Assoc Prof Lim Yee Fen Hannah (Assoc Prof, Nanyang Business School)
11 September 2014 (Thursday)
CIT Auditorium, Lvl 2 Computer Centre, 2 Engineering Dr 4, Singapore 117584, NUS
This seminar was conceived in the light of the recent landmark decision by the European Court of Justice (ECJ) to hold search engine operators responsible for removing the link between search results and a webpage if it contains information the individual deems should be “forgotten.” In doing so, the ECJ has affirmed what many have called “a right to be forgotten” under the broad ambit of privacy protection.
Assoc Prof Lim Yee Fen from the Nanyang Business School began the seminar by providing a social context to the legal changes to personal data protection in recent years. This included the pervasiveness of social media and its ironies – the platform advocates open sharing of personal information, but users in general would not want their lives to be overly scrutinised, especially not their mistakes. Assoc Prof Lim cited the case of British expatriate Anton Casey who left Singapore after remarks he made on Facebook were widely publicised and felt to be disparaging of Singaporeans. She noted that most of us would not wish to have our mistakes kept on the internet that would prejudice our future job prospects or taint our character 10 – 20 years down the road.
Assoc Prof Lim noted that the online world can be very “unforgiving” of mistakes made. The development of the internet and social media had led to dangerous precedent in increasing expectations of the “right to know”. The “right to be forgotten” principle was in some way an attempt to rein in this swing towards “right to know” phenomenon. She reiterated that the right of freedom of expression and the media were not absolute rights, as was the right to be forgotten..
Assoc Prof Lim then went into some detail on the recent European Court of Justice (ECJ) ruling on the “Right to be Forgotten”. She argued that the ECJ did not invent the right as some of its critics have accused it of doing as it was already enshrined in the EU Data Protection Directive of 1995, specifically Article 6 which states that EU “Member States shall provide that personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed”.
The case arose when a Spanish citizen complained to the Spanish data protection agency (Agencia Española de Protección de Datos or AEPD) about an auction notice of his repossessed home on Google’s search results infringing his right to privacy. The complaint was made against a Spanish newspaper as well as Google Spain and Google Inc. The Spanish High Court then referred the case to the ECJ for its decision on the applicability of the Directive on search engines such as Google when Google tried to appeal by putting forth concerns with regards to territorial applicability and claiming as its searches were “automatic” it was not responsible for that data processing that produced the results .
On the matter of territorial application, Google argued that its presence in Spain was irrelevant as its information search, storage and processing functions did not physically take place within Spanish borders. However, the ECJ pointed to Recital 19 of the Directive’s preamble which states that the “establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements”; further, Google Spain had promoted and sold advertising space to make a profit and the ECJ found that this was “inextricably linked” to the activities of Google and satisfied the requirements of Article 4.
Google also argued that searches on its site were automatic, that it had no control and knowledge of specific data and hence its activities did not constitute processing. On this matter, the ECJ referred to Article 2 on the definition of data processing and ruled that its broad definition encompassed Google’s “structured overview” of information which counted as additional work, and that the “controller… determines the purposes and means of the processing of personal data”. The ECJ further ruled that the combination of information provided by Google aids in the infringement of personal privacy and referred to Article 12 on a citizen’s right of rectification, erasure or blocking of information on the condition that said data is inaccurate or incomplete.
While ruling in favour of Mr Gonzales for his “right to be forgotten” the ECJ nevertheless also cautioned that the “right to be forgotten” is not absolute and have always to be balanced against other fundamental rights such as freedom of expression and media.
Assoc Prof Lim closed her talk with a brief overview on Singapore’s Personal Data Protection Act (PDPA) which came into full effect this year. It is a consent-driven mechanism which governs data collection, usage and disclosure. However, she noted that the PDPA neither defined “use” nor include “process” in its wording, but anticipated that the Singapore Courts were likely to use a broad definition of in its interpretation. Finally, exemptions exist under Schedules 2 to 4 of the Act. For example, if personal data is “publicly available”, it would allow anyone to collect, use and/or disclose this about someone else without their consent. Assoc Prof Lim noted that a definition of “publicly available” would be expansive. She mentioned that the PDPA exemptions were not without limits, as Section 18 of the Act states that usage, collection or disclosure may only be for purposes “that a reasonable person would consider appropriate in the circumstances”.
The question and answer session proved to be a lively exchange with a wide array of questions raised and clarifications sought. Assoc Prof Lim, in a reply on the implications of the ruling for search engines, argued that Google had a presence in China until its partial exit several years ago and was subject to censorship obligations; hence it had the software capabilities to filter information. The ECJ ruling adds compliance costs for companies but it is technically not difficult. An audience member asked why the government was exempted from the PDPA, to which Assoc Prof Lim stated that public agencies have their own code when it comes to data collection which, for instance in the case of Australia was quite similar to theprivate regime. The public regime could be somewhat different from the private regime for reasons of law and order and national security.
The ECJ ruling can be accessed here:
An EU fact sheet on the case:
The 1995 EU Data Protection Directive: