As a result of his privacy complaint, the European Court of Justice (ECJ) has given EU residents the 'right to be forgotten'. The ECJ decision found that, while the right was not absolute:
"individuals can request search engines to remove all links to not only inaccurate information, but also to personal information deemed to be "inadequate, irrelevant ... or excessive [for] the purposes of the processing."
Leaving aside the rights and wrongs of the decision, which have been fiercely debated, and the jurisdictional issues, the decision does raise the question of how Australian privacy law would respond to Mr Gonzalez' complaint, with anecdotal reports in the wake of the decision suggesting online operators in Australia are being asked by individuals to remove their information.
Australian residents have no statutory right to privacy (yet) or the rights to privacy and freedom of expression found in articles 7 and 8 of the European Convention for the Protection of Human Rights (which member states must implement into national law). But they do have rights information privacy under Australian Privacy Principles (APPs) 10,11 and 13 in the Privacy Act 1988 (Cth) which require entities to take such steps (if any) that are reasonable in the circumstances to:
- ensure personal information the entities use and disclose is accurate, up to date, complete and relevant having regard to the purpose of the use or disclosure (APP 10);
- destroy or de-identify personal information they no longer need for any purpose permitted by the APPs; and
- correct the personal information they hold, if requested or if satisfied that, having regard to the purpose for which it is held, the information is inaccurate, out-of-date, incomplete, irrelevant or misleading, and notify any other APP entity to whom they had disclosed this information (APP 13).
The 2014 amendments to the Privacy Act resulted in the insertion of the terms relevant/irrelevant and misleading. The APP Guidelines say that personal information is also inaccurate if it is misleading and will be out of date if it contains information that is no longer current and suitably qualified.
The Privacy Commissioner can make a declaration that a respondent to a complaint must not repeat or continue the conduct that constitutes an invasion of privacy, or that they must take specified steps to prevent continuation or repetition of the conduct. An application can be made to the Federal Court to enforce these declarations.
The information Mr Gonzalez complained about was in Google search results linking to two 1998 announcements in a Spanish newspaper for a real-estate auction connected with attachment proceedings against him for the recovery of social security debts which had been fully resolved. The Spanish Data Protection agency upheld Mr Gonzalez' complaint against Google Spain and Google Inc to remove or conceal his personal information so the links were excluded from the search results, as they were no longer relevant. Of relevance to the ECJ decision was that Mr Gonzalez, as the person concerned, did not want the information to be known any longer.
The provisions in APPs 10, 11 and 13 and the Privacy Commissioner's powers would appear to be sufficient to enable an individual to seek the removal or deletion of their personal information if it would constitute a reasonable step by the entity having regard to the particular circumstances. The Spanish newspaper was not required to remove the original online announcements which referred to the proceedings against Mr Gonzales. An Australian newspaper would also be exempt from the Privacy Act in relation to such an online report. Whether another entity that was using or and disclosing the information could be required to delete (or de-identify) it, would depend on the purpose of the use and disclosure and whether in that particular context it was accurate, up to date and relevant and not misleading. The APP Guidelines suggest the Privacy Commissioner may take a more expansive approach to what would be misleading or inaccurate, despite the original source being true and correct.
In its Discussion Paper on the proposed statutory tort of privacy, the Australian Law Reform Commission's (ALRC) proposed regulator take-down mechanisms to enable individuals to apply for personal information they had posted about themselves to be removed. However, in its final June 2014 Report, the ALRC found this would have "undesirably chilling effects on online freedom of expression," and "should be exercised with caution," balancing the public interest of freely available information, and the interests of the individual to control their personal information". The ALRC also identified other challenges, such as the difficulty of removing widely available material, dealing with overseas respondents such as Google Inc and, given the scale of information on the Internet, the significant cost of evaluating claims, which would create a burden for government and business.
As the ALRC correctly identified, there is no easy answer to this issue. The problems it has identified are now being grappled with, first by Google as it self administers take down requests, and now also by EU data protection bureaucrats whose Article 29 Working Party has just released guidelines on the implementation of the ECJ decision. The Guidelines include that: de-listing only applies to the search engine and not the original source of the information, not only EU domains and search engine operators are covered by the decision, and the search engine does not need to contact the original website operator or inform website editors that it has delisted their pages.