Category: Privacy and Data Protection

A Linkedin post by Luciano Floridi announce a British House of Lords EU Committee hearing about the Google Spain ECJ Decision and the right to be forgotten. Here are my two cents (sorry, this isn’t going to be a short post):

Q. Do you agree with the Court’s ruling that Google (and other search engines) can be classed as data controllers?

A. NO. The search engine activity as such doesn’t handle personal data under the 95/46/CE Directive. The collection and organization of the retrieved data are the automatic output of a search algorithm. The issue arise when the retrieved data are used for purposes different than the pure providing search engines results, thus attempting to identify a natural person and creating his/her profile. To give an example: Duckduckgo.com and before, Cuil, are no-user-data-collection search engines so it is not possible to include them into the legal “data-controller” definition.

Q. The question put by the Spanish court to the Court of Justice referred to the data subject wishing to have information “consigned to oblivion”. Isn’t the true position that information removed from websites will always continue to exist, but will simply not be so easily accessible?

A. Yes. And fact is that information still available are still accessible by alternative means (word-of-mouth, newsgroups, social networks etc.) The point is that we are lured into thinking that there isn’t anything else, on the Internet, outside Google but this is simply not true. Google is used because is quick and effective, but when proper information are needed nobody will rely upon a search engine while trying to connect with an expert of the matter.

Q. The Court has ruled that the data subject’s fundamental right to privacy “as a rule” overrides the right to receive information, but that this will not be the case if there is a public interest in “the role played by the data subject in public life”. Do you agree with this order of priorities? Can it in practice be implemented?

A. It is a legal mistake to build the right to be forgotten on the EU Data Protection Directive. The right to privacy is set forth by the European Convention on Human Rights and the data protection is a principle set forth in a EU Directive. Thus data protection is a subordinate and particular right that doesn’t necessarily implies privacy issues. EU Data Protection Directive, indeed, is contrary to the Right to be forgotten because sets a precise legal duty to handle personal data so that they are readily available, updated and exact. This is contradictory with the idea of being forgotten, because a messy way to handle personal data (i.e. non reliable information) would be the best protection for an individual, whose personal whereabouts wouldn’t be easily found.

Q. Do you think it is in practice possible for Google to comply with the Court’s ruling?

A. Yes, but the decision is wrong and Google shouldn’t be forced to comply. The balancement between individual rights and public needs can only be assessed by a Court and we can’t bear the risk of letting a private company to decide what we should and shouldn’t find. The Google Spain ECJ decision shift the burden of protecting the public interest on a private company’s shoulders. To put it short: the ECJ ruling gave Google the legal power to re-write the History.

Q. What do you consider to be a ‘reasonable time’ for companies to put in place an acceptable response to the CJEU’s ruling?

 ?A. I don’t think a general answer is possible. There are issues to be considered such as the number of users’ claims, the kind of legal issues involved by every single claim, the impact on the technical infrastructure and so on that make giving a figure a roll of dice.

Q. The proposed new EU Data Protection Regulation would give data subjects an even stronger ‘right to be forgotten’. Do you think the UK Government are right to oppose this?

A. Again, data protection doesn’t equal right to privacy. The upcoming EU regulation shouldn’t deal with the right to be forgotte because it is an out of scope issue that should be handled within the EU Convention of Human Rights framework.

Q. How do you think an acceptable balance can be achieved at EU level between the public’s right to know, and the right to privacy?

A. By re-affirming and hardening the principle that online (as offline) the main legal liability is on the natural person that performs an action. In the specific case, if a fact is true and reported in a proper way there is no reason to erase it. Following the contrary opinion, today we wouldn’t know anything about the Lucius Catilina’s attempted golpe because his heirs might legitimately ask, after about 2.000 years, that their ancestor be let rest in peace.

The news of the day is that the lawyers of an indicted Italian politician will ask the Italian Data Protection Authority to block the publication of a video ?covertly-made by a journalist portraying this indicted politician while serving his sentence in and elder-care facility (as a substitution for a 4 month jail term.)

While it is (still) not known whether the request will actually be filed, the news is a confirmation that the Data Protection Act is now seen as an effective tool to remove “unpleasant” information from the public sources in the name of “privacy protection”.

It will be interesting to see if, in this case, the Italian Data Protection Authority will follow the censor attitude showed back in the 2006 in the case of a TV show that exposed several Italian MPs to make use of drugs.

It really doesn’t matter whether, in this case, the Data Protection Authority shall block the video or not. The point is that by confusing “privacy” with “data protection” and giving room to a devious interpretation of the “right to be alone” – such in the Google Spain case – on the long term we are making impossible the work of the future historian and, on the short term, we are favouring the possibility for the powers-that-be to finally get back its dark, quiet obscurity where anything can happens, hidden from the public scrutiny.

In the name of “privacy”.

The Italian translation of the European Court of Justice’s Google Spain ruling is affected by serious translation errors that undermine its meaning.

The first recital of the conclusions read, in Italian

L’articolo 2, lettere b) e d), della direttiva 95/46/CE … deve essere interpretato nel senso che, da un lato, l’attività di un motore di ricerca … deve essere qualificata come  ?trattamento di dati personali ?, … e che, dall’altro lato, il gestore di detto motore di ricerca deve essere considerato come il  ?responsabile ? (enphasis added) del trattamento summenzionato, ai sensi dell’articolo 2, lettera d), di cui sopra.

The same word, “responsable” appears in the Spanish text, ? while the English text uses the words “data controller”, that Under Sect. 2 of the Dir 95/46/CE is a different legal position

Article 2(b) and (d) of Directive 95/46/EC … are to be interpreted as meaning that, first, the activity of a search engine … must be classified as ‘processing of personal data’, … second, the operator of the search engine must be regarded as the ‘controller’ in respect of that processing, within the meaning of Article 2(d).

The difference between Google being “data processor” or “data controller” is a serious one so it is of the utmost importance to find out which translation is the correct one, since the Italian courts and the Data Protection Authority are likely to refer to the Italian text.

The answer is the the English text is correct and both the Italian and Spanish are wrong. This conclusion comes from the fact that the recital points to sect. 2 lett. d) of the Directive that contains the definition of “data controller”.

But the mistakes of the Italian text don’t stop there. Talking about the role of the websites and blog owners, the translations uses the word “editori” as a false friend of the English word “publishers”. “Editore” in Italian means an entrepreneur whose business is selecting and publishing books and, broadly speaking, contents. While the Court is obviously referring to everybody handles a website, no matter if for business or what.