Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

The right to be forgotten… for convicted criminals?

10.04.2018

Earlier in March 2018, the Maltese press reported and revealed that private individuals have successfully requested that court cases decided against them be deleted from local online databases of such judgements. The request was purportedly made on the basis of ‘the right to be forgotten’ yet ignored the legal principles of transparency, legitimacy, justifiability, necessity and proportionality. This matter led MITLA to review the right of erasure against other considerations at the law.

Five key points emerge from this Malta case:

1. Transparency: There is currently no rule, policy or procedure available that outlines the possibility of exercising one’s right to be forgotten with respect to the deletion of court decisions available on the Maltese online court database. There are no prerequisites stating unequivocally the circumstances in which this right might be successfully claimed or the parameters against which such a request would be measured or decided. Therefore there can be said to be no transparency whatsoever in the ‘system’. 

2. Legitimacy: There exists a clear and legitimate interest for court judgements to be placed on an online database and for judgements to be left online and publicly available for an indefinite period of time, irrespective of the subject matter and/or the parties involved, when proceedings have been carried out in public and there are no legal exceptions which expressly warrant exclusion from such a database.

There are international conventions as well as case law which have established clearly that in order for the requirement of ‘publicity’ to be satisfied, a judgement needs to be read out in an open court and deposited in a court registry where it is accessible to everyone1. According to the OSCE2, depositing the judgement in a public court registry is the minimum necessary to satisfy such a requirement for a party to the convention, such as Malta, not to be considered to be in breach of the ECHR. 

The Council of Europe Recommendation of the Committee of Ministers to member states on the delivery of court and other legal services to the citizens through the use of new technologies, R (2001) 3 of 28th February 20013, is furthermore insistent on the requirement of members of the Council of Europe, including Malta, to make national public registers as easily available to all members of the public as possible in the interest of “democratic participation”. This, of course, includes online resources. 

3. Justifiability: When all the relevant provisions of current data protection legislation are read together, it is clear that the right for data subjects to be forgotten does exist if the data is no longer required for the purpose that it was collected for, and if the data subject can prove that such processing is causing distress.  It is submitted that most, if not all judgements delivered, are always going to cause someone some level of distress but what makes this particular case different to all others who are similarly distressed by a court decision or judgement for one reason or another?

4. Necessity: The right of erasure needs to be weighed against other conflicting interests and rights, such as public interest and transparency, as mentioned above, and it then needs to prevail over such interests and rights so that the necessity to retain such data becomes secondary to the data subject’s right to be forgotten.  It also needs to be applied in a proportionate manner so as not to go beyond what is strictly necessary to safeguard the data-subject’s rights to the detriment of other third party interests.

5. Proportionality: Guidance so far issued by the Article 29 Working Party (14/EN WP225) was issued with respect to the implementation of the Costeja judgement (C-131/12) which focusses on de-listing from search engines, and not on the Manni judgement (C-398/15) which deals with online public records.  Nevertheless this guidance stresses the importance of balancing rights and achieving proportionality but also sheds light on public interest considerations. The application of public interest considerations are stronger when the request for erasure of pubic data is not being made against a search engine, or a newspaper but on the keeper of the public record.

While the right to be forgotten will certainly be developed further by the imminent applicability of the EU’s General Data Protection Regulation from the end of May, there is nothing in this regulation which can persuade that it is intended to include, in its purview, the possibility that court judgements and decisions might, at any point in time, be deleted from any online database within democratic Europe on the basis that the data contained therein are no longer required for their original purpose or that there is no overriding ground to retain such judgement or decision. 

However, it is submitted that if, similarly to Germany, there were to be a law passed by Parliament, equally applicable to all, enacted transparently following public consultation, which did not go against international obligations, and which could allow for some, if not all, criminal sentences to no longer be made available on the online court registry based on specific known and certain criteria, and only once criminal sentences had been served, and the debt to society had been fully paid, then there may be an acceptable legal basis to limit access to an online registry of a person’s criminal past. However, the German model cannot be completely followed as it is based on constitutionally entrenched principles of self-determination and the right to personality. Unfortunately, a bill presented in 2014 proposing the introduction of such concepts in the Maltese Constitution was never discussed by Parliament.

 

References: 

  1. See (2007) Case of Szücs v. Austria, The International Journal of Human Rights, 2:1, 101-104, DOI: 10.1080/13642989808406713
  2. See Access to Court Decisions – A legal analysis of international and national provisions, OSCE Rule of Law Department, 2008 at p. 13: http://www.right2info.org/resources/publications/publications/OSCE_AnalysisAccesstoCourtDecisions17092008.pdf
  3. Recommendation Rec(2001)3 of the Committee of Ministers to member states on the delivery of court and other legal services to the citizen through the use of new technologies (adopted by the Committee of Ministers on 28 February 2001 at the 743rd meeting of the Ministers’ Deputies): 

 

Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Höllwarthtobias.hoellwarth@eurocloud.org

VIEW PROJECT

WHAT IS THE DPC/CPC PROJECT?

53 lawyers from 33 countries are contributing to the project “Data Privacy Compliance (DPC)/Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start... Read More

 

CPC MISSION & VISION STATEMENT, 2018

The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.