Did you know?
Your clients may be within their rights to request that your company delete all their personal records, even if you lawfully obtained them.
A 2014 case, heard in the Court of Justice, European Union, between Google Inc and the Spanish Data Protection Agency created some virtual waves in the legal and Internet technology industries, particularly given the ever-expanding swathe of data collected about each of us, every time we use a search engine or access social media sites.
This case is particularly interesting given the potential impact it has for Website Terms of Service and Privacy Policies in South Africa.
The case concerned a Mr. Gonzalez, who requested that the Spanish Data Protection Agency instruct Google to remove all personal data relating to him so that his personal search data did not show up in Google searches of his name.
Mr. Gonzalez had some undesirable electronic information linked to his name, which was presented in a mix of web pages, images and other files, and he wanted this to disappear. The data protection agency upheld this request and issued the instruction to Google Inc and its local subsidiary.
Several appeals and many millions in legal fees later, Google agreed to remove the sensitive information from its search results, heralding a victory for privacy, with some caveats.
A right to privacy
The decision is naturally confined to the European Union, but it resulted in several other websites, such as Reddit, Twitter and Facebook, banning users from posting intimate photos and ‘revenge porn’ without the consent of the parties in the photos.
Additionally, the decision will serve as authority for other courts and countries, not least of which is South Africa. Our Protection of Personal Information (POPI) Act contains provisions similar to those used in the EU’s directive relied upon by Mr. Gonzalez, which aim to regulate the processing of personal information.
Thus, there may be grounds for South African citizens to claim their right to be forgotten, providing the ability to hit delete on some of the massive information canvas our online presence creates and regain some element of privacy.
Once the Information Regulator is appointed under the POPI Act, the office will be tasked with regulating aspects of privacy control and data regulation, and the processing of personal information of the nature discussed in this article.
Relating to business
From a business perspective, this is a significant judgment in that it may permit clients of a company to request the deletion of all personal records — not inconsiderable in light of the lengths to which many businesses go to collect personal information about their existing and potential clients.
This must of course be tempered by the lawful and legitimate use of information, which is required for legislative and commercial purposes.
Further, this affects our rights in terms of litigation, where posts on social media, comments on web pages or articles may be discovered during the litigious proceedings and used as evidence against a company in matters involving product liability, insolvency, defamation and vicarious liability (where the company is held liable for the actions of its employees), to name just a few.
In short, while the judgment affected a behemoth like Google on an international scale, the implications of not ensuring that you are adequately protected against the improper use of data and its processing may be severe — on both an individual and a company level.