Reducing the impact of adverse information like past criminal convictions was more straightforward in the pre-internet era than it is now. Under the Rehabilitation of Offenders Act, 1974 (‘the Act’) many types of conviction become ‘spent’ after a period of time. In practice the individual is treated as though he or she was never convicted of the particular crime. This means for example not having to mention the conviction when applying for a job. But the purpose of the Act is undermined when an employer is able to carry out a quick Google search and discover details of the spent conviction. Doesn’t the individual have a right to privacy in respect of the negative information? And what about the search engine’s right to freedom of expression?
It’s the interplay between these two competing rights that we have to consider when advising our clients on how to successfully remove prejudicial or unwanted online information about them. As we’ll see below the ‘right to be forgotten’ (or ‘right to erasure’ under GDPR) is clearly established. But there are limitations to the right that you need to be aware of before attempting to take enforcement action against a search engine like Google or any other organisation that’s processing negative personal data about you.
The right to be forgotten permits an individual to require an organisation – like Google – to remove personal data from their systems where there is no compelling reason for it to be retained. The manner in which the right to be forgotten could be used against powerful organisations was demonstrated in the Google Spain case in 2014. And GDPR introduced the corresponding right to erasure under Article 17 which empowers individuals to have their data erased – although the ICO makes clear the right is not absolute and applies only in certain circumstances.
It was the tension between an individual’s right to privacy and an organisation’s right to freedom of expression that lay at the heart of the 2018 case of NT1 & NT2 v Google. While the judgment was handed down before GDPR it nevertheless sheds light on when the right to be forgotten applies – and when it doesn’t. The judgment is useful for several reasons – not least because it deals neatly with two specific and contrasting cases. One claimant –NT2 – succeeded in requiring Google to remove adverse information about him from its indexes. The other claimant – NT1 – did not.
In brief, NT1 and NT2 were both businessmen who had been convicted for conspiracy-type crimes. The convictions, in line with the Act, were spent. But information about them still appeared when Google searches were carried out against their names. When the businessmen asked Google to remove the information – or the links to it – the search engine refused. The High Court case was an attempt by NT1 and NT2 to get the information about them erased.
Mr. Justice Warby had to decide whether the continued listing of the links by Google involved an unjustified interference with NT1 and NT2’s data protection and privacy rights. As we’ve said the right to be forgotten is not absolute. To decide whether it applied Warby J. examined a range of factors, including:
On the facts NT2 was able to rely in the right to be forgotten – his offence was less serious, he had pleaded guilty at trial and the details of the conviction weren’t especially relevant to his current professional and public role. The same factors did not apply to NT1. He had never fully accepted his criminal liability and had faced subsequent prosecutions for dishonesty. In Warby J’s view Google was justified in continuing to process the damaging information about him: It was in the public interest.
Warby J’s analysis of the right to be forgotten and when it applies in the NT1 and NT2 case against Google shows that these cases will always be decided on their particular facts. Although decided ahead of GDPR the judgment remains highly relevant. For our clients – individuals seeking to enforce their right to be forgotten as well as companies wishing to justify continued use of personal information – the NT1 and NT2 case illustrates the type of factors that we need to consider before deciding on the right legal strategy.
It’s also worth remembering that you should always consider the consequences of the right to erasure when carrying out data audits. For example if you are relying in an individual’s consent or some other lawful basis to process their data do you still have consent or does the basis you’re relying on still apply?
To discuss any concerns you have about the right to be forgotten or GDPR compliance generally contact Shubha Nath at Nath Solicitors on 0203 983 8278 or get in touch with the firm online.