With the focus firmly on the implementation of the GDPR on 25 May 2018 you could be forgiven for thinking that the GDPR is the only data privacy law in town. However the recent decision of Mr Justice Warby in the cases of NT1 & NT2 v Google LLC  EWHC 799 (QB) is a timely reminder that, without wishing to downplay the importance of the GDPR (and the need to prepare for it), that it is not the final word on data privacy.
This judgment followed the trials of the first two claims in the High Court to consider the application of the so-called ‘right to be forgotten’. The cases brought by NT1 & NT2 against Google LLC concerned the rights of two businessmen who had requested that Google de-list search results mentioning their past criminal convictions. The requests were initially refused by Google, and NT1 and NT2 applied to the High Court.
Back in 2014 the CJEU established a limited “right to be forgotten” in the case of Google Spain SL & another v Agencia Española de Protección de Datos (AEPD) and another Case C-131/12. In that case the CJEU ruled that outdated and irrelevant data in search results should be removed unless there was a public interest in the data remaining available and even where the search results link to lawfully published content. In deciding whether data that appears in search engine results should be removed, it is necessary to balance the rights of the individual against the rights and interests of Google and the general public, and this was largely the battleground in the NT1 and NT2 cases.
The facts of the NT1 and NT2 cases were similar but differed in a number of important respects. During the 1990’s, NT1 was convicted of conspiracy to account falsely and received a sentence of 4 years’ imprisonment, which has since become ‘spent’. Nevertheless, in coming to the conclusion that Google should not be compelled to de-list the results relating to NT1’s conviction, Mr Justice Warby stated that NT1 had not ‘…accepted his guilt, has misled the public and this court, and shows no remorse over any of these matters. He remains in business, and the information services the purpose of minimising the risk that he will continue to mislead, as he has in the past.’
The case of NT2, whilst bearing some similarity to that of NT1 and raising ‘…similar issues of principle…’, is quite separate. NT2 was, in the early 21st Century, involved in a controversial business that received public opposition as a result of its environmental practices. Over a decade ago, he pleaded guilty to two counts of conspiracy relating to the aforementioned business and consequently received a sentence of 6 months’ imprisonment, of which six weeks were served. The conviction became spent in March 2014. As a result, the court concluded that the information had become outdated and, by virtue of his acknowledgement of guilt, genuine remorse and a lack of evidence suggesting a risk of repetition, it was no longer relevant. Further, the court considered his change in business activities, which are now significantly different to the field in which he was previously operating at the time of his conviction. Consequently, the information was, in contrast to that relating to NT1, not relevant in performing an assessment as to the suitability to engage in business activities with him.
Since the Google Spain decision the major search engines have established procedures to decide applications to have search engine results deleted and approximately 1.9 million de-listing requests have been made to Google alone in the three and a half year period following the Google Spain decision, with statistics showing that just under 60% of those requests have been forgotten. Applicants that are unhappy with decisions that Google (or other search engines make) can take their cases to the Information Commissioner’s Office (ICO) or to the Court and the ICO has published guidelines on the factors to be taken into account in deciding these cases. Clearly those criteria will need to be reviewed in the light of the decisions in NT1 and NT2, and we may well find a renewed interest in these requests in the future.
Of course anyone thinking of making such a request should bear in mind that when the GDPR comes into force one of the enhanced rights that it will grant data subjects is the right to have their data deleted in some circumstances (the “right of erasure”) and it may well then be possible to use this new right and the “right to be forgotten” together as two different methods to achieve the same result of having data deleted or search results suppressed.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.