21.04.2017
What is the Commercial Registry’s Memory Span or How Broad is the Scope of the Right to be “Forgotten”?
On the March 9, 2017 the Court of Justice of the EU (CJEU) came forward with a decision on the Manni Case C-398/15, which clarified several key aspects of the right to be forgotten and more specifically some of the conditions under which the right can be exercised in pursuance of the erasure of data stored in public registers.
The right to erasure, widely known as the right to be “forgotten”, emerged from CJEU’s case-law after the renowned Google Spain decision from the spring of 2014. Recently, the right has been also embedded in Article 17 of the newly adopted General Data Protection Regulation (GDPR), which is expected to come into effect in May 2018. Therefore, the CJEU’s decision in the Manni case sheds some light on this new instrument in the hands of data subjects for the protection of their rights.
Facts of the Case
Mr. Salvatore Manni, an Italian citizen and director of a developing building company, has been awarded a contract in a public procurement procedure for the construction of a tourist complex in Lecce, Italy. Not long after, he found that the buildings of the complex were selling badly due to information available in the Company Register of Lecce showing that Mr. Manni has been the sole manager and liquidator of a company, which had been put into insolvency in 1992 and accordingly struck off the Company Register in 2005. This incentivized Mr. Manni to bring a claim before the Lecce Chamber of Commerce for the erasure, anonymization or blocking of the data, which he considered as highly outdated and causing damage to his reputation and to his present-day business activities.
After the dispute was transferred to the Court of Lecce, the judge upheld the claim and ordered the Lecce Chamber of Commerce to anonymize the data concerned. Following an appeal against that judgment, the Italian Court of Cassation decided to stay the proceedings in order to seek assistance for the resolution of the legal dispute before the CJEU. The questions focused on whether the company register is obliged, after a certain period of time has passed from the dissolution of a company, to erase, block or anonymize personal data upon request from the data subject.
Legal Context
The questions in the reference for a preliminary ruling concern First Council Directive 68/151/EEC on safeguards for the protection of the interests of company members and others (First Council Directive) and Directive 94/46 on the protection of individuals with regard to the processing of personal data (Directive 95/46).
In brief, the First Council Directive aims to harmonize the frameworks, regulating the disclosure of company information in different Member States in order to better safeguard the interests of third parties, engaging in commercial operations with companies throughout the whole EU. Article 2 of the First Council Directive obliges Member States to ensure as a necessary minimum the disclosure of, inter alia, information about each person who takes part in the administration, supervision or control of the company.
Directive 95/46/EC, on the other hand, aims to protect the fundamental rights and freedoms of individuals, and, more specifically, their right to private and family life and the right to protection of their data. Directive 95/46 should be interpreted in light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, which proclaims respect for private and family life and protection of personal data as two separate fundamental rights. Article 6, paragraph 1, subparagraph (e) of Directive 95/46 provides that personal data must be kept in a form which permits identification of data subjects for no longer than it is necessary for the purposes for which the data were collected or processed in the first place. Apart from this, article 12 of Directive 95/46/EC grants data subjects the right to obtain rectification, erasure or blocking of their personal data the processing of which does not comply with the provisions of Directive 95/46/EC.
CJEU’s View on the Matter
Navigating through this legal context, the CJEU’s task was to counterbalance the right to data protection of Mr. Manni against the right of third parties to consult this personal data since they carry specific interests to do so. The Court started with a preliminary note that despite being provided in a professional context, the data concerning Mr. Manni constitutes ‘personal data’ within the meaning of Article 2 (a) of Directive 95/46. Therefore, the CJEU started its analysis with a review on the legal grounds for the data processing by the company register, acting as a “data controller”[1].
First, CJEU concluded that the processing carried out by the company register satisfies several grounds for legitimation provided for in Article 7 of Directive 95/46/EC, and namely those, envisaged in subparagraph (c) compliance with a legal obligation, subparagraph (e) exercise of official authority or the performance of a task carried out in the public interest, and subparagraph (f) realisation of a legitimate interest pursued by the controller or by the third parties to whom the data are disclosed. (§42 of the decision)
Further, CJEU employed a fundamental rights approach by reviewing the facts of the case from the prism of Mr. Manni’s data protection right, proclaimed in Article 8 of the EU Charter of fundamental rights. It was reminded that this fundamental right has been largely implemented in Article 6 of Directive 95/46/EC. Article 6 sets forth the mandatory principles, which must be adhered to for each processing activity. One of these principles, as per subparagraph (e) of the Directive, sets forth that data must be kept in a form which permits identification of data subjects for no longer than it is necessary for the purposes for which the data were collected or for which they are processed (data retention period limitation). When a controller fails to comply with this requirement, data subjects have the right to demand their personal data to be erased by the controller under Article 12 of Directive 95/46/EC. Nonetheless, the right to be “forgotten” is not an absolute right. This is also confirmed by the existence of subparagraph (c) in Article 17 of the new GDPR, which sets forth exemptions where the right to erasure cannot be exercised due to the existence of other public or private interests in having that information.
This is exactly the CJEU’s line of thought, when analysing the aims of the processing, which helps bringing legal certainty in the relationships with commercial companies, which often provide to third parties no safeguards, other than their assets. Therefore, in order to ensure the desired level of legal certainty and to promote fair trade and proper functioning of the internal market, the commercial registry must contain not only company documents, but also information about the individuals, who are authorised to represent or bind the company. Furthermore, as correctly pointed by the advocate general, even after the dissolution of a company, the necessity to retain this information public would not disappear, since rights and legal relations relating to the company would continue to exist. CJEU also takes into account the heterogeneity of limitation periods applicable in various Member States, which may lead to a “range of possible scenarios” [2] where various questions requiring information about the persons, involved in the life of the company, may arise.
In light of the aforesaid, CJEU concludes that in the case at hand, the fundamental rights of Mr. Manni, namely the right to respect for private life and the right to personal data protection as guaranteed by Articles 7 and 8 of the Charter have not been disproportionately curtailed. First of all, only a limited amount of personal information has been disclosed in the register (information about identity and the respective functions within the company). Secondly, Mr. Manni has been aware of the obligation to disclose his personal information for an unlimited period of time to an unlimited number of people before choosing to participate in trade activities through the now insolvent company.
Therefore, CJEU reaches a final conclusion that Member States cannot envisage as a matter of principle, a single time limit as from the dissolution of a company, at the end of which a right to erasure can be successfully exercised. Such a decision should always be taken based on a case-by-case assessment. Yet, the Court does not deny the existence of specific cases where the significant time from the dissolution of the company, alongside other legitimate and overriding reasons, could exceptionally justify limiting third parties’ access to the data concerned. In this sense, the Court makes a remark that the mere fact the properties of a tourist complex do not sell because of potential purchasers of those properties having access to data in the respective company register, cannot be regarded as constituting such a reason.
CJEU’s conclusions and the increasingly important role of the right to be “forgotten”
The CJEU’s decision in the Manni С-398/15 case deserves a positive appraisal mainly because of the balanced arguments and the high pragmatic value of the final conclusion adopted by the Court. Unarguably, it is impossible to define a unified period after the dissolution of a company after which it is permissible for the right to erasure to be exercised (§55 of the Decision). This, without doubt, is a question, the answer to which must be given only on the basis of a case-by-case assessment.
Yet, there is one aspect of the case that seems to elude the Court in its detailed analysis. The decision lacks a thorough review about the proportionality of the interference with Mr. Manni’s fundamental rights against the right to information of third parties. CJEU has not given any weight to the fact that the personal data in the company register associated Mr. Manni with events, which have occurred more than twenty years ago. This circumstance significantly deprives the data concerned from its informational value. Furthermore, although in the majority of cases insolvency is caused by the personal actions of the managers of a company, this is not always the case. A company can become over-indebted or insolvent as a result from various other objective factors such as market conditions, commercial risk, the actions of other persons, participating in the administration, supervision or control of the company, etc. Despite its arguable accuracy and up-to-dateness, the data has served mainly discriminatory purposes, since third parties have consulted it in order to assess the creditworthiness of Mr. Manni instead of assessing his personal qualities as a businessman.
This can make one easily call the personal data in the company register “irrelevant” or “excessive in relation to the purposes of the processing”. This is actually the exact wording of the CJEU in its landmark decision on case C-131/12 - Google Spain and Google, which for the first time confirmed a right to be “forgotten” to Mr. Costeja González in regard to news articles for social security debts, which had been paid over sixteen years ago. Even though the Google Spain case did not show such significant public interest in preserving the access to the personal data concerned, as in Manni С-398/15, both cases share notably similar consequences of the processing for the data subject’s fundamental rights.
On a more general level, Mr. Manni’s case gives food for thought about the double-edged role of public registries in the information society. The emergence of big data and data analytics, will open doors for processing and cross-referencing public data (including information from public registries) with alternative data channels, in the pursuit of various legitimate and not-that-legitimate purposes. I.e. a credit institution could easily process the public data about Mr. Manni’s recent insolvency issue alongside his contact info in order to promote fast cash solutions or for some other direct marketing purposes. In a similar manner, Mr. Manni’s future employer could get his hands on the personal data in the public registry and use it in for the assessment of Mr. Manni's employability even before seeing him in person, without Mr. Manni even having the slightest idea why he had been turned down. These scenarios serve as an appropriate example of how personal data, which is made available to an indefinite number of persons by the virtue of a law, can be used for an indefinite number of purposes, thus breaching one of the main data processing principles of purpose limitation, envisaged in Article 6, Par. 1, subparagraph (b) of Directive 95/46. As demonstrated, circumventing the purpose-limitation principle can lead to the severe infringement of fundamental rights, such as the right to personal life and the right to informational self-determination. In this sense, all privacy precautions must be taken seriously in light of the current development of both e-Government and e-Justice in Bulgaria and the building of various public registries. The right to be “forgotten” will serve as an additional safeguard, where such precautions have been skipped for whatsoever reasons. Its official place in Article 17 of the newly adopted GDPR is an important step forward in the path to ensuring the fundamental rights of citizens in the digital environment. As one of the latest instruments in this framework, the right to be “forgotten” will gradually develop driven mainly by the case-law of both national and European courts.
You can find the full text of CJEU’s decision on the Manni case under the following link.This publication is originally written in Bulgarian language and most of the sources lead to texts in Bulgarian. In case of any questions on the English translation of the publication or the cited sources, do not hesitate to contact the team of LIBRe Foundation at: office@libreresearchgroup.org.
All publications and comments published on the LIBRe Stories platform can be quoted in other websites or in articles in the press subject to the condition of identifying the author, the publishing date and their source (URL address of the publication in question).
[1] As defined in Article 2, item d of Directive 95/46
[2] § 55 of the Decision