'The General Shape of EU Internet Regulation After Google Spain': David Smith

I suppose I should start by saying what a pleasure it is to be here but I have to say it's with some unease that I'm here. Particularly in front of those who study the work that we do as a regulator. I think I should sort of know what I'm doing but I think many of you probably know more about my job than I know about it myself. Actually, there is just a note perhaps of caution there in what we're talking about. Because some of you do analyze what we do as a regulator and you say "this follows this" and "there is this pattern there" which sometimes is true but very often we just, I hesitate to say we make it up as we go along, but we just do what is right at the time.

David has an uncanny ability to make me particularly uneasy because you say "well you said that in that piece of guidance two years ago and now you're saying that today" and "how does that tie-up with this judgment on Satamedia or whatever". And I think I ought better to answer it but I haven't got the foggiest idea. I'm not sure that they did. Not everything necessarily does tie up and I wonder, if certainly for us as a regulator, I wonder if even with the courts a little bit and the CJEU whether you can analyze it too far and sometimes they just decide what's right on the day and in the circumstances.

I have to say David you made me even more uneasy by inviting me very kindly to the post-conference dinner at Trinity Hall which I'm sure much to its regret declined to have me as one of its students some forty three years ago when I applied to them. But you didn't know that unless it's on Google of course! It probably will be now.

What I want to do now and I have not got long is to talk just a little bit about how we see the judgments as the regulator, put it in a wider context, and then talk about not just the Google judgment but about the forthcoming Regulation and the impact that will have on the shape of EU regulation and the Internet.

So the judgment, we've talked about this, the crucial thing really for us was that the Court decided that Google was data controller, the way in which it processes personal data. And the clear message that we read from that is "look, you don’t escape EU law by some argument that you are neither a controller nor a processor or that you’ve come along since the legislation was developed and you are not caught by it. Eventually the law will catch up with you. So if you're doing anything as an organization or a business on the Internet that involves you manipulating information about individuals that has some sort of impact on them, you get caught" and – it's not "it’s not personal data" or "we’re not a controller" - you get caught. And of course you get caught territorially on applicability but I’ll leave that for discussion in the next session.

And then of course, Chris Pounder I think was right, once you get to "you’re a controller", EU law applies. Then it’s just binary. Once you are a controller, the whole obligations of the Directive then fall on you to comply with. Yes - that leaves us with a bit of a mess. There's a quandary: things like sensitive personal data. Forgive me David, don't ask me to answer that. There’s a problem there. But it will be solved somehow at some point and it's the right direction that we are heading in.

Of course implementation of the judgment - yes, there are critics of it - but there are 200,000 people now who have complaints to Google and nearly half of those have had the URLs removed and very few have ended up as complainants to Data Protection Authorities. So there are, I hesitate to say, a lot of satisfied people or a lot of people who have had real concerns and whose up privacy is better protected now so it is having exactly the right effect.

But let's just look at it in context. Again others, particularly Orla this morning, have talked about this as just part of the way the CJEU case law is going so I won't develop that further. I think what is very important for us is the emphasis that is being placed by the CJEU on the Charter and particularly on Article 8, the right to data protection and seeing that coming through and we, I think all of us in this data protection community, owe a huge vote of thanks to a former chair of the Article 29 Working Party Professor Rodota. I have to say, not for the way he chaired the meetings, but for the work he did in actually working politically to get this data protection right inserted in the Charter of Fundamental Rights which was being developed. I don't think any of us, other than him, realized how important it would be and it really is making a big difference now. I think we are seeing this - not necessarily the Charter itself - but the direction of travel flowing through into the UK courts.

There was a case, just a High Court case, a few weeks ago in Northern Ireland concerning Facebook where an individual brought a case to court against Facebook and against someone who was running a Facebook page on "keeping our kids safe from predators." This was about outing paedophiles who had served their sentences and who were being rehabilitated into the community.

The Court there, not under data protection although data protection issues were raised, fined, not just the person running this page but Facebook themselves 15,000 pounds, I think it was, on the basis that they had a responsibility for the content that other people will putting onto Facebook.

We just got this direction of travel where Facebook isn't just a neutral place where you post information and it's only sort of between the individuals who posted it and the people who see it.

I'm sure Hugh will tell us more about today's Court of Appeal judgment which is all part of the same trend.

We talked about the courts being emboldened. I think we as regulators are emboldened as well because we’ve got a fair wind behind us. It’s all going in the right direction of travel.

I remember we at the ICO took a case up, this must be getting on for ten years ago, about police retention of data in the UK and essentially the police retain criminal conviction information forever and we thought that was excessive in data protection terms and although we won our case at the first stage tribunal, the Court of Appeal came down heavily against us. I think the Court of Appeal, well they might come to the same conclusion now, but their reasoning and approach would be much more favourable to our position now than it would have been. We’ve got, as I say, a fair wind behind us.

I think also, and this isn't the Google case, the Snowdon revelations do have a real impact on internet regulation in the future, the lack of trust, the impact on encryption - can we encrypt our messages and trust encryption? - the impact that this has on the draft European Regulation, where we see some of you will know Article 43a introduced by the Parliament, which attempts I think to do the impossible, to reconcile what's a conflict of laws. I mean, everybody points to the US but it's not just the US. Where businesses in Europe are required by US law to release information on, some significant penalty, from the US but releasing that information would actually be breach of the European legal framework. I have to say we as regulators can’t really resolve that, only governments and international treaties can. But it’s all playing into the proposed Regulation/the future Regulation. I think what we are seeing is that case law under the existing Directive is moving us actually closer to what's proposed in the Regulation, so maybe when we get the Regulation, eventually maybe a year's time from now, it won't be quite the leap that we were expecting because the case law will be a long way in that direction already.

Just a couple of points about the Regulation. I won’t go into detail about all of these but the material scope - that processing of personal data is huge - everything is caught. At one time we were talking "are IP addresses is caught by this?". Clearly they are now as technology moves on and we move to IPV6 they will be even more clearly personal information. So again technology is taking us more towards IP addresses being personal data. The law is taking is more to it. It's all converging.

Territorial scope we will not cover.

People place a lot of emphasis on consent and as a regulator I get very concerned about those who see consent as the answer to every problem and if we just give individual's consent to everything, you know, they will be protected that will be fine. And in practice, of course that doesn't work. People don't make informed choices, they just plough ahead. We need to think more intelligently than just seeing our consent as the answer.

We have the "right to be forgotten" in the Regulation as it was called although whether that will be the title at the end [we’ll see] because it was just as inaccurate as a title in the Regulation as it is about the Costeja decision. But what we do have there, that I think is very important, is this "right to object" where, put very simply, the way the law is currently structured, I can object to your processing of my data whether it's on the Internet or not. But I have to make the compelling case to you as to why that should happen. The onus if it goes through will be the other way around. I make my case, I just say I object, and you have to make the compelling case as to why you should continue to process. And I think, although there's been very little attention, if that comes through and that right exists this it really will shift the balance of power and put some very important rights in the hands of individuals.

Just to talk about the exemptions and derogations. David would think I was amiss if I didn't talk about the exemptions for freedom of expression. What I would just say, these are hugely important and the whole basis of the Regulation is about harmonization across Europe, the same rules. Yet when we come to the exemptions for freedom of expression these are left up to Member States. I happen to think that's right because I think harmonization is a step too far - more consistency yes - maybe not harmonization. So we still will see I think potentially significant differences in how this is applied.

I know I’ve only got a minute or so left so just a word about our role as supervisory authorities. I don't make any pleas, but life is getting more and more difficult for us. The Google decision, these decisions on what should be taken down, what links should be removed, are very difficult decisions. I mean there are extremes - anybody can make those - but the ones around criminal convictions and if it should just be spent convictions that come down. And what if they are convictions to do with commercial businesses fraudulent trading and you’re still trading? Even though it’s a spent conviction, should that go? Some very difficult decisions.

I have to say I think the Rynes decision makes life even more difficult for us because it does take us into processing by individuals. Yes you have your CCTV camera on your house, it's overlooking a public area and I think must be, by extension, if it's overlooking a neighbour’s garden, then that's probably not within the domestic exemption. So how do we deal with warring neighbours over someone's camera snooping on another? It's not just difficult to deal with the individuals who are complainants. Our tools, the enforcement tools we have, don’t enable us to deal with that. We have monetary penalties/administrative fines but they are not there for individuals. So we will make it work. We have this arrangement - the one-stop-shop - the consistency mechanism coming up through the Regulation which as it goes through discussions, in particularly the Council in Brussels, is just getting more and more complex. There are pages and pages just about how we ensure consistency across Europe. So I just come back to the point to conclude with, that Orla made, about the courts suggesting they might be indifferent to the disconnect between law and reality. I worry a little bit the same about those who are now drafting the Regulation and, particularly as we get up to the trialogue process, is there going to be a disconnect between those who are trying to come up with a legal instrument that solves everybody's problems and brings the whole of Europe - all 28 countries - together in one solution. They may do that, but will it address the reality? I think one of the realities in the end has to be this access to justice. It’s all about individuals and protecting individuals. Thirty pages of sort of legal niceties on how the one-stop-shop operates don't actually help individuals. They need simple, clear law - rights which are easy to exercise even if they're not perfect. And we aim a bit too much for perfection and not enough for effective rights in reality.