Personal data on the Internet – can POPI protect you?

December 1st, 2014

By Nthupang Magolego

It is a general practice of many Internet users to enter their names on Internet search engines in order to see what appears or is stored under their names on the Internet. In fact, in one of the seminars I recently attended, on the subject of personal image and branding, attendees were advised to manage their online or Internet image by being careful about what they put or publish on the Internet under their names, and by also occasionally searching their names on Internet search engines in order to stay informed about what is stored under their names.

What happens, then, when you enter your name on an Internet search engine and some undesirable personal information appears under or linked to your name? What legal recourse is available to ensure that the undesirable personal information is removed or ‘forgotten’? On 13 May 2014, in a matter between Google Spain SL, Google Inc v Agencia Española de Protección de Datos (AEPD), Mario Costeja González (case no C-131/12, 13-5-2014), the Court of Justice of the European Union (the EU Court) handed down what could be termed a landmark judgment on the right to privacy in relation to personal data on the Internet. The judgment involved the processing of personal data or information by the Internet search engine, Google. Incidentally, the judgment came amid the promulgation in South Africa of the Protection of Personal Information Act 4 of 2013 (POPI) into law.

Even though the application of the above EU Court decision is territorially confined to the European Union States, it may serve as a basis in South Africa for purposes of determining whether POPI can be interpreted in a manner in which Google or other Internet search engines may be requested to remove personal data from their database or indexes.

Internet search engines

In order for the EU Court decision to be construed in the correct context, it is necessary to understand how Internet search engines operate. An Internet or web search engine is a software system that is designed to search for information on the World Wide Web. The search results are generally presented in a line of results and may be a mix of web pages, images, and other types of files. The search engines work by storing information about many web pages and the information is then analysed in order to determine how it should be indexed. Data about web pages are then stored in an index database for use in later queries. The index database is then used to respond to a query from a user. When a user enters a query into a search engine (typically by using keywords), the engine examines its index database and provides a listing of best-matching web pages according to its criteria, usually with a short summary containing the document’s title and sometimes parts of the text. (en.wikipedia.org, accessed 4-11-2014).

The AEPD case

During 2010, Costeja González, a Spanish national, lodged a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos) (AEPD) against a local daily newspaper as well as against Google Spain and Google Inc. The complaint centred on the fact that when an Internet user entered González’s name into the Google search engine, the user would obtain links to web pages of the daily newspaper, wherein an announcement appeared mentioning or involving González in a real-estate auction for the recovery of certain debts.

González firstly requested the newspaper to either remove or alter the personal data relating to him on their web page. Secondly, he requested that Google Spain or Google Inc be instructed to remove the personal data relating to him so that the personal data ceased to be included in the search results.

The complaint against the newspaper was dismissed as the AEPD viewed the publication by the newspaper to be legally justified as it took place in terms of the law, and was intended to give maximum publicity to the auction in order to secure as many bidders as possible.

The complaint against Google Spain and Google Inc was upheld. The AEPD held that operators of Internet search engines are subject to data protection laws because they are involved in the activity of data processing. The AEPD ruled that it has the power to require operators of Internet search engines to delete data if the dissemination of the data infringes on the fundamental right to privacy and dignity of individuals. The AEPD held that the obligation to delete personal data may be imposed directly on Google, without it being necessary to delete the data from the website where the data originally appears (ie, the newspaper web page), including when retention of the information on that originating web page is justified by law.

Google Spain and Google Inc brought separate actions against that decision before the National High Court. The court stated that its deliberation on the matter depended on the way in which the Directive of the European Parliament and Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data (Directive 95/46/EC) is interpreted.

The court then decided to stay the proceedings and to refer various questions relating to the interpretation of Directive 95/46/EC to the EU Court for a preliminary ruling, the relevant questions being:

  • Can Google’s activity of locating personal information published on the Internet by third parties, indexing it automatically, storing it temporarily and finally making it available to Internet users according to a particular order of preference, be interpreted as falling within the concept of ‘processing of data’?
  • If the activity is regarded as data processing, can Google be regarded as the ‘controller’ of the personal data contained in the web pages that it indexes?
  • If Google is a controller as defined, can Google delete from its indexes information published by third parties, without addressing this with the third party on whose web page that information is located?
  • Would Google be obliged to delete personal data if the personal data has been lawfully published by third parties and is kept on those third parties’ web pages?
  • What are the rights of data subjects in relation to the processed and disseminated data?

The EU Court considered the provisions of Directive 95/46/EC, including the conditions that a controller must comply with when processing personal data, these conditions being that:

  • Data must be processed fairly and lawfully.
  • Data must be collected for specified, explicit and legitimate purposes.
  • Data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.
  • Data must be accurate and, where necessary, kept up-to-date.
  • Reasonable steps must be taken to ensure that data that is inaccurate or incomplete is erased or rectified.

Considering the above, the EU Court decided that:

  • The operations of Google involve data processing as defined in Directive 95/46/EC, that is, any operation or set of operations (by automatic means or not) performed on personal data (any information relating to an identified or identifiable natural person), and such operations can either be the collection, recording, organisation, storage, adaptation or alteration, use, disclosure by transmission, or dissemination of data.
  • Google is responsible as a controller, for the processing of data, a controller being defined as a natural or legal person, public authority, agency or any other body, which alone or jointly with others determines the purposes and means of the processing of personal data.
  • Google can be required to remove information collected from third party websites, also in a case where that personal information is not erased beforehand or simultaneously from the third party web pages.
  • Google can be required to remove information collected from third party websites, also in a case where that publication from the third party web pages is lawful.
  • A data subject has a right to oppose the dissemination of the processed data through the search engine if the dissemination is prejudicial to him or her and his or her fundamental right to privacy, and that this right overrides the legitimate interests of Google and the general interest in freedom of information.

The impact of POPI on Google South Africa

In South Africa, Google (including other Internet search engines) may face similar (or possibly far-reaching) consequences due to the provisions in POPI that are analogous to those of Directive 95/46/EC.

The provisions of POPI apply to data processing by an entity that is domiciled in South Africa or, if not domiciled in South Africa, that uses automated or non-automated data processing means in South Africa.

POPI defines ‘personal information’ as ‘information relating to an identifiable, living, natural person … including, but not limited –

(a)     information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health … of the person …’.

‘Processing’ is then defined as ‘any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including –

(a)     the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use …’.

POPI has determined who is accountable for data processing and accordingly states that a ‘responsible party’ is accountable. A ‘responsible party’ is then defined as ‘a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.’

Furthermore, chapter 3 of POPI prescribes conditions that a responsible party must comply with when processing data and these conditions are that:

  • Data must be processed lawfully and reasonably in a way that does not infringe the data subject’s privacy.
  • Data must be processed for a specific purpose, and the data must be adequate, relevant and not excessive to the purpose for which it is processed.
  • The responsible party must obtain consent from the data subject when processing personal data. (This in my view will have stringent consequences for Internet search engines because the implication is that Internet search engines may now be expected to obtain consent from everyone whose personal data is to be processed, a practically impossible task.)
  • The responsible party must (with certain exceptions) collect personal information directly from the data subject.

Regarding the rights of data subjects, POPI has granted data subjects various rights in relation to the processing of their personal data, including the right to request the correction, destruction or deletion of that data subject’s personal information. A data subject can request that personal data be deleted if the data is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.

The effect of the above-mentioned provisions is that Google South Africa, which is domiciled in South Africa or uses automated or non-automated data processing means in South Africa, may have to comply with the provisions of POPI. This is because the activities of Google can be regarded as data processing, and if the processed data involves information relating to an identifiable, living, natural person, these activities will be regarded as the processing of personal data. Furthermore, Google will be the responsible party for such processing, seeing that it is the one that determines the purpose of and means for processing the personal information.

Conclusion

The provisions of POPI are, to a large degree, a replica of the provisions of Directive 95/46/EC. The EU Court’s interpretation of this Directive, as alluded to above, presupposes that Google South Africa (or other Internet search engines) may have to comply with POPI in their business of processing personal data. It is my submission that South Africans, just like their European counterparts, may also have a right to be forgotten by Google under the provisions of POPI.

Nthupang Magolego BIur LLB (UP) LLM (Unisa) is a Manager: Investigations and Enforcement at the National Credit Regulator in Midrand.

This article was first published in De Rebus in 2014 (Dec) DR 20.