Is Freedom of Expression Under Threat Due to the Right To Be Forgotten? A Case Laws Based Explainer

The right to be forgotten is often assumed to infringe upon the freedom of expression. As far as its interpretation goes, the courts have been subjective and often inconsistent in their decision making.  The Google Spain case (2014) is touted as one reason why the tiff between the two rights intensified. Chandreyee Maitra analyses the Google Spain case, explaining why it created tension between freedom of expression and the right to be forgotten in the first place. Maitra shows how the Google Spain case affected European jurisprudence vis-a-vis the right to be forgotten.

Is Freedom of Expression Under Threat Due to the Right To Be Forgotten?
Is Freedom of Expression Under Threat Due to the Right To Be Forgotten? Analysing Case laws

By Chandreyee Maitra, pursuing Master of Laws from the University College London.

Introduction

The European Convention on Human Rights (ECHR) accords protection for private and family life,[1]  which is qualified by the necessity of democratic society and protection of rights and freedom of others. [2] The ECHR also provides the freedom of expression and the right to impart information and ideas without interference from the public authority[3].

With the formulation of specific community legislations, the Data Protection Directive (DPD) came along that included an inherent right of data subjects, facilitating the erasure of incomplete and inaccurate data. This European Union directive meant to protect the inherent right of data subjects (natural persons) to get incomplete and inaccurate data erased by controllers. The same was meant to deal with controllers inside the European Union who accessed the data of EU persons.

This was further crystallised in Article 17 of the General Data Protection Regulations (GDPR) titled ‘Right to erasure (or right to be forgotten)’.

These rights in DPD and GDPR have been subjected to debate for placing blatant impediments to freedom of expression.

This article identifies the tensions raised in this regard by the Court of Justice of the European Union’s (CJEU) ‘s decision in Google Spain v. AEPD (Google Spain case)[4] and subsequent cases.

The article also indicates how these concerns can be mitigated through safeguards in GDPR, arguing that there are no reasons to fear the assumption of an absolute threat to freedom of expression.

The Tensions Between Competing Rights: Freedom of Expression v. Right to be Forgotten

The promulgation of the right to erasure(or the right to be forgotten) is at the centre of the privacy debate for a while.

In Google Spain, the Court took a pro-privacy approach. It held that a data subject’s rights under Articles 7[5] and 8[6] of the Charter of Fundamental Rights of the European Union override a search engine operator’s economic interests general public’s interest to obtain information.[7]

To give some context, Google Spain was asked to remove a link that came up on searching the complainant’s name. The link contained information about the complainant’s public debt, which had since been recovered.

The decision in the Google Spain case states that requests of a data subject ought to be honoured by controllers. The same needs to be done if the impugned information appears inadequate, irrelevant, inaccurate, excessive or retained for an unreasonable duration (i.e. contrary to Articles 6(1) (c ) to (e ) of DPD and now Article 5 (1) of GDPR).[8]

The case got criticised for giving rise to several points of tension between the right to be forgotten and freedom of expression.

First, the Court does not answer the tension between the public access to information and the individual’s right to obtain privacy through the tool of erasure.[9] The compatibility of the information to the instrument’s provisions has to be decided based on the facts of each case.[10]

Secondly, the CJEU relegates the freedom of expression to a lower pedestal, considering it derogatory to the provisions of the Charter. The Charter doesn’t give overriding effect to one right over another. Thus, the judgement hampers the public research and research for journalistic purposes. [11]

In ‘Balancing a Right to be Forgotten with a Right to Freedom of Expression in the Wake of Google Spain v. AEPD’, Shaniqua Singleton analyses the case. The piece cites examples of data erasure requests made by students whose alcohol consumption pictures were up on the internet. Another example that the piece quotes is a politician who requested removing his information regarding his former allegiance to an unpopular social group.[12]

Following the guidance from CJEU in Google Spain, the former request is likely to be granted and the latter denied.

Subsequent Cases Before the Court of Justice of the Europian Union: Reading into the Importance of Right to be Forgotten  

In GC v. CNIL[13] (Google LLC, successor in law to Google Inc. v Commission nationale de l’informatique et des libertés (CNIL), GC 2019), CJEU tilted the balance slightly by favouring the controller. It has been recognised in light of the exceptions under Article 17 (3) (a) of GDPR that the data subject’s right to be forgotten is excluded where processing information is necessary for freedom of expression and information.[14]

What is of compelling interest has to be determined with respect to the functionality of the information in the society[15] and balancing it with other fundamental rights in the Charter.

The Court further held that if the information relating to the earlier legal proceedings did not have any relevance, the operator must accede to such a request. Alternatively, it can be deduced from here that a criminal conviction of ongoing relevance will exclude the right to be forgotten.

This is quite similar to the Axel Springer AG v. Germany (Axel Springer case 2012). [16] In this case, the European Court of Human Rights held that the legitimate expectation of the claimant, a public figure, was reduced in the context of his own public activities. The court held that the publication was only referring to factual knowledge. Therefore, prohibiting the publication by the domestic/national Court infringed upon the publisher’s freedom of expression.

The right to be forgotten also got narrowed down by CJEU in Google LLC v. CNIL.[17] In this case, the French Data Protection Authority had fined Google LLC for not complying with the formers request to de-reference links of the data subjects in the Country. The Court held that the Member State and the domestic courts could decide the need for de-referencing. Additionally, for de-referencing, the search engine operator could de-reference only on the search engine versions corresponding to the Member States.

Safeguards in GDPR

The most important safeguard to the freedom of expression can be found in Article 17 (3) (a) of GDPR. It expressly renders the right to be forgotten inapplicable for exercising the right of freedom of expression.

However, such inapplicability exists only ‘to the extent that processing is necessary’. To determine whether the processing is necessary, a full-fledged balancing of interest test isn’t required.[18] A ‘facts-based assessment’ between the processing and its purposes would suffice this criterion.[19] This upholds the fundamental right provided in the Charter.

Further, Article 17 (3) (a) is supplemented but not limited by Article 85 GDPR. This mandates the Member State law to balance the right to data protection with the freedom of expression and information, including processing for journalistic, academic, literary and artistic purposes.

The other grounds of inapplicability of the right to erasure, under Article 17 (3), such as legal obligations and public interest, can also be interpreted in light of freedom of expression. The controller can be exempted from an erasure request if it can demonstrate that it is not in a position to identify the data subject.[20]

Balancing acts

Besides the safeguards provided in GDPR, the involved authorities can undertake several balancing acts to prevent abuse of any competing rights. Such acts may be classified into two sections:

First is the duty of the controllers (private actions). They could implement internal private norms and order. The controllers may develop policy, practices or technological designs to that end[21]. The technological solutions may include allowing a user to determine the ranking of its name search results on the first page or adopting algorithms for ‘de-ranking’ results in reverse chronological order.[22] The global policies of Google, Microsoft etc., serve as examples of implementing this change.[23]

These measures can mitigate the concern that over-burdening controllers through GDPR would lead to an inherent tendency of deleting web links when challenged[25]. Further, transparency de-mystifies this arena.[26] Publishing examples of instances where erasure requests have or have not been granted is a fruitful step. The data protection authorities (DPA) also encourage controllers to post their own de-listing criterion and make statistics available.[27]

Second, the onus is carried forward by public authorities, i.e. the DPAs and the national courts. The Article 29 Working Party may provide guidance.[28] As it becomes necessary to develop rationale, the courts can base the same upon one right trumping over the other or presumption favouring one right.[29] It is submitted that these are rigid approaches.

A more liberal attitude can be demonstrated by affixing the same margin of appreciation for freedom of expression and the right to be forgotten.[30] Alternatively, it is predicted that with time, certain standards will gradually be developed based on commonality in factual scenarios before the courts. The relief to be granted can also be modulated in certain situations to anonymise the impugned information rather than deleting it.[31]

Conclusion

Freedom of expression isn’t unqualified under any constitutional system. Admittedly, the GDPR places lots of responsibilities on the controllers both in terms of exercising its freedom and processing erasure requests of data subjects.

But a nuanced look at the right to be forgotten demonstrates that the information which GDPR enables to be removed aren’t ‘meaningful’ information that serves any particular purpose. Hence, no injury is caused to any involved party by the inconvenience of removal faced by controllers. This can be justified due to the unilateral bargaining power of most controllers over the data subjects.

The right to be forgotten is an important empowering tool in the hands of data subjects, the absence of which would highly diminish the right to privacy. As observed from the CJEU decisions above, the Court also attempts to balance these competing fundamental rights. Subjectivity has been an inherent feature of most legal remedies. While the ‘balancing test’ introduces such subjectivity, one can hope that the intersection of these two rights will be laid down in detail by the CJEU, domestic legislations, data protection authorities and controllers.

Endnotes

[1] Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended by Protocols Nos. 11 and 14, art 8 (1).

[2] ECHR (n 1) art 8 (2).

[3] ECHR (n 1) art 10 (1).

[4] Case C-131/12 Google Spain v. AEPD [2014].

[5] Respect for Private and family life.

[6] Protection of personal data.

[7] Google Spain (n 4), para 97.

[8] Google Spain (n 4), paras 92-94.

[9] Shaniqua Singleton, “Balancing a Right to be Forgotten with a Right to Freedom of Expression in the Wake of Google Spain v. AEPD” [2015] 44 GJICL 167, 178.

[10] Google Spain (n 4), para 94.

[11] Singleton (n 9) 180.

[12] ibid 181.

[13] Case C-136/17 GC v. CNIL [2019].

[14] GC (n 13), paras 56-57.

[15] General Data Protection Regulations [2018] OJ 2 127, Recital 4.

[16] App no. 39954/08 Axel Springer AG v. Germany [2012].

[17] Case C-507/17 Google LLC v. CNIL [2019].

[18] Jef Ausloos, The Right to Erasure in EU Data Protection Law: From Individual Rights to Effective Protection (OUP 2020).

[19] Ibid.

[20] GDPR (n 15), art. 11 (2).

[21] Edward Lee, “The Right to be Forgotten v. Free Speech” [2015] Journal of Law and Policy for the Information Society, 103.

[22] ibid 105.

[23] ibid 103,105.

[24] Anu Bradford, The Brussels Effect: How the European Union Rules The World (OUP 2020).

[25] Michael Douglas, ‘Questioning the Right to Be Forgotten’ (2015) 40 Alternative LJ 109, 110.

[26] Kulk & Borgesius, “Privacy, Freedom of Expression, and the Right to be Forgotten in Europe” in The Cambridge Handbook of Consumer Privacy (CUP 2018), 314.

[27] ibid.

[28] ibid 315.

[29] Lee (n 21) 103.

[30] Muci & Muci, “Defining the Right to be forgotten and its relationship with freedom of expression” [2020] 4 European Journal of Economics, Law and Social Sciences 26, 34.

[31] ibid 35.

Leave a Comment


Advertisement

There are ten ways to read more.And one of them is to subscribe to our newsletter. Yes! A bit of reading never hurts.

Give it a try, you can unsubscribe anytime :)

There are ten ways to read more.And one of them is to subscribe to our newsletter. Yes! A bit of reading never hurts.

Give it a try, you can unsubscribe anytime :)