Airbrushing history? Photos of Oxford Student Celebrations Raise Questions About Privacy Rights and Journalism

Airbrushing history? Photos of Oxford Student Celebrations Raise Questions About Privacy Rights and Journalism

A former Oxford University student asked image agency Alamy to remove photographs of her celebrating the end of exams. Now, the photographer accuses Alamy of “censoring the news”.  Is this a threat to freedom of the press, or has the woman’s human right of privacy been correctly protected?

The end of exams are a liberating and happy time for university students around the world. At Oxford, students take their celebrations to another level by partying en masse in the streets, covering each other in champagne, shaving foam, confetti, flour and silly string in a tradition known as “Trashing.”

Screenshot 2018-10-14 at 9.37.21 AM
An Alamy photo of Oxford celebrations from 1968. “Trashing” has become a bit more crazy since the 1990’s.

Speaking to the Press Gazette, Photographer Greg Blatchford explained that during the 2014 Trashing, a student invited him to take photographs of her celebrating on the public streets. Some of the images show her swigging from a bottle of champagne, while in others she is covered in silly string.

Blatchford then sent “about 20” images to Alamy as news content. The former student subsequently stated that she “loved” the images in email correspondence to Blatchford, and even shared them on Facebook. This summer, four years later, the woman contacted Alamy to have the photos deleted. The company removed the images – much to Blatchford’s dismay.

Screenshot 2018-10-14 at 9.37.58 AM
An Alamy stock image of Oxford University Trashing celebrations. Note: THIS IS NOT ONE OF THE SUBJECT PHOTOGRAPHS.

The right to be forgotten under the GDPR

Because the woman was able to be identified from the photographs, they constitute “personal data” as defined by Article 4 of the General Data Protection Regulation (GDPR). Under Article 17 GDPR, data subjects have the right in certain circumstances to compel the erasure of personal data concerning him or her.

For example, if the data was originally collected or used because the individual gave their consent, and that consent is subsequently withdrawn, the company may honour the request for deletion (Article 17(1)(b)). However, a company can also use a “counter attack” if an exception applies. Importantly for news and media agencies, if keeping the data is necessary for exercising the right of freedom of expression and information, they may be able to refuse the request and keep the data (Article 17(3)(a)).

For more details on how the right to be forgotten works in practice, see my earlier post, Now You’re Just Somebody That I Used to Know.

Are journalists under threat from privacy lawyers?

Blatchford explained that although they are now considered “stock images,” they were originally “news” photos and should not have been removed. By deleting the photos, Alamy “are censoring the news. I’m incensed that someone can influence news journalism and censor the past where clearly if photographs are taken in public, with the full consent of participants they can turn around and say ‘sorry, that’s not news’ later. This sets a precedent for anybody to walk up to a news organisation and say I don’t like the pictures of me. Journalists will then start feeling the threat of lawyers.”

In a statement to the Press Gazette, Alamy’s director of community Alan Capel said the images were submitted as news four years ago, but moved 48 hours later to the stock collection. “Therefore we are surprised that this is deemed to be ‘censoring the news.’ As per our contract with our contributors, we can remove any images from our collection if we see a valid reason to do so.”

The university said that participating in trashing can lead to fines and disciplinary action since it is against the university’s code of conduct
The comical images of students wearing sub fusc (formal academic attire) while partying are often published in newspapers around the country in May.

Privacy and press freedom have long been considered competing interests, but that’s not to say that striking an appropriate balance between the two is impossible.

On some level, I do sympathise with the photographer. I also struggle to buy Alamy’s argument that the images are not “news content” and are now “stock images.” The classification of an image should be based on its context, purpose and subject matter – not the time that has elapsed since the event, nor the label attributed to it on a website.

Stock images are, by definition, professional photographs of common places, landmarks, nature, events or people. By contrast, the Oxford Trashing photos are attributed to a specific time (May), place (Oxford), category of people (students), and event (celebrating the end of exams). They are popular for several reasons. Firstly, they illustrate a charming and comical juxtaposition. Although these students attend one of the oldest and most prestigious Universities in the world, they are – after all – entitled to a bit of fun. Secondly, Trashing has received increased press attention in recent years, as students have become subject to complaints fines, disciplinary action, and even police enforcement. These images clearly show, in ways that words alone cannot, matters of public interest.

Screenshot 2018-10-14 at 1.04.41 PM.png

In this particular instance however, I think Alamy have made the right decision in deleting the images.

Although the Press Gazette does not name the woman, it does note she is “a marketing director in New York.” It’s entirely plausible that she has valid concerns that the images of her participating in Trashing may negatively impact her reputation and career, or otherwise cause some sort of harm or embarrassment.

She claims that “there was no consent given to publish or sell my photos anywhere. I am not a model nor have given permission to any photographers to take photos of me to publicly display or to sell. This was a complete breach of privacy.” This contradicts what the email records show, but even if she had lawfully consented to the photographs being taken at the time, she is entirely within her rights to now withdraw consent. 

On balance, Alamy probably has dozens – if not hundreds – of images from the 2014 Trashing at Oxford. The likelihood that the images of this woman in particular are somehow especially newsworthy is minimal. Had Alamy refused to delete the photos, the woman would have been entitled to raise a complaint with the Information Commissioner’s Office. ICO enforcement action can include injunctions, sanctions, or monetary fines. Furthermore, Alamy would risk becoming known as an organisation that doesn’t care about privacy laws, thereby damaging its reputation.

Contrary to Blatchford’s concerns, it is doubtful that an organisation would delete a genuinely newsworthy image, simply because someone doesn’t like how they look. The right to be forgotten is not an absolute right to be purged from history, but a right to regain control of how information about you appears online.

For more details on how the right to be forgotten works in practice, see my earlier post, Now You’re Just Somebody That I Used to Know. If you’re interested in how celebrities control images of themselves, see Fame and Fortune: How do Celebrities Protect Their Image?

Header image by Alex Krook via Flickr

Sir Cliff Richards v BBC: is publicity the soul of justice?

Sir Cliff Richards v BBC: is publicity the soul of justice?

You don’t have to be a privacy or media lawyer to have heard of the sex abuse allegations levied against celebrities in the entertainment industry over the last few years. The investigations concerning Sir Cliff Richard, a famous British musician, included a widely-televised raid on his estate in Berkshire by South Yorkshire Police. Nearly four years after the BBC first named and shamed Sir Cliff in what is now considered to have been “sensationalist” journalism, the High Court has determined that his rights of privacy were infringed.

What makes this case so interesting is that it does not focus on defamation —that is, the publication (or voicing) of a statement which adversely affects another person’s reputation. Instead, Sir Cliff won his case on the basis that the BBC’s wrongful disclosure of his private information was an invasion of his privacy. 

In Sir Cliff Richard v BBC and South Yorkshire Policethe Court considered if suspects who have not been formally charged by police have a reasonable expectation of privacy in respect of the criminal investigation. How are an individual’s rights to privacy balanced against the freedom of expression enjoyed by media organisations? That the suspect in this case is a celebrity only complicates matters, as it calls into question the importance publishing private details in the name of public interest.

Prosecutors said in 2016 that there was not enough evidence to justify criminal charges against Mr. Richard, one of Britain’s best-known entertainers, with a career spanning some 60 years. However, the BBC stands by their reportage of the allegations, and I suspect the BBC will indeed appeal this decision.

As if written for the stage, the Justice Mann’s 120-page judgement begins with a summary of key characters and the plot as it unfolded…

Related image
Daniel Johnson, in front of Sir Cliff’s Berkshire estate

Daniel Johnson, an investigative journalist for the BBC, received a tip-off from a police insider in June 2014 that Sir Cliff was under investigation for historic sex offences against a child. In a manner some would consider blackmail, Johnson “exploited the opportunity to get confirmation of his story about Sir Cliff, and more details if possible” from the South Yorkshire Police (SYP). In exchange for Johnson not publishing the story immediately, the SYP promised that he would be given advance notice of the search of Sir Cliff’s estate. The raid was eventually conducted in August 2014, with BBC crew waiting at the gates and helicopters hovering overhead to capture the whole ordeal.

In case you’re wondering where the Beeb’s lawyers were, the BBC held a meeting to discuss whether to name Sir Cliff and when to broadcast. In her testimony, Senior Editor Fran Unsworth explained that “the legal risk was diminishing because they had got a lot of confirmation of the facts of the story”. The principal legal concern seems to have been in respect of factual accuracy and defamation, and not privacy – as “the lawyers had not flagged that up to her as a specific risk” (para 111).

scne2
the (not very exciting) footage shows plain-clothes police entering Sir Cliff’s estate.
scene1
Three gloved individuals appear to be looking through what is likely Sir Cliff’s office

The legal framework of Sir Cliff’s privacy claim is enshrined in European Convention on Human Rights, brought into force in the UK by the Human Rights Act 1998.

Article 8 sets out the right to privacy: “Everyone has the right to respect for his private and family life, his home and his correspondence. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law […] or for the protection of the rights and freedoms of others.”

Article 10 upholds the BBC’s competing rights of expression: “Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers. The exercise of these freedoms, since it carries with it duties and responsibilities, may be subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society [including those] for the protection of the reputation or rights of others.”

In instances where which both Article 8 and Article 10 are engaged, the Court has to perform a balancing and weighing act to ascertain which predominates. Neither article has prima facie precedence over the other.

Article 8 privacy protections arise only where an individual has a reasonable expectation of privacy. For example, if I have a conversation with my friend in a crowded coffee shop in central London, I cannot reasonably expect our discussion to be protected as truly private.

The 77 year-old singer told the Court that he suffered an “unbelievable amount of hurt and pain” after the BBC broadcast the allegations that he had sexually assaulted a boy in 1985. “It felt like torture, sustained over almost two years. It felt as though everything I had done, everything I had built and worked to achieve, was being torn down, like life itself was coming to an end.”

But one might wonder if, as a celebrity, Sir Cliff cannot claim to have an expectation of privacy. A certain amount of emphasis was given by the BBC to the fact that Sir Cliff was a public figure, and one who had promoted his Christian beliefs. Because Sir Cliff had been so vocal (ie public) about Christian morality, the BBC considered that his alleged sexual crimes against a child qualified as a matter of public interest. To that point, the Court acknowledged that in certain special circumstances, the public’s right to be informed can extend into private aspects of public figures (para 276).

However,  Rocknroll v News Group Newspapers [2013] EWHC 24 (Ch) upheld that a public figure is not, by virtue of their fame, necessarily deprived of his or her legitimate expectations of privacy. Axel Springer v Germany 39954/08 [2012] ECHR 227 also makes clear that the safeguard afforded by Article 10 to journalists is subject to the proviso that they are acting in good faith and on an accurate factual basis, and that they provide “reliable and precise” information in accordance with the ethics of journalism.

In considering the BBC’s argument that the stories about Sir Cliff had been published in the public interest, the Court disagreed, saying that reporters at the BBC “were far more impressed by the size of the story and that they had the opportunity to scoop their rivals.” (para 280) This echoes the findings in Axel Springer, in that photographs and commentary which expose a person’s private life cannot be considered to have been published in the name of public interest, if they were in fact made public only to “satisfy the curiosity of a particular readership” (Axel Springer, para 48). It is unsurprising in my view that Justice Mann “came to the clear conclusion that Sir Cliff’s privacy rights were not outweighed by the BBC’s rights to freedom of expression” (para 315).

Publicity is the very soul of justice. In the darkness of secrecy, sinister interest and evil in every shape, have full swing. Only in proportion as publicity has place can any of the checks, applicable to judicial injustice, operate. Where there is no publicity there is no justice.

Jeremy Bentham. legal and social reformer (1748 – 1832)

Will this case have a chilling effect on media freedoms? Writing for The Guardian, Professor of Financial Journalism Jane Martinson argues that “as long as the media reports accurately – making it clear when a suspect is under investigation for a serious crime, rather than arrested or charged – there should be no bar to the public knowing what is going on.” However, in my view this fails to take into consideration the complexity of public perception. In his concluding remarks, Justice Mann cited “the failure of the public to keep the presumption of innocence in mind at all times” as an aggravating factor against the BBC.

Other criticisms focus on the point that this case provides an undeserved blanket of anonymity to criminals, providing a way to keep allegations against possible abusers secret. Whether or not there is a reasonable expectation of privacy in a police investigation is in actuality fact-sensitive question, and is not capable of a universal answer (para. 237). According to Police Guidance on Relationships with the Media, the names or identifying details of suspects of crime should not be released by police to the press or public, unless special circumstances apply — such as threat to life, the prevention or detection of crime, or a matter of public interest.

The inevitable stigma attached to the extremely serious allegations against Sir Cliff made the invasion of privacy even worse. When an individual’s good reputation is tarnished, even wrongfully, it may never be recoverable. This is especially harmful to celebrities, who rely so heavily on public favour. In my view, Sir Cliff Richards v BBC is not a sweeping new precedent that stifles freedom of the press: it simply restates the statutory protections afforded by the Human Rights Act within the context of already-established European and English case law.

Now you’re just somebody that I used to know

Now you’re just somebody that I used to know

The GDPR has been in force for less than two weeks, but Europeans have already started to contact companies left, right and centre to exercise their newly enshrined statutory “right to be forgotten.”

However, this right is not absolute, and only applies in certain circumstances. Let’s look at the balancing act between a data subject’s right to have their data erased on the one hand, and an organisation’s need to maintain data for legitimate purposes, on the other.

Organisations (data controllers and processors) are obliged to only collect and use personal data in a lawful manner, as set out in Article 6. There are several types of “lawful processing,” including in instances where an individual grants his or her explicit and informed consent. But lawful processing also covers the use of data for a controller’s legitimate interests, the performance of a contract, or legal obligations, such as fraud prevention. For more on lawful processing, check out my earlier post – Lights, camera, data protection?

With this in mind, it’s important to note that only in certain scenarios does an individual have the right to be forgotten. Under Article 17(1), their data must be either:

  1. no longer necessary for the original purpose
  2. processed based on consent, which is now withdrawn
  3. processed based on the organisation’s legitimate interests, which the individual objects to;
  4. processed for direct marketing purposes, which the individual objects to;
  5. processed unlawfully (in contravention of Article 6);
    or
  6. erased to comply with a legal obligation.

But before an organisation hits “delete” it must see if any purposes for retention apply. In pre-GDPR days gone by, data subjects had to prove they had the right for their data to be erased. The burden now lies with the controller to prove that they have a legal basis for retaining the data. If so, the organisation has a lawful reason to refuse the erasure request. In fact, deleting data when an exemption does apply could be a breach of the law!

The purposes for retention under Article 17(3) are:

  1. the right of freedom of expression and information;
  2. complying with a legal obligation, or for performing a task in the public interest;
  3. for reasons of public health;
  4. for archiving in the public interest, including scientific or statistical research; or
  5. for the establishment, exercise or defence of legal claims.

Additionally, “manifestly unfounded” or “excessive” requests may be refused outright.

From what I’ve seen in practice over the last few days, most erasure requests are made because an individual no longer wants to receive marketing emails. Fair enough: in shifting responsibility onto corporate controllers, the right to be forgotten strengthens individual control. It also signifies public disapproval of entities which process – and, in some instances abuse – enormous quantities of personal information without the explicit consent or knowledge of the individuals concerned.

For those of us interested in the societal and human rights implications (I’m telling you – data protection isn’t just for the techies amongst us!) it’s worthwhile to consider how journalism fits into the picture.

As Oxford’s International Data Privacy Law summarises rather eloquently: The nebulous boundaries and susceptibility to misuse of the right to be forgotten make it a blunt instrument for data protection with the potential to inhibit free speech and information flow on the Internet.

As early as 2012, Reporters Without Borders (formally, Reporters Sans Frontières) criticized the right to be forgotten – then in early draft stages – as a generalised right that individuals can invoke when digital content no longer suits their needs. This runs the risk of trumping the public interest in the information’s availability. RSF also contends that the demand for complete erasure of online content, or the “right to oblivion”, could place impossible obligations on content editors and hosting companies.

EU Commissioner Viviane Reding responded to the criticism from RSF by explaining that the [GDPR] provides for very broad exemptions to ensure that freedom of expression can be fully taken into account.

Note – this post covers the statutory Right to Erasure under Article 17 of the GDPR. Although related, it is distinguished from the recent high-profile cases against Google, in which the English Supreme Court held that a defendant convicted of a crime was entitled to the right to be forgotten, and therefore delisted from Google search results. A more serious offence, with fewer mitigating circumstances, did not attract the same right.

photo © Cassidy Kelley

Lights, camera, data protection.

Lights, camera, data protection.

Cannes: movie stars, auteurs, glamour, the French Riviera, and… data privacy?

Before the cameras start rolling, a film production company will need to agree service contracts for cast and crew.  In honour of the Cannes Film Festival happening this week, let’s consider how data protection issues need to be addressed for an actor’s contract.

A standard Actor’s agreement will cover payment, travel and residence allowances, box office bonuses, and of course, intellectual property.  But if the production company intends to process a significant amount of personal data about the Actor – such as dates and locations of filming, and details of travel arrangements and accommodation –  the agreement should also contain a data protection clause.  Remember that “processing” is widely defined, and covers any activity involving personal data, including storing, sharing, or reading.

Related image
The Cannes 2018 poster, featuring an image from Jean-Luc Godard’s 1965 film “Pierrot le Fou.”

“The Actor agrees and hereby give her consent to the holding and processing of personal data relating to the Actor in any form, whether obtained or held in writing, electronically or otherwise, by the Producer.”

The above clause may be acceptable under the UK Data Protection Act 1998, but is problematic under the incoming General Data Protection Regulation (GDPR).

Consent. As worded above, the Actor is providing the Producer with blanket consent to process her personal data.  Under the GDPR, consent means “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Art. 4(11)).

Given that this is a contract between a prospective employee and her boss, there is an imbalance of power between the parties. Accordingly, the Actor’s consent statement is unlikely to be considered “freely given” as is required under the GDPR.  Furthermore, personal data processing should neither be disguised nor bundled with the provision of a contract (Art 7(4)).

Even in other contexts, it would be unwise to rely on the Actor’s consent for processing, as this can cause difficulties if consent is withdrawn at a later date.  It is therefore advisable to rely on another lawful basis.

Another lawful basis? “Lawful basis” is just another way of saying “reason to do something.” Consent is just one of the six lawful bases permitted (Art. 6 GDPR). As the conditions for consent are very strict and unlikely to be met in this scenario, the Producers should consider their other options:

  • Contract: Processing is necessary for a contract with the person. Employment contracts are certainly applicable in this instance: for example, the Producers must process the Actor’s bank details to pay her.
  • Legal obligation: Processing is necessary for the Producers to comply with the law. This could include their tax obligations for HMRC, or complying with money laundering regulations.
  • Legitimate interests: The Producers must process the data for their legitimate interests. This could include business purposes such as sending out publicity emails with the Actor’s name and contact details, posting her image on social media, and so on. This is the most flexible basis to rely upon, but requires the Producers to demonstrate (inter alia) that their objectives are not unreasonable, and do not harm the Actor’s human rights (Recital 47).
  • The other lawful bases of protecting vital interests and carrying out a public task are not applicable in our scenario, but worth noting for completeness.

To be GDPR compliant, the clause could be amended to something like:

The Producers will collect and process the Actor‘s personal data in accordance with the Privacy Notice annexed to this Agreement. The Actor will sign and date the Privacy Notice and return it to the Executive Producer within 10 days of signing this Agreement.

The purpose of the Policy Notice is to provide the ActorActor with the information she is entitled to receive as a data subject (Articles 13 and 14). The Privacy Notice, likely to take the form of a letter, will explain how the Producer obtains, uses, and retains the Actor’s personal data. It will also set out the relevant lawful bases for each type of processing, and explain how the Actor can exercise her rights (Articles 15 through 22 inclusive).

Of course, the work doesn’t end once the agreement is signed. The Producers will need to make sure anyone who handles personal data within their organisation understands the new requirements under the GDPR. Having clear policies is only part of the story: those policies will need to be followed.

It’s a common misconception that the GDPR is just about IT security and marketing emails filling up your inbox. In reality, the legislation will provide enhanced rights for data subjects, and it’s important to remember that employees are data subjects too.

The Six Principles of Data Protection: Facebook fails

The Six Principles of Data Protection: Facebook fails

Facebook may believe that dubious data collection and security practices justify a more connected audience: the incoming General Data Protection Regulations say differently.

Once again, data privacy is in the headlines. But this time, it isn’t a credit agency or department store that has fallen short of consumer expectations: instead, it’s Facebook. Much credit is due to Carole Cadwalladr and her team at The Guardian, who first broke the the Cambridge Analytica story.

#DeleteFacebook was trending on Twitter for a while, and I myself was considering ditching my account – not least because I simply don’t use Facebook often. While I’ve decided against deletion, I was genuinely saddened – although, in retrospect, not surprised – to come across the leaked 2016 “Ugly Truth” Memo from a Facebook executive Andrew “Boz” Bosworth. You can see the Memo in full at Buzzfeed, but the part that hit me hardest reads as follows:

We connect people. Period.

That’s why all the work we do in growth is justified. All the questionable contact importing practices. All the subtle language that helps people stay searchable by friends. All of the work we do to bring more communication in. The work we will likely have to do in China some day. All of it.

The natural state of the world is not connected. It is not unified. It is fragmented by borders, languages, and increasingly by different products. The best products don’t win. The ones everyone use win.

“Questionable contact importing practices”? By Bosworth’s own admission, “the ugly truth is that we believe in connecting people so deeply that anything that allows us to connect more people more often is de facto good.”

The General Data Protection Regulations (GDPR) say differently. With less than two months to go until the implementation date of 25 May (!) I’ve set out a little refresher on the main responsibilities for organisations below.

Article 5 of the GDPR contains Six Principles of personal data collection and processing. The data controller (the company collecting or otherwise controlling the data) are responsible for, and must be able to demonstrate, compliance with these principles.

(A) Processed lawfully, fairly and in a transparent manner.
A company collecting data must make it clear as to why the data are being collected, and how the data will be used. The company must provide details surrounding the data processing when requested to do so by a person whose data is collected (the “data subject”). “Questionable practices” are likely neither fair nor transparent!

(B) Collected for specified, explicit and legitimate purposes.
Have you ever filled in a form, only to think, “why am I being asked this question?” This principle states that organisations should not collect any piece of personal data that doesn’t have a specific purpose, and a data subject must give explicit consent for each purpose. A lawful purpose could mean fulfilling a contract: for example, your address is required for shipping something you bought online.

(C) Adequate, relevant and limited to what is necessary.
Companies strive to understand customer buying behaviours and patterns based on intelligent analytics, but under this principle, only the minimum amount of data required may be stored. Asking for one scanned copy of a drivers’ licence may be adequate, but asking for a drivers’ licence, passport, and birth certificate might be more than necessary.

(D) Accurate and, where necessary, kept up to date.
Controllers must ensure personal data is accurate, valid and fit for purpose. Accordingly, data subjects have the right under Article 16 (Right of Rectification) to rectify any personal data held about themselves.

(E) Kept for no longer than is necessary.
This principle limits how data are stored and moved, and for how long. When data is no longer required, it should be deleted. This is closely related to the Right of Erasure (“Right to be Forgotten”) under Article 17, which I previously wrote about in respect of the Google case in England.

(F) Processed in a manner that ensures appropriate security.
This principle is perhaps what most people think about when they think of data protection. It means that IT systems and paper records must be secure, and the security must be proportionate to the risks and rights of individual data subjects. Negligence is no longer an excuse under GDPR!

In 2016, a Gallup study found that Millennials (those of us born between 1981 and 1996) are generally aware of potential data security risks, but less likely to be concerned about them. Prior to familiarising myself with these principles, I simply thought data protection was another phrase for “IT security”. I thought it was just about firewalls, encryption, and outsmarting hackers.

But in the months I’ve been helping clients to get ready for the GDPR, I’ve realised that compliance is about more than just having strong passwords: it really is a mindset. That’s what’s so disappointing about Facebook’s apparent attitude towards the end consumer, in which people are seen only as a series of clicks or “likes” which can be analysed, predicted, and manipulated – at any cost. My Facebook account may remain active, but I for one will certainly be less engaged.

Photo credit – Book Catalogue

Google prepares for the first “Right to Be Forgotten” trials in England

Google prepares for the first “Right to Be Forgotten” trials in England

All human beings have three lives: public, private, and secret.
― Gabriel García Márquez

The European Union’s Court of Justice decision in Google Spain v Agencia Española de Protección de Datos, Mario Costeja González (“Google Spain”) confirmed the “right to be forgotten” for European citizens. This right is further enshrined in the upcoming General Data Protection Regulations (GDPR). Accordingly, European data protection law grants individuals a qualified right to have personal data relating to them removed from search engines.

This right is however considered by some to be a uniquely European phenomena, which resulted from one unusual CJEU judgement. Now, two upcoming cases against Google will be the first time in which the “right to be forgotten” will be considered by the English Courts. 

Two unnamed claimants, known only as NT1 and NT2, are bringing a companion case against Google to enforce their right to be forgotten. (NT1 v Google and NT2 v Google,  [2018] EWHC 67 (QB) (Rev 3))

Continue reading “Google prepares for the first “Right to Be Forgotten” trials in England”

A Soundtrack for Data Security

A Soundtrack for Data Security

So much of the explosion in innovation in the music industry is around technological processes. But artists still need to focus on their art. To do so, they need to surround themselves with tech-savvy people. And hire a good lawyer.
– Gigi Johnson, Director of the Center for Music Innovation, University of California Los Angeles

Privacy policies are painful to read, not least because they’re very technical, boring, and long. According to a recent study, if the average person read every privacy policy for each website they visited in a given year, it would take approximately 244 hours, or 40 minutes each and every day. In spite of this, privacy policies have begun to attract mainstream attention.

Continue reading “A Soundtrack for Data Security”