The Court of Justice of the European Union (CJEU) has ruled that Google must remove links to reports of Spanish citizen Mario Costeja Gonzalez’s social security debts. Google has reacted to this saying: “This is a disappointing ruling for search engines and online publishers in general”.
This is effectively an endorsement by the CJEU of the “right to be forgotten”. The EU Commission is attempting to introduce such a right as part of the General Data Protection Regulation but this ruling is based on the existing Data Protection Directive that data must be “adequate, relevant and not excessive” and “accurate and, where necessary, kept up to date”. The Directive has other guiding principles including that there must be appropriate technical and organisational measures to prevent unauthorised or unlawful processing. There’s also the one that everyone is familiar with, that data must not be transferred outside the European Economic Area unless to country with an adequate level of protection. That’s the one that gave rise to the US Safe Harbor.
There are a few interesting issues here. Some commentators have expressed surprise that the CJEU ruling applies to Google, a US-owned company which processed the information in California. But the CJEU said that Google has a Spanish presence to generate advertising revenues and this means the EU data laws bite. Also, others have expressed surprise that this allows an individual to edit their own (embarrassing) internet history. But again, that’s not new – that provision has always been in the Directive.
What’s interesting is that this ruling applies to a search engine
No, what’s interesting is that this applies to a search engine. You might think that the more logical approach would have been to attack the source of the information rather than a search engine operator. But, as the CJEU recognised, the information was published lawfully. This case was about information that is historically accurate but no longer up-to-date. Google doesn’t hold that information but it must prevent it from showing up in its search results unless that data is in the public interest or if it is necessary to remain online for the use of other people. How will search engine operators work that out? Will they evaluate each request in future? Or will they simply extend their complaints policy to include automatic removal of personal data on request? Will removing data from search results amount to a form of censorship? And will this ultimately affect the accuracy of search engines?
I’m all for protecting personal data but sometimes there are rulings that make me scratch my head. It’s also an interesting contrast to the US ruling recently forcing Microsoft to hand over data held in Ireland. The data protection battle continues…