Chapter 7: The Right to be Forgotten / Right of Erasure

HTML VERSION

Chapter 7:
The Right to be Forgotten / Right of Erasure

I. Introduction: The European “Right of Erasure”

Development of a Canadian “right to be forgotten” follows the establishment of a European “right of erasure”.

[See GDPR, Art. 17; Google Spain case, Case C‑131/12 (ECJ).]

Canadian companies should be prepared to respond to inquiries from users claiming the right to be forgotten (or “right of erasure”). Responses should particularly address a reasonably appropriate purpose for data collection, limited collection, and limited data retention periods. It is advisable that these issues be addressed with careful consideration of related European legal developments regarding the right of erasure.

[See PIPEDA, s.3 and Sch. 1, Principles 4.4-4.5.]

Under European Union law, if a data subject requests his/her name to be de-indexed from search queries, the search engine (as a data controller) must comply. The search engine must also take reasonable steps to inform other controllers processing the same data of the data subject’s request. The European right of erasure can apply even if the data was already in the public domain, and if the publication was lawful in itself.

[See Google Spain, Case C‑131/12 (ECJ) at para. 88.]

An exception to this rule applies if public access to the information would justify the potential privacy harm to the data subject. Whether this exception can apply in any given case is a question of mixed law and fact.

[See GDPR Art. 17(3); Google Spain, Case C‑131/12 (ECJ) at para. 81.]

II. Potential For a Canadian “Right To Be Forgotten”

In the Canadian context, the OPC is presently attempting to determine whether a right to be forgotten is included within PIPEDA. In legal parlance, it has commenced a federal court reference to determine if Google is collecting, using, or disclosing personal information in the course of commercial activities, and if so, whether such indexing is justified under the PIPEDA exception for “journalistic, artistic or literary purposes”.

[See OPC, “Announcement: Privacy Commissioner seeks Federal Court determination on key issue for Canadians’ online reputation” (Oct 10, 2018); PIPEDA, ss.4(1)(a), 4(2)(c).]

Google responded with a broad constitutional argument grounded in the freedom of expression. However, this argument was dismissed on procedural grounds.

[See Canadian Charter of Rights and Freedoms, s.2(b); James McLeod, “Federal Court sidesteps constitutional questions — for now — in Google 'right to be forgotten' case” (Financial Post, Apr 30, 2019) re April 16, 2019 prothonotary decision (unreported).]

The expected next step is for the federal court to provide an answer to the OPC’s legal questions. Its arguments are expected to address:

• de-indexing by search engines;
• source takedowns from the originating data controller;
• geo-fencing (and related issues with virtual private networks [“VPNs”]); and
• special rules that apply for minors.

At the conclusion of the reference proceeding, the OPC will provide its final remarks with respect to the law affecting reputations online. Moreover, the OPC will continue to encourage Parliament, to “confirm the right balance between privacy and freedom of expression in our democratic society.” This position is consistent with the OPC’s prior condemnation of a foreign website, which indexed personal information found in Canadian court and tribunal decisions.

[See OPC, “Draft OPC Position on Online Reputation” (Jan 26, 2018); OPC, “Privacy Law Reform - A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy” (Dec 10, 2019) at 57; OPC’s Globe24h decision (PIPEDA Report of Findings #2015-002, Jun 5, 2015).]

However, while a final reference decision is pending, it is important to note that the reference result will not be binding. Under the current statutory framework, the result will merely be instructive for a subsequent OPC investigation and non-binding recommendation. In response to that OPC recommendation, Google may either comply voluntarily, or commence a de novo (i.e. “new”) proceeding, the decision for which would be binding. Alternatively, the OPC can commence the de novo proceeding itself, with Google’s consent.

[See PIPEDA, ss.13-15; Reference re subsection 18.3(1) of the Federal Courts Act, R.S.C. 1985, c. F-7, 2019 FC 261 at para. 17.]

III. Multi-Jurisdictional Complexities

The federal court reference (and de novo hearing) are expected to closely examine a glaring jurisdictional problem in global big data law. In mid-2017, the Supreme Court of Canada decided that Google was required to obey a censorship order worldwide. However, in late 2017, a Federal U.S. court refused to respect the Canadian order, on grounds including free speech. Google thereafter returned to Canada to gain recognition of the U.S. injunction in Canada.

[See Google v. Equustek, 2017 SCC 34; Google v. Equustek (U.S. District Court, ND Cal) preliminary injunction order and permanent injunction order; Equustek Solutions Inc. v. Jack, 2018 BCSC 329.]

More recently, the inability for any nation’s court to make a globally enforceable de-indexing order was confirmed in Europe.

[See Google LLC v. CNIL, ECJ C-507/17 (Sep 24, 2019) at paras. 72-73; ECJ Press Release No. 112/19 (Sep 24, 2019) at 2.]

In response to such global enforcement difficulties, Canadian courts have recently ordered a new remedy: a domestic blocking order. Such orders are directed to domestic internet services providers (“ISPs”), and require them to block certain domains, subdomains, and/or IP addresses.

[See Bell Media Inc. et al v GOLDTV.BIZ, 2019 FC 1432.]

Although a blocking order thereby helps to “control” visible internet content within a country, it is a limited remedy subject to at least three problems.

First, a blocking order may not be effective against the use of a VPN. Such networks use encrypted data tunnels to facilitate access to a “blocked” site, without the ISP’s knowledge or control. Second, a blocking order is directed toward specific parties, and is not able to restrict general access to the subject content from outside Canada. Third, blocking orders may offend domestic principles of net neutrality. In fact, the originator of the term “net neutrality” has testified before a Parliamentary committee, recommending a definition for net neutrality “with no blocking and no degrading allowed.”

[See ETHI Committee Report, “The Protection of Net Neutrality In Canada” (May 2018), under “Explicitly enshrine the principle of net neutrality in the Telecommunications Act?”]

The multi-jurisdictional complexities also apply with respect to de facto responsibilities of users on U.S. platforms. For example, if user-created content on a server in the U.S. is available for public access, the user arguably bears responsibility for that content under U.S. law. In other words, as suggested by a recent California case, it is the user—not the platform—that must ensure that such content is unavailable for third-party data scraping.

[See Communications Decency Act, 47 U.S.C. §230(c)(1); Matt Laslo, “The Fight Over Section 230—and the Internet as We Know It”, Wired Magazine (Aug 13, 2019); HiQ Labs, Inc. v. LinkedIn Corporation, No. 17-cv-03301-EMC, slip op. at 16-17, 35-37 (9th Cir. Sep. 9, 2019).]

The same responsibility may not exist if the public content is accessible only from a Canadian server. In Canada, privacy invasions can take place in public spaces, which arguably includes many social media websites. This would imply that websites may bear liability for making user information publicly available, to web-scrapers and the world at large. This result would be consistent with Canadian precedent that recognizes internet vendors as providers of a “conduit” for internet activity, and “more than mere witnesses” to such activity.

[See Vanderveen v. Waterbridge Media Inc., 2017 CanLII 77435 at paras. 20-21 (ON SCSM); York University v. Bell Canada Enterprises, 2009 CanLII 46447 at para. 26 (ON SC).]

With respect to international law, the forthcoming United States-Mexico-Canada Agreement (“USMCA”), discussed in Chapter 8, appears to create yet another enforcement obstacle. U.S. search engines are ostensibly insulated from liability under non-U.S. law, with limited exception.

[See USMCA at Article 19.17(2) and fn 7.]

IV. Conclusion

While the OPC has a clear mandate to pursue a right to be forgotten, it is still too early to assess whether such a right will come into force through the courts, through Parliament, or at all. Moreover, if a Canadian right to be forgotten emerges, the international enforceability of that right will also need to be addressed. A right to be forgotten requires global buy-in to have meaningful force, given the cross-jurisdictional nature of the internet.