Lim You Xiang/George Hwang
The Court of Justice of the European Union’s (CJEU) decision in Google Spain v AEPD and Mario Costeja Gonzalez made waves last month because it ruled that search engines are data controllers and extended principles of the right to access and to object onto include the “right to be forgotten”. Closer home, in Hong Kong last year, the Privacy Commissioner in the “Do No Evil” case held that an aggregator of information in the public domain has breached the purpose limitation principle of its Personal Data (Privacy) Ordinance.
Both cases deal with information which have found its way, legally, into the public domain. In the law of confidential information, such information are no longer protectable. However, in privacy laws, whilst such information are available in/to the public e.g. dining in a restaurant or walking on the street with a knife in hand in the throes of suicide , the law prevents them from being spread. In simple terms, it prevents information in the public domain from being more public.
These two cases consolidate the position that personal data protection law protects privacy rather than confidential information. Whether these decisions will influence the interpretation of Singapore’s Personal Data Protection Act (PDPA) which comes into effect on 2 July 2014 remains to be seen.
Google Spain v AEPD and Mario Costeja Gonzalez
Mario Costeja González, a Spanish national, relied on the EU Data Directive to sue a newspaper publisher and Google over announcements published in 1998 about an auction for his foreclosed home. While the debts have been paid long ago, the information was still available via Google Search more than a decade later. The matter consequently wound up in the CJEU, which then clarified how the EU Directive should be construed with reference to online search engines.
The main crux of the ruling by the highest court in the EU was that search engine operators such as Google must consider wishes from individuals to remove links to freely accessible third party web pages resulting from a search made on basis of their name. This is the case even if the information linked is not prejudicial to the individual. Moreover, this obligation remains even if the personal information has not been removed by the webpages from which the data originated. This means that while the information might still be in the public domain, search engines nevertheless must delink this webpages if necessary under the EU Directive.
Of note is the court’s opinion that given the ubiquitous nature and considerable ease of information access via the Internet, search engines play a far more important role in the protection of privacy and personal data protection than media publishers do. The processing of data by Google allows users to ascertain a more or less detailed profile of an individual. This greater influence on the fundamental right to privacy by internet search engines was brought up by the court in its ruling. Furthermore, the court even held that, as a general rule, an individual’s fundamental right to privacy and data protection should override that of the public interest in having that information and definitely the economic interests of the search engine.
“Do No Evil” Smartphone Application
The report by the Office of the Privacy Commissioner was based on an investigation conducted upon four complaints citing concerns that a certain smartphone application had contravened the Hong Kong Personal Data (Privacy) Ordinance.
Shrewdly named “Do No Evil”, the application collected litigation, bankruptcy and company directorship data of individuals from different public sources and collated these data such that users can access them for the purpose of conducting background checks.
While all the information could be found on the public registers from which they originated, the Commissioner found that personal data gleaned from the public domain was not available for unrestricted use. The Commissioner highlighted that the service provided by the App had seriously contravened with the original stated purpose of the personal data that was publicly available. The App had greatly deviated from the explicit/implied purposes established in the public registers from which the information was gathered. Such use of legitimate records was found to have exceeded the reasonable expectations of data subjects as to how their information would be used. As such, the smartphone application was told to cease disclosing all of the personal data.
In the report, it was observed that an individual does not surrender his right to data privacy by virtue of disclosing data in the public domain. The Commissioner pointed out the severe risks of intrusion on privacy rights if publicly available personal data is to be profiled and aggregated for the convenience of others. Additionally, the lack of restriction or monitoring of which the data could be further used was seen as aggravating to personal privacy.
Interestingly, the Hong Kong report also pointed toward a “right to be forgotten” in its investigation, where it found that the smartphone application had not prescribed a retention period for the personal data, undermining any offender’s chance of rehabilitation.
Citing other legislation such as the Bankruptcy Ordinance which offers time limits on retention of bankruptcy records, the Commissioner opined that the smartphone application could have potentially “adversely and indefinitely affected persons” that have been adjudicated bankrupt or sued against before, thus being unfair to these individuals’ rights.
Whilst the EU case made waves because it affected search engines and is one of the few cases on the concept of “the right to be forgotten” internationally, it is the Hong Kong case which has wider applicability. “The right to be forgotten” applies mainly to old information whilst the purpose limitation principle referred to by the Hong Kong Privacy Commissioner could apply to both old and current data. Telemarketers using a telephone book could potentially be in breach of the purpose limitation principle, since the purposes of a telephone book is to identify phone numbers of individuals and not for the purpose of marketing calls.
The Schedules on the exceptions to getting consent for collection, use and disclosure in the Act include information in the public domain. Whether the Commission or the courts will limit the scope of the exceptions like these two cases remain to be seen.
These cases interpreted the personal data protection laws in view of express rights to privacy provisions in constitutional documents. For the Google case, it is a regional human rights convention, European Convention on Human Rights, and the Charter of Fundamental Rights of the EU. For the “Do No Evil” case, it is the Hong Kong Bill of Rights Ordinance. In Singapore, where we have no express provisions on privacy in our Constitution, it will be interesting to see how the court will decide should this point be raised.
Unlike the common law of confidential information which existed before independence, hence accepted as law of the land by virtue of Article 162 of the Singapore Constitution, protection of informational privacy is a statutory right which the government has delayed in introducing till 2012. We need to know where the rights of the data subjects are derived before we can balance them against the interests of the data users.
—Intentionally left blank—
Lim You Xiang
George Hwang LL.C.
George Hwang LL.C.
This article has been published in “.Connect”, the Licensing Executives Society (LES) Singapore Newsletter of 02/2014