In what many are calling an historic decision, the European Union’s highest court has ruled that Google must provide users, in certain instances, with a right to delete links about themselves, including in some cases, public records.
The European Court of Justice (ECJ) said the automatic indexing of information that contains personal data “must be classified as ‘processing of personal data’” and that “the operator of the search engine must be regarded as the ‘controller’ in respect to that processing…” Additionally, “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person,” even “when its publication in itself on those pages is lawful.”
An individual’s fundamental rights, the court also ruled, override “the economic interest of the operator of the search engine but also the interest of the general public” in having that information. The exception would be the role played by the subject in public life and if the general public’s right to access the information is justified.
On leave from her role as European justice commissioner, Viviane Reding said, “Companies can no longer hide behind their servers being based in California or anywhere else in the world” and that “the data belongs to the individual, not the company.”
In comments provided to The Privacy Advisor, German Green Member of Parliament and architect of the proposed data protection regulation Jan Philipp Albrecht said the ruling “is the right decision” and that it “clarifies that European data protection law is applicable as soon as a data controller is operating on the European market.” He also stressed the importance of adopting “a uniform and consistent data protection regulation in order to strengthen the enforcement of such rights in all areas of the law and throughout the EU” and that governments “must finally deliver on this issue at the next Justice and Home Affairs Council in June.”
Companies can no longer hide behind their servers being based in California or anywhere else in the world.Viviane Reding, European Justice Commissioner
For some, however, the fact that existing legislation provides for the right to be forgotten puts in question the need for a new regulation at all. Richard Cumbley of Linklaters told The New York Times, “Given that the EU has spent two years debating this right as part of the reform of EU privacy legislation, it is ironic that the ECJ has found it already exists in such a striking manner.”
But Wilson Sonsini’s Christopher Kuner said this ruling could actually provide further impetus to pass the proposed General Data Protection Regulation, as it more clearly spells out the Right-to-be-Forgotten concept and is more uniform in its application. Right now there are 28 different countries with 28 different privacy regimes. “If I were a company,” he said, “I’d say bring on the regulation because at least there’s a specific article on this, but today’s ruling is based on multiple articles” from the Directive.
Calling the decision “a real game-changer,” privacy expert Eduardo Ustaran, CIPP/E, told The Privacy Advisor, “As a result, search engines operating in Europe will now have to deploy measures to deal with the obligations and rights attached to the personal information revealed in searches.”
Operationally, this will “put search engines in the extremely onerous position of having to take a view on how to comply with potentially millions of individual requests.” In a 2012 article for The Privacy Advisor, a number of experts detailed some of the technical problems companies may face in implementing such controls.
The case goes back to a 2009 incident involving a Spanish citizen who objected to having a Google search of his name include a 1998 Spanish newspaper article that reported on his financial debts and the forced sale of his property. The plaintiff said he had resolved the financial issue and demanded that the local newspaper delete the links to the story. When it refused, the plaintiff asked Google to do the same. The case made its way to the Spanish data protection authority, which ordered Google to remove the links. Google challenged the DPA’s ruling and the case was finally referred to the ECJ.
The most recent ruling contrasts with a preliminary ruling in June 2013 by the ECJ’s Advocate General Niilo Jääskinen, who decided Google did not need to delete the links because it was not the “controller” of data and that information should only be deleted when the personal information is either incomplete or inaccurate.
In the past, Google has argued that the right to be forgotten amounts to censorship. A Google spokesman told Wired, “This is a disappointing ruling for search engines and online publishers in general. We are very surprised that it differs so dramatically from the advocate general’s opinion and the warning and consequences that he spelled out. We now need to take time to analyse the implications.”
The ECJ ruling has some up in arms about potential freedom of expression and censorship concerns. Ustaran said, “Whilst the court does not go so far as letting people share their online persona without taking freedom of expression into account, it allows some form of tailor-made censorship.”
George Mason University’s Adam Thierer went further, arguing, “Right-to-be-forgotten efforts are well-intentioned and seductive, but ultimately, they will require onerous censorial controls that place serious pressure on free speech, journalistic pursuits and net freedom more generally.”
As legal experts begin parsing out the legal ramifications of the ruling—Patrick van Eecke takes an initial swing in this post for The Privacy Tracker—ultimately, commenters agree, the ripples will be felt for some time.
Technologically speaking, Prof. Joel Reidenberg points out that algorithms are at play here as well.
ECJ decision http://t.co/xkjJGY0BV8 means automated algorithms are not shield against privacy rights. #privacy
— Joel Reidenberg (@jreidenberg) May 13, 2014
Kuner said there remain a lot of unanswered questions and that this ruling “opens the door to many unintended consequences.”
Beyond Google, what other companies will this apply to? If your website has a Google search bar in it, does that make you a co-controller? He also said the ripple effect will not only place an administrative burden on search engine companies, but on the courts and data protection authorities as well. Will they have the resources to deal with a flood of complaints?
“In summary,” Ustaran concluded, “this decision could have very serious implications for the way in which we all access information on the Internet.”
If you want to comment on this post, you need to login.