Google was ordered to take down links to articles about the historic criminal convictions of a businessman.
Two businessmen (NT1 & NT2) convicted of criminal offences many years ago brought claims made under Data Protection law and the English law tort of misuse of private information, for the “right to be forgotten” or, more accurately, the right to have personal information “delisted” or “deindexed” by providers of internet search engines (“ISEs”)
The Court rejected a claim by NT1 who had committed a serious crime.
NT1 was convicted more than 10 years ago of conspiring to account falsely. He spent four years in jail.
NT2 won his case was convicted 10 years ago of conspiring to intercept communications. He spent six months in jail.
The Court explained NT1 continued to mislead the public and showed no remorse. Whereas NT2 had shown remorse and there was no plausible reason to suspect that the wrongdoing would be repeated.
The judgment discusses in detail the “complex legal framework that has developed over time”, with many legislative provisions dating back to before the internet and well before the creation of ISEs. Key elements of the legal framework are:-
- the May 2014 decision of the Court of Justice of the European Union(“CJEU”) in Google Spain SL & another v Agencia Espanola de Protecion de Datos (AEPD) and another Case C-131/12 [2014] QB 1022 (“Google Spain”), in which the CJEU interpreted the privacy rights enshrined in the EU Directive 95/46 (“DP Directive”) and the EU Charter of Fundamental Rights as creating a qualified “right to be forgotten”;
- the European Communities Act 1972, which made EU Directives directly applicable in the UK, and required English Courts to apply decisions of the CJEU;
- the Rehabilitation of Offenders Act 1974, which provides that some convictions become “spent” after a specified period, after which the offender is to be treated “for all purposes in law” as if he had not been convicted, but cannot sue for defamation in respect of a report of his conviction or sentence unless he proves malice (the convictions in these cases are “spent”);
- The Data Protection Act 1998 (“DPA”), which implemented DP Directive, the purpose of which was to safeguard individuals’ fundamental rights and freedoms, notably the right to privacy, within the EU;
- The tort of misuse of private information, recognised by the House of Lords in the 2004 decisions in Campbell v MGN Ltd and In re S (A Child); and
- Article 17 of the General Data Protection Regulation (“GDPR”), which came into force on 25 May 2016 and will have direct effect in Member States, including the UK, from 25 May 2018.
The CJEU’s decision in Google Spain requires the Court to strike a fair balance between fundamental rights and interests, of which freedom of expression and freedom of information are two. The outcome may depend on the nature and sensitivity of the processed data and on the interest of the public in having access to that particular information.
