ECJ's right to be forgotten ruling against Google: a sign of things to come?
27 May 2014
A recent European Court of Justice (ECJ) ruling against Google could have far-reaching implications for data protection negotiations in Europe and all data-driven businesses that operate within the European Union.
On 13 May, the ECJ ruled in favour of the Spanish National Data Protection Authority and Spanish citizen Mario Costeja González, in a landmark case which upheld an individual’s right to be forgotten.
The ECJ confirmed that Google must delete personal information about González linked on its search results from a 1998 Spanish newspaper relating to debt-recovery proceedings against him or risk facing a fine. The ECJ held that an operator of a search engine is under an obligation under the 1995 Data Protection Directive to remove personal information from a list of search results when asked to do so by the individual in question.
This ruling could be a game-changer not only for search engines but for any organisation that uses data in its day-to-day activities. The ECJ ruled that an individual has the right to have search results about them removed if they appear “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue”.
Data privacy vs freedom of expression
What appears to be a victory for the individual’s right to privacy is a blow for the freedom of expression and we could see search engines turn into unwilling censors. Since the ruling Google has been flooded with requests from individuals to have personal information deleted (1,000 in the first three days after the ruling) including a former MP seeking re-election and convicted criminals.
The ECJ acknowledged that the initial processing of the personal information by the internet search engine may be lawful but, as in the case of González, the processing of such information may after a period of time become unlawful because the personal information is no longer relevant. The court held that the information in this case was no longer relevant after 16 years. The court acknowledged that such information might be relevant if the individual had a role in public life such as a politician. However, the individual is not required to show that they are prejudiced in order to exercise the right to have personal information blocked.
The ruling, and the media attention it has received, will lead to greater awareness among consumers of their rights and businesses could be flooded with requests for the deletion of personal data in the future.
Search engine as a controller of personal data
The ECJ held that an internet search engine is a data controller because it is processing personal information automatically as it explores the internet constantly and systematically in search of information which it publishes on its links. The search engine is responsible even though it is simply linking to information published on the web by other parties. This has implications for all businesses that process data in this way – even if they don’t distinguish between personal and non-personal data.
Businesses based outside the EU subject to EU data protection rules
The High Court of Spain asked the ECJ whether Spanish national data protection law was applicable given that Google Inc is based in the USA. The ECJ held that the Spanish national data protection law was applicable because Google Spain sold advertising space offered on Google Inc.’s search engine to organisations and individuals based in Spain.
Implications for the negotiations on the draft EU Data Protection Regulation
The decision of the ECJ seems to reflect the extension of the right to erasure (previously known as the right to be forgotten) in the draft Regulation. It also appears to take account of the provision in the draft Regulation that EU data protection law should apply to the processing of an EU citizen’s personal information no matter where in the world the processing takes place.
What are the implications for DMA members?
If a member is a subsidiary of a parent company located outside the European Union but is selling services on behalf of the parent company then it may be held based on this judgement to be a data controller within the EU and therefore subject to the national data protection legislation of the member state where it operates. Individuals can require the deletion of their data under current EU data protection law so it would be wise for all businesses that handle personal data to put systems in place to allow a business to delete an individual’s details on request. Google is reportedly preparing an online tool to enable individuals to request that search results about them are removed. A Google spokesman said: "The ruling has significant implications for how we handle takedown requests. This is logistically complicated – not least because of the many languages involved and the need for careful review. As soon as we have thought through exactly how this will work, which may take several weeks, we will let our users know."
The DMA will keep members updated of the implications of this case and the negotiations on the EU draft Data Protection Regulation.
James Milligan, Solicitor, DMA
Please login to comment.
Comments