User:Stinglehammer/sandbox7

Assignment A – The Right to be Forgotten (RTBF)

Summary of the Case

The ‘Right to be Forgotten’ was coined by the Court of Justice of the European Union (CJEU) following its landmark ruling (C-131/12) in May 2014 in Google Inc. vs. Agencia Española de Protección de Datos (aka the Google Spain case). The court ruled that personal information about a Spanish citizen, Mario Costeja González, relating to his home being repossessed could be removed from access via search engines, and that any EU citizen can apply to search engines to request that certain weblinks be removed where they are “inadequate, irrelevant, no longer relevant or excessive” (Schindler, 2016). This controversial ruling has since become the key pillar, Article 17, of the EU’s General Data Protection Regulation (GDPR), set to become law automatically in every EU member state on 25th May 2018 (Ruaraidh, 2016). The Right to be Forgotten affects not only search engines but any organisation that hosts EU citizens’ information or does business in the EU (Werfel, 2016).

Until earlier this year, Google abided by the Google Spain ruling by de-listing search results from the domain extension the request originated from (e.g. Google.de for Germany and Google.fr for France), but the results could still easily be seen if you utilised a different domain extension such as Google.com. As a result, France slapped a $112,000 fine on Google for not honouring the ruling through its refusal to remove results outside of France. As a consequence, since April, Google now utilises geolocation to determine which country the searcher is searching from and de-lists search results worldwide accordingly, regardless of domain extension, thereby “obeying the letter of the law, if not the spirit” (Tarantola, 2016).

Importance of the Case: Censorship vs. Privacy

The case has been described as a much-needed breakthrough in data protection leading to “a brave new world” (Ruaraidh, 2016) while at the same time trampling the ‘right to know’ and marking “the beginning of the end of the global internet, where everyone has access to the same information” (Grannick in Toobin, 2015). Google handles 90% of searches in Europe (Fioretti, 2014) and has reviewed in excess of 1.5 million webpages, delisting 40% of them across Europe (Lumsden, 2016), effectively creating “an internet riddled with memory holes” (Fioretti, 2014). While Google claim the CJEU ruling forces them into a role they are uncomfortable with, i.e. deciding what is & is not included in their ‘card catalogue’ (Walker in Toobin, 2015), others maintain that Google’s role is much more than that of a passive intermediary; therefore “if you’re going to be in the business of search then you need to take on privacy obligations” (Rutenberg in Toobin, 2015). However, forcing search engines to become judge & jury on each request’s merits is a slippery slope.

The GDPR will certainly toughen the penalties for non-compliance with these privacy obligations. Previously, £500,000 was the maximum penalty in the UK for breaching privacy rules. Now organisations will be penalised 4% of their annual turnover, or 20 million Euros, whichever is greater (Davidson, 2016). Organisations will therefore need to take the opportunity to know & understand the data they hold on individuals in a much stricter way. While some label this as a triumph heralding a new ‘right to be respected’ (Ruaraidh, 2016), others see this as a Balkanizing of the internet to see which country’s laws can apply the most muscle to Google (Zittrain in Toobin, 2015).

Implications of the Case for the University of Edinburgh

The debate over freedom of information vs. the right to be forgotten will continue to be a source of heated debate. While Janes (2016) advocates that IM professionals should be very wary of RTBF compromising a record’s integrity, tighter data protection protocols for UK organisations are likely to be the norm from here on. Advice from the Information Commissioner’s Office, and independent legal firms, is to start planning your organisation’s approach to GDPR compliance now. The May 2018 deadline for the GDPR’s implementation is not far away for an institution the size of Edinburgh University to get prepared for. While Brexit creates a great deal of uncertainty on the UK’s adherence to EU laws, the likelihood is that, regardless of Brexit, UK HEIs will still have to comply with the GDPR. Membership of the Single Market will almost certainly include compliance with the GDPR as a condition, but “GDPR is going to affect UK businesses offering any type of service to the EU market, regardless of whether your business stores or processes data on EU soil, and whether the UK stays in the EU or not” (Rustici, 2016). Google could, post Brexit, ask the British court not to adhere to RTBF in the UK, but even if GDPR is not adhered to, we can expect the terms of the Data Protection Act 1998 to be extended as a way of ensuring UK organisations adopt a stricter data protection strategy to allow GDPR compliance. While research is a stated exception by the GDPR, Edinburgh University, as a key player in European higher education, is still bound by the GDPR to the extent that it processes personal data of EU data subjects. Therefore, the university will have to ensure it puts a plan in place for GDPR compliance, ensuring a culture of ‘privacy by design’ (McCall, 2016).
This means implementing the ICO’s recommended 12 steps including: designating a Data Protection Officer reporting to the highest level of management; looking very carefully at rules governing data erasure & portability; working with I.T. to map out & review the data processes throughout the university and how data is shared with 3rd parties; liaising with HR to raise awareness of data protection throughout the university and each individual’s role as a data controller & data processor. Privacy notices will need to be made more explicit about how data is to be processed. Reviews will need to take place of data protection policies along with a review of how consent is given & recorded. Importantly, data breach protocols will have to be tightened up and any breach must be reported to the ICO within 72 hours. Subject Access Requests will a) no longer be charged for and b) be responded to within a month instead of the current 40 days. Ultimately, the University of Edinburgh will need to ensure it is far more familiar with its data processes & its data protection strategies than it is at present. This may mean that it will better understand the value of the data that it does keep, but it is likely that, in seeking to avoid liability, it will err on the side of more removal rather than less, resulting in ‘premature forgetting’ (Sartor, 2016). Whether this does indeed have a negative effect on freedom of expression & information remains to be seen but is something to be guarded against.