Tailor-made memory and online communications: Spain's Supreme Court rules on the right to be forgotten

Here's a welcome guest post from recent Guest Kat Valentina Torelli, who has been pondering the significance of a fascinating decision from Spain's top court on the extent, if any, to which a data subject can effectively suck public knowledge about him out of the online public domain, and on the related question of whether it is possible for a person to create a set of bespoke accessible memories concerning himself by invoking the right to be forgotten.  Here's what Valentina writes:

On 15 October the Spanish Supreme Court gave the final decision in a dispute concerning the processing of personal data in online communications. The Court was tasked with balancing the fundamental rights to honour, privacy and personal data protection against another constitutional right -- freedom of expression. In this judicial exercise the Court applied both its own case-law and that of the Court of Justice of the European Union (CJEU) in Lindquist (C-101/01) and Google Spain (C-131/12) regarding personal data protection.

Not that forgetful!

The background to this dispute resonated with the facts that kick-started the reference for preliminary ruling in Google Spain. Two individuals sought to enforce the fundamental rights to honour, privacy and data protection against the communication to the public of information relating to them and associated with their names and surnames, as carried out by Ediciones El País SL on its website www.elpais.com. They filed a civil suit in Barcelona which both at first and second instance went in their favour: the defendants' new online publication had the effect of bringing back to the public's memory facts that occurred in 1985 and which had already been contemporaneously reported in El Pais's paper edition.

The information in question was found to be particularly harmful to the plaintiffs’ fundamental rights since it concerned both an account of the delict of drug-dealing committed by them and details of their drug addiction. 20 years later they were reformed characters who had distanced themselves from activities to which further reference had since become irrelevant.

The plaintiffs also objected to the way El Pais distributed the damaging information. When processing their personal data, it included their forenames and surnames in the webpage header's source code, thus enabling all internet users who used that personal data as search terms to access the contested online archive, in which the now irrelevant information was freely accessible. This use of their names also served to enhance the webpage’s indexing as well as its ranking in terms of online search results.

Limitation of actions:
no problem here

In respect of the first plea in law, the Supreme Court clarified that damage arising in the context of personal data processing is continuous damage. The time limit to bring the legal action seeking redress must be therefore calculated not from the date of the unlawful activities that took place two decades ago but from the time the plaintiff acknowledges that the processor  -- here El Pais, as the data's controller too -- has ceased processing personal data. Since the two physical persons’ forenames and surnames were still retained within www.elpais.com and the news relating to them could be searched and indexed inside the website and through search engine, the right to bring legal actions had not expired.

In relation to the substance of the complaint, this judgment provides clear guidelines on how to interpret and apply the right to be forgotten in Spain. The relevant legislation is the Spanish Constitution, Directive 46/1995 (the Data Protection Directive), Spanish Law 15/1999 on Personal Data Protection, the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union.

First, the Supreme Court pointed out that the editor of a webpage is responsible as processor [and also as data controller, according to Google Spain] for the processing of personal data in the webpage occurring in compliance with the “principles relating to data quality” [ie. personal data must be adequate, relevant and not excessive in relation to the purposes for which data are collected and/or further processed] and with the rights granted by the EU data protection legislation to the interested persons.

The Court built upon the CJEU ruling in Google Spain by adding that, although El País is responsible [as well as the search engine, under Google Spain] for the processing of personal data. This is so even when the editor did not apply protocols such as Robots.txt [which lets website holders instruct web robots like web search engines and tell them not to visit any pages on the site] and noindex [an HTML robots metatag asking robots to avoid indexing a web page] to its web page, in order to prevent searching providers from indexing the plaintiffs' and their disclosure in the search results.

The Court added that El País lawfully disclosed the information relating to the plaintiffs: it truly and accurately reproduced in its online archive the facts reported in the journal’s paper version 20 years before. However, the Court highlighted that, as in the case in Google Spain, over the course of time its initially lawful and fair data processing had become incompatible with the Data Protection Directive in that the data was no longer appropriate for the purpose for which had been originally processed. Accordingly this processing could excessively harm the individuals’ fundamental rights to honour and privacy and data protection for two reasons: (i) the plaintiffs had no public relevance and the facts relating to them were of no historical interest; (ii) online archives are afforded a lower level of protection under the right to the freedom of expression than that enjoyed by the traditional press. The reasoning is connected with the different rules governing the online and the offline communications, the former being potentially more harmful to fundamental rights, privacy above all, insofar as online information can be accessed ubiquitously over an indefinite period of time.

The Supreme Court did however consider that the “right to be forgotten”, being aimed at the fulfilment of the “principles relating to data quality”, cannot be the basis for people to create their own digital memory within the internet by requesting a tailored cancellation of their personal data when they are associated with negative facts.

In the present case the fundamental rights to honour, privacy and data protection override the freedom of expression and the interest of the public to be informed about facts which transpired 20 years before. Consequently, the Supreme Court confirmed that El País had to apply protocols preventing the indexing of its web page on the part of search engine and to block out any mention of their names or any other personal data by which the plaintiffs might be identified -- plus the payment of compensatory damages. 

Forgetfulness here
Forget-me-not here
Famous old Jewish joke about forgetting here