On March 9, 2017, the Court of Justice of the EU (“CJEU”) handed down a ruling limiting the reach of its prior “right to be forgotten” jurisprudence, by holding that the right does not prevail over society’s interest in access to official public records of company details required by law.

In its famous Costeja/Google Spain ruling, the CJEU upheld a man’s request to have the Google search engine remove links to press articles about debt recovery proceedings he had been involved in 16 years earlier.  The CJEU held it was no longer legitimate to process his personal data and return those results when searching for the man’s name online via a search engine.

In today’s case (C-398/15 Manni), Mr Manni complained that references to his prior directorship of an insolvent business in an official and publicly available Italian register of companies were impeding his ability to do business.  Mr Manni’s company had gone insolvent in 1992, and was wound down and struck off the register of active companies in 2005.  Details of Mr Manni’s links to the insolvent company had been picked up by credit rating agencies, and this was, he alleged, preventing his new company from completing real estate sales.

Relying on Costeja/Google Spain, and pointing to the age of the records in question, Mr Manni requested the deletion or anonymization of the records, and claimed 2,000 Euros in compensation.

Declining to uphold his request, the Court held that in light of the range of possible, legitimate uses for data in company registers (even after a company has ceased trading), and the different limitation periods applicable to such records found in Europe, it was impossible to identify a suitable maximum retention period.  EU Member States therefore cannot provide a general right to be forgotten from public company registers.  The CJEU gave several reasons why depriving individuals of a blanket right to be forgotten was “not disproportionate” in this case:

  • Only a limited amount of personal data needs to be included on the register;
  • The data is made publicly available, in part, due to the economic risk that third parties face when dealing with limited liability and joint-stock companies.  Therefore, “it appears justified that natural persons who choose to participate in trade through such a company are required to disclose the data relating to their identity and functions within that company, especially since they are aware of that requirement when they decide to engage in such activity;”
  • Generally, “the need to protect the interests of third parties in relation to joint-stock companies and limited liability companies and to ensure legal certainty, fair trading and thus the proper functioning of the internal market take precedence” over the rights of an individual making a right to be forgotten request;
  • However, there may be “specific situations” where an exception can be made owing to “overriding and legitimate reasons”, but in those cases the data should not be anonymized or deleted, but rather access to it should be limited, after a “sufficiently long period” after the dissolution of the company, to third parties able to demonstrate a “specific interest” in consulting that data. Even so, national legislatures are entitled to decide whether or not members of the public can in fact apply for such “exceptional” limitation of access to their data in public company registers.

The CJEU then held that Mr Manni’s loss of business opportunities was not a “legitimate and overriding reason” for the registry record to be restricted from public view.

The Manni case represents an interesting development in the Court’s jurisprudence relating to the newly established “right to be forgotten”.  It also remains an open question to what extent the right, as established by the CJEU in the Costeja/Google Spain case, will be altered or revised as a result of the codification of the related right in the General Data Protection (“GDPR”), which comes into force in May 2018.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.