Google fined in Peru for Ignoring the “Right To Be Forgotten”

The Peruvian Data Protection Authority has decided the first case in which applies the “Right To Be Forgotten.” Last March, this administrative office fined Google with USD 75,000 for refusing to remove negative search results linked to the name of a Peruvian citizen and impeding him exercising his right of cancellation of personal data. This decision from an administrative office, not a court, could have a deep impact on freedom of speech and innovation in Peru and everywhere.

The case

Since 2011, Peru has a Personal Data Protection Law which grants Peruvian citizens the rights to ‘access’, ‘rectification’, ‘cancellation’ and ‘opposition’ to the use of their personal data by third parties which records, stores, disseminates it. Whenever a citizen wants to exercise one of those rights, they must do so against the companies treating their personal data. Afterwards, if they don’t receive a satisfactory response, they can appeal to the Peruvian Data Protection Authority seeking a remedy.

In 2009, the news of a Peruvian citizen facing criminal charges for child pornography appeared in several national media outlets online and offline. Years later, his case was dismissed by the Peruvian justice due to lack of evidence. However, whenever someone searched for his name on Google, the original reports about the trial still appeared everywhere. He tried contacting every website to delete the reports but couldn’t reach all of them because they were abandoned blogs and bulletin boards. Then, he sent to Google a request for the removal of those links but the company answered him that they didn’t control the information and he should address his request to the webmasters of the sites troubling him. Finally, in late 2015, the citizen decide to take his case to the recently created Data Protection Authority at the Ministry of Justice.

The decision

The Data Protection Authority deemed Google responsible for treating personal data of Peruvians and, hence, compelled to respect their right to oppose or cancel their information from its database. In its resolution, the Peruvian Authority said that Google treats personal data because: (1) they use an automated and technical operation for the collection, storage and dissemination of information on their servers; and, (2) they allow the general public to conduct searches by first and last names, and showing links to sites containing potentially private information.

The company tried to argue that the party responsible of Google Search was Google Inc., not Google Peru S.R.L., and that they should be properly notified in its offices at Mountain View, California. For the authority, the activities of both companies were complementary and chose to fine both. Also, Google argued that the proceeding should be against the administrators of the websites where the contents were originally published. However, the authority considered that the use of web crawlers and the indexing of the information obtained were in itself a form of treatment of personal data.

In its decision, the Authority fined Google with USD 75,000 for (i) systematically impeding the exercise of data protection rights through a series of negatives, and, (ii) treating personal data without allowing the exercise of cancellation and opposition rights. The administrative office also ordered Google to block a list of sixteen URLs from being showed in connection with the name of the citizen. This decision could still be challenged in court by Google.

The implications

This decision closely follows the criteria set by the Spanish Data Protection Authority and presents the same challenges to free expression, innovation and due process already analyzed by several commentators. Mainly, this case opens two different discussions: (i) if the Data Protection Law applies or does not apply to search engines; and (ii) if that’s the case, if this so-called “right to be forgotten” is in accordance with the values of democracy and public memory. However, three other issues are remarkably particular to the Peruvian case and should be studied carefully.

First, the notion that Peruvian Data Protection Law could be applied to any foreign company using personal data from Peruvians. In previous decisions, the Data Protection Authority limited the scope of its jurisdiction to national domain names, web pages with a Peruvian IP address or with a known office in the country. This time the Authority was clear in establishing that not one but a series of (highly debatable) clues granted them jurisdiction over Google Inc.: (i) the treatment takes place in a Peruvian location, (ii) the responsible can be located in Peru, (iii) the tools from the treatment are located in Peru, (iv) the notification to the foreign company could be done over email.

The second controversial issue is the fact the administrative decision doesn’t precise if the blocking should limit to the Peruvian version of Google (.com.pe) or should be applied globally. In other countries, the decision of Google to obey national authorities in blocking search results in local domains but keep them unaltered in its global .com domains has been highly criticized. In this case, the Peruvian Data Protection Authority has addressed to both Google Inc. and Google Peru but without mentioning specifically the treatment to each domain.

Third, that every website that merely mentions the name of an individual is processing personal data under the Law. Although this is casually mentioned by the Authority, it means that every newspaper, blog or even social media account could receive requests for the cancellation of personal data registries and should grant them. Otherwise, they could be fined on the same grounds as Google. This mechanism doesn’t allow the publisher to oppose the cancellation for public interest reasons or other defenses, and his only mean to escape a fine is to act upon the request.

With its decision, the Peruvian Office creates a new private procedure that would allow any citizen to request that something that displeases them became “hidden” on the Internet to virtually any company local or foreign. In correspondence, it empowers national or foreign private companies to decide what has to be removed from the Internet under secret procedures. We believe that this solution is wrong and, if it’s confirmed in the Courts of Peru, there’s a lot to be worried about.

Illustration: Google Doodle

Leave a reply

Basic HTML is allowed. Your email address will not be published.