There is no right to be forgotten… However, under EU data protection laws, search engines are data controllers and data controllers are obliged not to process personal data (i.e. in their case display results) relating to individuals where such results point to content that is “outdated, irrelevant or excessive”. So effectively a person can ask a search engine to remove links to information about them and the search engine needs to decide whether the request falls into this category.
The same doesn’t necessarily apply to the originator of the content – the European Court of Justice case that made this decision related to a newspaper website (that for other legal reasons was able to continue to display the content) while the search engine (Google in this case and they are the ones most talked about and reportedly receiving most requests) was obliged to stop showing links to the content. Search engines’ categorization as data controllers is not affected by the fact that the data is available elsewhere or that they do not control the sources of the data.
Should we be surprised by the decision? Not really. In the EU a data controller is obliged to ensure that data processing is undertaken “fairly” and only where “adequate, relevant and not excessive” and to process a data subject’s data only for as long as necessary. If the processing is justified by legitimate interests of the data controller then this may be overridden if this conflicts with the fundamental rights and freedoms of the data subject. EU personal data rules are based on a “high level of protection” and may outweigh competing interests of the data controller, including economic activity and freedom of information. The decision wasn’t based on withdrawal of consent (in the particular case before the court, consent had never been given to the initial processing), nor on there being any harm to data subjects – but on the fact that the data subject enjoys this overriding right.
It would have been different had there been a public interest in the data processing – so for example a politician or public figure would be not normally to be able to use the rules to delink information because their personal interests would not necessarily override the legitimate interests of web users.
What is new is that a search engine might have been expected to be regarded as a mere intermediary or data processor while the controller of the data to whom such requests would normally be directed would be the website where the information is published (of course individuals can still do that – however the importance of search engines for the web is underlined by the fact that their not linking to the content is regarded as effectively enabling the content to be “forgotten”. EU E-commerce rules require an intermediary to take down “illegal” materials if it has effective knowledge of the illegality. However, on the facts of the case before the court the source publication of the information was entirely legal and so may continue to be published even if search engines must remove the links.
Finally, a key question was whether the legislation was applicable at all to a non-EU search engine such as Google which undertakes the data processing outside the EU. The EU rules apply to data controllers that process data “within the context” of a permanent establishment in the EU. The fact of Google having subsidiaries in the EU that are responsible for selling advertising around search results was deemed to be create an inextricable link between the processing and the activity of those subsidiaries such that EU data protection laws must apply.
Search engines (and Google in particular) have started to receive requests under these rules and are having to make the judgment as to whether links are “outdated, irrelevant or excessive”. Journalists and others have raised concerns that the rules are contrary to freedom of expression and in any event unworkable in a world where information is freely published in multiple places globally.
It may be that this situation is only temporary. A “right to be forgotten and to erasure” (which in conjunction with a clarified “right to object” to processing would cover withdrawal of consent to processing data voluntarily provided but also the types of situations covered by this decision) was proposed by the EU Commission in 2012 as part of the draft General Data Protection Regulations (see related post here). The Regulations would also clarify the point regarding jurisdiction over processing by non-EU data controllers. In July 2014 we don’t know whether this right will actually be adopted or in what form – or whether it will be adapted in the light of this decision.