Data Controllers Beware

Data Controllers Beware

Data Protection issues used to relatively minor but now there is a growing tendency for these issues to be treated as major breaches of the law. This is the same now for small companies as well as big.

The Information Commissioner’s Office (the ICO) has been showing an increased readiness to bring proceedings and issue fines against those who fail to comply with their data protection obligations. In a recent example, the ICO brought criminal proceedings against a company for breaching the Data Protection Act as well as – more interestingly – against its director personally. Both the company and the director were convicted and were ordered to pay £597 each (of which £270 was a fine). The Information Commissioner stated:

“Failure to notify is a criminal offence and it’s the data controllers’ responsibility. Mr Muhith failed to do so and now he is paying the price for his disregard for the law.”

For company directors, failing to comply with data protection laws now presents a major risk for them personally – not simply in terms of a fine but, more significantly, the reputational risks and problems that being convicted of a criminal offence brings. All companies who handle, collect, process and/ or control data that is deemed of a confidential nature need to be aware of the responsibilities and risks involved as well as the strategies that must be put in place to avoid breaches of the law. Policies must be put in place internally and policies on their own are not enough i.e. those policies must be acted upon, updated and maintained and kept up-to-date with the law.

Google must remove links by request

The European Court of Justice (‘CJEU’) has ruled that search engines must remove the links between search results and webpages if it contains information an individual considers should be forgotten.

The facts of the case was that in 2010, a Spanish National (Claimant), lodged a complaint with the Spanish Data Protection Agency (‘AEPD’) against the publisher of a daily newspaper, La Vanguardia Ediciones SL, Google Spain and Google Inc.  The Claimant’s complaint was that a Google search of his name returned links to announcements published in 1998 in La Vanguardia’s newspaper which referred to a real estate auction and related to proceedings brought against him for the recovery of social security. Although the AEPD found that the information was lawfully published by La Vanguardia’s newspaper and rejected the Claimant’s claim against the newspaper itself, it did uphold the Claimant’s complaints against both Google Spain and Google Inc. Google Spain and Google Inc appealed to the Spanish High Court which referred a series of questions to the CJEU. The CJEU found:

An internet search engine operator is responsible for the processing that it carries out of personal data which appear on web pages published by third parties.

Thus, if, following a search made on the basis of a person’s name, the list of results displays a link to a web page which contains information on the person in question, that data subject may approach the operator directly and, where the operator does not grant his request, bring the matter before the competent authorities in order to obtain, under certain conditions, the removal of that link from the list of results.

Conclusion

This right to be forgotten was established by the Data Protection Directive. As a result of the CJEU’s decision an individual may now request Google to remove information, even if published lawfully, about himself/ herself from Google search results.

Google has responded to this decision by launching a form that allows individuals to ask it to remove personal information about themselves from Google search results. Individuals that fill out this online form will be notified by Google when it starts considering the individuals request. It is not sure how long it will take for Google to process requests. Further individuals will need to provide links to the information they would like removed, the reason for its removal and a copy of their photo ID for Google to begin considering their request. It will be interesting to see how many other online companies might experience a truly significant increase in similar requests for the removal of information wherein the individual requesting the removal is the subject matter of the link.

By |2017-05-25T14:53:42+00:00July 9th, 2016|News|0 Comments