The Right to be Forgotten and the Future of Open Data Projects
The famous case of Mario Costeja González — Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD) — changed the Google search engine policy in the field of (post factum) privacy protection. The outcomes of the EU Court ruling is mostly referred to as „ the Google case” or „the right to be forgotten case”. But the effects can also chill (or even kill) open data projects which reuse official data from the court or other public registries.
Actually, the effect is on its way. The Italian Court has requested the European Court of Justice to deliver the preliminary ruling in the case of an Italian citizen whose name still appears in the official business registry despite the fact the he is no longer the head of the liquidated enterprise. The court asked following questions:
Must the principle of keeping personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed, laid down in Article 6(e) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, 1 implemented [by] Legislative Decree No 196 of 30 June 2003, take precedence over and, therefore, preclude the system of disclosure through the commercial registers provided for by the First Council Directive 68/151/EC of 9 March 1968, 2 and by national law in Article 2188 of the Civil Code and Article 8 of Law No 580 of 29 December 1993, in so far as it is a requirement of that system that anyone may, at any time, obtain the data relating to individuals in those registers?
Consequently, is it permissible under Article 3 of the First Council Directive 68/151/EC of 9 March 1968 [on coordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies, within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community], by way of derogation from [the principles] that there should be no time limit and that anyone may consult the data published in the companies register, for the data no longer to be subject to ‘disclosure’, in both those regards, but to be available for only a limited period and only to certain recipients, on the basis of an assessment case by case by the data manager?
The description of the case can be found on the EULawRadar website with links to similar cases. And only cases like the one we discuss here may in fact reverse the progress open data community made particularly in reusing business (companies) registries, data journalism or using tech for tackling corruption.
One of the projects conducted by the ePaństwo Foundation concerns creating a user friendly business registry the content of which is downloaded from the official registry maintained by the Ministry of Justice. Our product helps people related with business know their potential cooperators better and contributes to data journalism by enabling media to search by specific names. Since the ruling in Gonzalez case, each week we deal with similar requests concerning our product. Fortunately, the requesters have not had solid legal grounds to succeed but the Polish Data Protection authority is still obliged to deal with that. And so are we.
But with the expected ruling in the Manni Case we have to be prepared close our website. Although the newly released (so far not in English) opinion of the General Advocate explicitly states that the provisions mentioned in the preliminary question “must be interpreted as precluding that the personal data that are registered in the companies register may not be, after a period of time and on request of the data subject be delisted, made anonymous or blocked or made accessible only to a small circle of others, namely those who prove a legitimate interest in accessing such data.”but with the “Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on free movement of such data, and repealing Directive 95/46/EC” on its way which introduced the right to be forgotten into the EU legal framework, the open data community has to conclude its policy on how to fight the potential risks for their projects.
Firstly, we should think whether the fact that someone had a company is an element of one’s private life. Most information involving public officials and other people who perform public tasks or whose activities have a public rank are excluded from privacy protection not because of balancing or using the proportionality test but because what they do does not follow the definition of privacy. The latter concerns such circumstances, behavior, events that are not directly related to the exercise of a person’s tasks and powers of public authorities or carrying out other activities of public rank and importance.
Imagine that a database provider receives a request to erase some data regarding a person that was an unsuccessful candidate of the far right wing party twenty years ago and next year he wants to be an MP candidate of the Green Party. Far right does not necessarily go well with the Green Party so the person wants others to forget about his/her political past. Is this a privacy issue? Some can answer — yes, political views are a matter of privacy. My answer is: no. Information about the candidate (who has not even become a public official yet) is not a question of privacy but public responsibility. People have the right to know who are candidates for political posts. Or whom they have been before. So while discussing the balance between the right to know and the right to be forgotten, one should remember that the issue of privacy should not be risen in any of these cases.
Now imagine the former EU Commissioner wanting to erase her historical data from the company registry. And imagine it is not the registry held in Bahamas but in one of the EU Member States.
During the last International Open Data Conference in Madrid, thanks to Access Info and stiftung neue verantwortung (SNV) we had a chance to touch the issue. The problem will be also addressed by our Foundation at the Open Government Partnership Summit in Paris. But it seems that the open data community has to be much better prepared for the consequences of the right to be forgotten. For that reason we are inviting you to leave comments, opinions and ideas to elaborate on the policies concerning the problem of balancing personal data and the right to access public registries.