With all the stir about the European Court of Justice’s enunciation of the “right to be forgotten” in its May 2014 decision in Google Spain v. Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez, Canadian companies may justifiably be concerned as to how this controversial principle applies to them.
The case arose when Gonzalez, a Spanish national, complained to privacy authorities that Google searches continued to reveal a record of proceedings for the recovery of Gonzalez’s social security debts even though the proceedings had been resolved. The ECJ ruled that the EU’s Data Protection Directive affords individuals, in certain circumstances, a “right to be forgotten” that applies regardless of whether any undue prejudice can be shown.
“Since this ruling, privacy regulators, legislators, courts and consumers have tried to determine the boundaries of the right and how to implement it,” says Adrienne Blanchard, a partner at Norton Rose Fulbright Canada LLP in Montréal. “Although there is still a great deal of uncertainty, Canadian companies that engage or intend to engage with EU-based companies or residents should at a minimum find a way to ensure that personal information or data is stored in such a manner that it is possible to identify and delete it on request.”
Roger Watkiss, also a partner at Norton Rose, says Canadian companies must be alert to differences in the way North America and Europe approach privacy rights. “Because the ECJ decision makes the individual data holders and processors responsible for determining the integrity and relevance of information, Canadian companies dealing with the EU could be subject to a great deal of scrutiny, especially because there’s a fundamental divide between the perception of privacy rights here and in the EU,” he says.
But quite apart from the impact in the EU, the ECJ decision could focus more attention on the right in Canada. Although Canadian legislation doesn’t deal with the “right to be forgotten” in express terms, the concept is certainly not foreign to domestic legislation. “Both the Personal Information Protection and Electronic Documents Act and provincial privacy legislation give individuals the right to request that their online information be removed if the information is inaccurate or incomplete. The legislation also requires business to erase data that has become obsolete.
“I expect that both the federal and the various provincial privacy commissioners will be going after this kind of thing more aggressively in the wake of the developments in Europe,” Watkiss says. “Companies should expect and plan for heightened enforcement efforts regarding retention rules.”
That being said, Québec is the only jurisdiction that provides a direct right of action and whose legislation directly addresses reputational issues. Complainants relying on other provincial or federal legislation will find that they have no direct right of action, and that the statutes do not address reputation. “Except in Québec, complainants must follow the process set forth in the legislation, which involves an investigation by the privacy authorities and a compliance order,” Watkiss says.
In Blanchard’s view, any attempt to legislate a “right to be forgotten” could produce a viable constitutional challenge based on the Charter of Rights and Freedoms. “The Supreme Court of Canada has been vigilant in protecting privacy rights against state intrusion, but has also stepped in to carefully guard freedom of expression in private or non-governmental disputes, such as those involving freedom of the press and collective bargaining rights,” the lawyer explains.
A further potential difficulty for Canadian businesses operating in the EU, however, is that the absence of an explicit right to be forgotten may threaten Canada’s place on the EU’s “white list,” which specifies countries that have privacy rights that are “equivalent” to those in the EU. The upshot of the “white list” is that companies with personal information relating to EU residents may freely transfer that information to countries on that list, thus significantly reducing obstacles to data transfer for multinationals.
Hopefully, greater clarity will emerge by the end of 2015, at which time the EU’s draft General Data Protection Regulation, which is still under consideration, should replace the existing directive that predated the Google decision. The regulation includes an express “right to erasure” that will extend to third parties to whom the data has been transferred.