Chris writes:
If as a private citizen in the EU you construct a card-file index of newspaper cuttings (or any other kind of database) including personal details about a group of individuals, you are becoming both a "data processor" and "data controller".
I think that's the plain meaning of the ECJ decision.
It would be hard to argue that a Wikipedia article or Wikidata entry does not represent personal data in a retrievable form.
I agree here too.
It would be an interesting question whether the Wikimedia Foundation or individual Wikimedians were data processors and controllers. The court would have to decide who was the "controller" of this data, if indeed there was one.
My intuition is that a European court, and certainly the ECJ, would be likely to hold either or both WMF and individual Wikimedians liable. No need to choose between one or the other, given the breadth of the definitions.
I don't believe Wikipedia could be a data controller as it has no legal personality, and legal personality is quite difficult to acquire when you set out to avoid acquiring it.
On this point I must disagree.
However, even if my line of thinking is correct, I think Wikipedia's existing policies wouldn't need much amendment. Processing of personal data is allowed so long as it complies with the various duties on data processors, e.g. being accurate and processed for a legitimate purpose.
Accuracy is no defense! That's one of the chief lessons of the ECJ opinion. And building an encyclopedia is not named as "a legitimate purpose" by the ECJ. (If it were, all Google would have to do is revive its own experiment in encyclopedias, Knol, but this time give it a compatible Creative Commons license.)
We have quite a clear purpose in processing data - the provision of an encyclopedia. We already limit ourselves to truthful and accurate coverage of data subjects (e.g. the BLP policy); and we already have something analogous to a public-interest test as to whether we process this data at all (the notability principle).
Google has a clear purpose too, and it was no defense. Plus, there is a public-interest argument in favor of eschewing the erasure of true, accurate public data that happens to be old.
Plus, it must be said, Wikimedia Foundation is not well-positioned to litigate these issues again and again in Europe.
--Mike
On Mon, Jun 2, 2014 at 4:02 PM, Chris Keating chriskeatingwiki@gmail.com wrote:
On Fri, May 30, 2014 at 6:39 PM, Mike Godwin mnemonic@gmail.com wrote:
Chris writes:
As I understand it, the "right to be forgotten" will only affect the discoverability of content, rather than existence of content.
So if we rely on a source which says that person X did Y many years ago, and X succeeds in invoking their "right to be forgotten", then the source will no longer appear in search engine results. The source, whether offline or online, will continue to exist and will continue to be a valid reference.
My understanding may well be wrong, and if there is anything that summarises this issue as it affects Wikimedians I would be really interested to read it.
Your understanding is essentially correct, as far as it goes. The ECJ (aka "Curia") opinion makes clear that the decision applies to search engines but not (yet) to the databases of source journals (such as The New York Times or the Guardian).
But of course it can affect the work of Wikipedia editors and other Wikimedians looking for online sources if search engine results can be censored in this way. In addition, it seems possible that the ECJ opinion can be understood to apply to Wikipedia itself, which, while not a search engine, may qualify as a "controller" as that word is defined under Article 2 of Directive 95/46 of the European Parliament ("on the protection of individuals with regard to the processing of personal data and on the free movement of such data"). Look at these relevant definitions from the text of the ECJ opinion:
Hi Mike - thanks for the reply! Having looked and thought about it in a bit more depth, I am pretty sure that you're right and that a case can be made this precedent will apply to Wikimedians and possibly the Wikimedia Foundation.
Whether that is something we need to worry about is another issue, but this is my reasoning (obviously I'm not a lawyer, etc, and I doubt this post contains anything you don't already know but it's a useful thought process for me);
If as a private citizen in the EU you construct a card-file index of newspaper cuttings (or any other kind of database) including personal details about a group of individuals, you are becoming both a "data processor" and "data controller".
This judgement determines that Google's indexing of information about an individual is covered by the rules that apply to data processors and controllers. Google argued that their work was not covered, a) because they did not know the contents of their own data (it all being generated algorithmically) and b) because the personal data was entirely intermingled with non-personal data.
It would be hard to argue that a Wikipedia article or Wikidata entry does not represent personal data in a retrievable form.
It would be an interesting question whether the Wikimedia Foundation or individual Wikimedians were data processors and controllers. The court would have to decide who was the "controller" of this data, if indeed there was one. I imagine they would be hard to persuade that the data had no "controller", and easy to persuade that the WMF's provision of technical infrastructure which interprets the data and present it represented "control" in the sense of 2d. Wikimedians might however jointly be "controllers" if they played a particularly important role.
I don't believe Wikipedia could be a data controller as it has no legal personality, and legal personality is quite difficult to acquire when you set out to avoid acquiring it.
However, even if my line of thinking is correct, I think Wikipedia's existing policies wouldn't need much amendment. Processing of personal data is allowed so long as it complies with the various duties on data processors, e.g. being accurate and processed for a legitimate purpose.
We have quite a clear purpose in processing data - the provision of an encyclopedia. We already limit ourselves to truthful and accurate coverage of data subjects (e.g. the BLP policy); and we already have something analogous to a public-interest test as to whether we process this data at all (the notability principle).
Regards,
Chris
Article 2 of Directive 95/46 states that ‘[f]or the purposes of
this Directive:
(a) “personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
(b) “processing of personal data” (“processing”) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
...
(d) “controller” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law;
...
Article 9 of Directive 95/46, entitled ‘Processing of personal
data and freedom of expression’, provides:
‘Member States shall provide for exemptions or derogations from the provisions of this Chapter, Chapter IV and Chapter VI for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.’
(Note that "processing of personal data" need not be done "by automatic means." I read this to mean that Wikipedia editors themselves may qualify as engaging in the "processing of personal data." And the definition of "controller" expressly includes a "natural ... person."
Assuming that Member States would assert jurisdiction over Wikipedia (even though Wikipedia is hosted in the United States), could Wikipedia articles be defended under the "solely for journalistic purposes or the purpose of artistic or literary expression" language of Article 9 of the Directive? That language doesn't strike me as a very good fit for what Wikipedia does.