On 13 May 2014 the Court of Justice of the European Union (ECJ) ruled that Google is a “data controller” within the meaning of the Data Protection Directive 1995 [DPD] and as such it must remove references to an individual’s personal data where it is inaccurate, inadequate, irrelevant or excessive.
The consequence is that, while the internet remains a virtual library of information about everything, the index to this information can be edited on request, so that personal data cannot easily be found.
The case concerned Mr Costeja González who claimed that, when someone searched for his name on Google, the results included links to pages on the Spanish newspaper’s website La Vanguardia. Those pages referred to a real-estate auction organised following attachment proceedings for the recovery of social security debts owed by Mr González. Mr González said that the attachment proceedings had been fully resolved for some years and that therefore the reference to them in the Google results was out of date and irrelevant.
The ECJ held that Google as a search engine provider is the “data controller” in respect of the locating, indexing, storing and making available of information accessible on the internet, and that under the DPD Mr González has a right to rectification, erasure or blocking of that information, and a right to object to the processing of the information in certain circumstances. This has been termed a “right to be forgotten”.
The ECJ’s decision has sent shock waves through the online community as rights of privacy appeared to trump rights of free speech. This has led to accusations that the decision encourages individual reputation management, re-writing history and, ultimately, censorship.
However, the ECJ made it clear that while Google’s commercial interests in processing the information will not, as a rule, override an individual’s rights to privacy, a balancing of the individual’s rights and the interests of other internet users in accessing that information must be carried out. The interest in the public being able to access the personal information may override the individual’s interest in cases where the individual plays a prominent role in public life and being able to access the information is “in the public interest”.
The Information Commissioner has welcomed this decision as upholding the data protection rights of individuals. However, Google is now faced with an onslaught of requests to remove information. It is placed in the invidious position of having to act as judge and jury and balance the interests of the individual as against the public interest.
In a speedy response to the Court ruling, Google have created an online “Search removal request” form. When requesting a removal you have to explain how the web page in the search results is “irrelevant, outdated, or otherwise inappropriate”.
Google do not welcome being an arbiter of public opinion and indicate that they may seek guidance from the ICO as to how to apply the ruling. Also, Google may tell source websites that the link to the information has been removed (if it is); as can happen when a person takes legal action for defamation, there is a risk that seeking the remedy will attract more attention to the issue than might otherwise have been the case.
It remains to be seen whether Google will decide that it is easier to grant requests which appear to be genuine or to refuse requests unless and until a court order is obtained or further guidance issued by the data protection regulators. Questions remain as to what liability a search engine may face if it decides not to remove a link which a court later decides it should have removed.
Whatever the case, the ECJ decision to enforce a “right to be forgotten” is far-reaching and will continue be a key issue over coming months, not only for search engines but also for social media platforms and others who host content which includes personal data. It also highlights the direction of travel and focuses attention on the proposed new EU Data Protection Regulation, which has for some time included a specific “right to be forgotten” (re-branded in the latest draft as a “right to erasure”). Ironically, with this decision, the ECJ has found that this “right to be forgotten” – which for some time has been proposed and debated as a new development in data protection laws – already existed under the out-dated but still in force 1995 Data Protection Directive.
The Google request form can be accessed here.