CASE COMMENT

NT1 and NT2 v. GOOGLE LLC

WC2A 2LL
In the Royal Courts of Justice Strand, London
(Before MR. JUSTICE WARBY)

“THE GDPR”

-Somya Sharma
-Roll No: A045
-SY BLL.LB
(Semester IV)
The judgement of the court was delivered on 13 April 2018 by Justice Warby.

Introduction

The right to be forgotten is a principle and concept that has been practised in the European
Union and also since 2006 in Argentina. The right to be forgotten “reflects the claim of an
individual to have certain data deleted so that the third person can no longer trace them”. 1 It
has been defined as “the right to silence on past events in life that are no longer occurring”.2

Facts and Background

Introduction:

The claims in this case are about the “right to be forgotten” or more precisely, the right to
have personal information “delisted” by the operators of internet search engines (ISEs).

Facts:

 The two claimants, NT1 and NT2, are two businessman who were convicted of
criminal offences many years ago. The defendant, Google, operates as an ISE called
Search which has returned and continues to return information that is linked to other
reports about the claimants’ conviction.
 In late 1990’s and in early 21st century, NT1 and NT2 were respectively convicted
under the Data Protection Act, 1998 after a trial of criminal conspiracy linked with
their businesses, where they were sentenced to imprisonment. Such reports were also
put up by Google. After NT1 and NT2’s sentences were completed, they requested
Google on 28 June 2014 and 14 April 2015 respectively to de-list such information.
Google on 7th October 2014 and 23rd April 2015 respectively replied with agreeing to
block certain links but declining for the other links to be blocked. Further requests
were also made but Google stood by its position. On 2nd October 2015, both NT1
and NT2 moved to the court seeking orders for removal of such reports interfering
with their rights, preventing Google to use these reports in the future too and also
monetary compensation.
 The claimants argued that Google’s refusal to de-list the reports which violated six of
the data protection principles listed out in Schedule 1 of the Data Protection Act,
1998 and in particular that none of the conditions of Schedule 2 and 3 that would
allow Google to legally process such data were met, that the personal data was
irrelevant and inaccurate and that such data was kept online longer than it was
necessary for the processing purposes. Google on the other hand used a number of
arguments to defend it claim. It argued that its search function is protected under
Article 13 of the E-Commerce Directive3.

1
Weber, Rolf H. "The right to be forgotten." More than a Pandora's Box 2 (2011)
2
Pino, G. (2000). "The right to personal identity in Italian private law: Constitutional interpretation and judge-
made
  It argued that the claims of NT1 and NT2 were an abuse of the process, by using data
protection law and misuse of private information to avoid a claim in defamation.
Google also argued that the listing of the aforementioned reports was very much in
the public’s interest and hence legitimate.

Issues

The main issues4 stated in each case can together be combined as:

 Whether the claimant is entitled to have the links in question excluded from Google
Search Result either because one or more of those links contain personal data which is
accurate or because for that and/or other reasons the continued listing of those links
by Google involves and unjustified interference with the claimants’ data protection
and/or privacy rights.
 If that is the case, then, whether, the claimant is also entitled to compensation for
continued listing between the time between the time of the delisting request and the
judgement.

Comment

The above two cases put forth the problem of lack of a clear legal basis while administering
justice and, here specifically, in interpreting the right to be forgotten due to which, no proper
legal provisions were taken into consideration while deciding upon two Indian cases in Sri
Vasunathan v. The Registrar5 and Dharmraj Bhanushankar Dave v. State of Gujarat6
dealing with this very right. Regulation (EU) 2016/679, also known as the General Data
Protection Regulation(GDPR) came into force on 25 May 2016. It replaced the Directive
95/46/EC, the DP Directive’ from which the DPA emerges7. Article 17 of the GDPR
recognizes the Costeja Judgement brings into light a ‘Right to Erasure’, which can be
requested if certain grounds are met. What the GDPR essentially does is detailing,
broadening and defining the scope of the right to be forgotten and making it a fundamental
data subject right and requiring data controllers to enable EU citizens to exercise their right.

GDPR Recital 65 among others covers a data subject’s right to have personal data
concerning him/her rectified and the right to be forgotten where retention of the personal data
would infringe the stipulations of the GDPR or another law to which the controller is a
subject. GDPR Recital 65 further details the particular situations where the right to erasure
applies:

 Where the personal data is no longer necessary to achieve the purposes for which they
are collected or processed.
 Where a data subject has withdrawn his or her consent.
 Where a data subject objects to the processing of his/her personal data
3
Article 13 of the E-Commerce Directive 2000/31/EC and Regulation 18 of the Electronic Commerce(EC
Directive) Regulations 2002 (SI 2002/2013)
4
https://www.judiciary.uk/wp-content/uploads/2018/04/nt1-Nnt2-v-google-2018-Eewhc-799-QB.pdf
5
Sri Vasunathan v. The Registrar General,  2017 SCC OnLine Kar 424 [decided on 23rd January, 2017]
6
Dharamraj Bhanushankar Dave v. State of Gujarat and Ors. [SCA No. 1854 of 2015]
7
privacylawbarrister.com/2018/04/17/nt1-nt2-v-google-llc-the-information-commissioner-intervening-2018-
ewhc-799-qb/
  Where the data subject has given his or her consent as a child and is not fully aware of
the risks involved by the processing, and later wants to remove such personal data,
especially on the internet,
 Where the processing of personal data does not otherwise comply with the GDPR

Whereas GDPR Recitals shed light on the reasoning and context, the GDPR Articles contain
the essence. As said, in the case of the right to be forgotten that is essentially GDPR Article
17.It kind of summarizes the essence regarding the right to be forgotten, the exceptions and
the fact that it is a data controller task. The grounds upon which a data subject can exercise
the right to be forgotten as Article 17 summarizes them are:

 The personal data is not necessary in the context of the purpose of

collection and/or processing.
 Consent to process is withdrawn by the data subject and there is no other
legal processing basis.
 The processing of the personal data has been done in an unlawful way.
 The personal data have to be erased for legal obligations to which the data
controller is subject.
 Processing occurs in the context of children and their personal data
collected via information society services.

It is likely that most matters concerning the right to erasure concern private parties as data
controllers. With respect to the Indian cases, the existing jurisprudence on the right to privacy
as interpreted under Article 21 of the Indian Constitution may also be of limited value.
Further, as has been pointed out above, the right to be forgotten needs to be a right qualified
by conditions very clearly, and its conflict with the right to freedom of expression under
Article 19 of the Constitution of India.

Therefore, it is imperative that a comprehensive data protection law addresses these issues.
The right to be forgotten, however, is distinct from the right to privacy, as, the right to
privacy constitutes information that is not publicly known, whereas the right to be forgotten
involves removing information that was publicly known at a time and not allowing third
parties to access the information thereafter. Limitations of application in
a jurisdiction include the inability to require removal of information held by companies
outside the jurisdiction. There is no global framework to allow individuals control over their
online image. However, Professor Viktor Mayer-Schönberger, an expert from Oxford
Internet Institute, University of Oxford, said that, “Google cannot escape compliance with
the law of France implementing the decision of the European Court of Justice in 2014 on the
right to be forgotten”. Mayer-Schönberger said, nations, including the US, had long
maintained that their local laws which have “extra-territorial effects"8.

From a claimant and a claimant-lawyer point of view, the judgment is distinctly conservative.
A decision that URLs about criminal convictions should be delisted at the point the
conviction becomes spent would have opened the floodgates to claims, backed by conditional
fee agreements against Google. A more proper basis for not awarding damages to NT2 taking
into account the judge’s criticism of the way it was pleaded might have been that the damage
8
(September 23, 2015)Expert: Google Can Not Escape French Law on Right to Delist. Yibada.com
suffered was minimum. Finally, as the judge eloquently explained, we are in the twilight of
the Data Protection Act 1998 and the dawn of the General Data Protection Regulations
(‘GDPR’) is nearly upon us and also said that the GDPR will come into force from 25 May
2018. From that date, delisting requests will be founded on the GDPR. While NT1 and
NT2 will no doubt be persuasive, the underlying law is changing. The right to be forgotten
will be codified in statute as the ‘right to erasure’. In short, individuals’ data protection rights
will be strengthened.