Be honest: how many of us had ourselves forgotten that a profoundly important ruling from the European Court of Justice on the so-called "right to be forgotten" was imminent? That ruling, in the case of Google v the Spanish DPA, was finally handed down on 13 May and has significant implications for all online businesses (available here).
By way of background, the case concerned a Spanish national who complained to Google about online newspaper reports it had indexed relating to debt-recovery proceedings against him. When the individual's name was entered into Google, it brought up search results linking to newspaper announcements about these proceedings. The actual proceedings in question dated back to 1998 and had long since been resolved.
The matter escalated through the Spanish DPA and the Spanish High Court, which referred various questions to the European Court of Justice for a ruling. At the heart of the matter was the issue of whether an individual can exercise a "right to be forgotten" so as to require search engines to remove search results linking to personal content lawfully published on third party sites – or whether any such requests should be taken up only with the publishing sites in question.
The specific issues considered by the ECJ principally concerned:
- Whether a search engine is a "controller" of personal data: On this first question, the ECJ ruled YES, search engines are controllers of personal data. For this purpose, the ECJ said that it was irrelevant that search engines are information-blind, treating personal data and non-personal data alike, and having no knowledge of the actual personal data processed.
- Whether a search engine operated from outside the EU is subject to EU data protection rules if it has an EU sales subsidiary: On this second question, the ECJ ruled YES. Google wholly operates its search service from the US, but has a local sales subsidiary in Spain that makes online advertising sales to local customers. On a very broad reading of the EU Data Protection Directive, the Court said that even though the processing of search data was not conducted "by" the Spanish subsidiary, it was conducted "in the context of the activities" of that subsidiary and therefore subject to EU data protection rules. This is a particularly important point for any online business operating sales subsidiaries in the EU – in effect, this ruling means that in-territory sales subsidiaries potentially expose out-of-territory HQs and parent companies to local data protection laws.
- Whether individuals can require search engines to remove search results about them: Again, the ECJ ruled YES. Having decided that a search engine is a "controller", the ECJ ruled that an individual has the right to have search results about him or her removed if they appear to be "inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue". To this end, the ECJ said there was no need to show that the list of results "causes prejudice to the data subject" and that the right of the individual to have results removed "override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject's name".
Why this matters
This ruling is one of the most significant – if not the most significant – data protection rulings in the EU to date, and the findings of the ECJ will come as a surprise to many. A constant theme throughout the ECJ's decision was its clear desire to uphold European citizens' fundamental rights to privacy and to data protection, as enshrined in the European Union's Charter of Fundamental Rights, and it interpreted the EU's Data Protection Directive with this consideration in mind.
Few expected that search engines could be required to remove search results linking to material posted lawfully on third party sites, but that is precisely what the ECJ has ruled in this instance. Quite how this will work from a practical perspective is another matter: in future, when search engines receive a request to have personal data "forgotten" from their search results, they will have to tread a fine line in balancing the individual's right to be forgotten against other relevant contextual considerations such as "the role played by the data subject in public life" and whether "the interference with the fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question".
Put another way, search engines will need to act not just as gateways to information on the web, but also – in some circumstances – as censors preventing access to information based on objections received. This raises some very complex challenges in terms of balancing the right to privacy against the right to free speech that will clearly take time to work out.
Practical implications for online businesses
But it would be wrong to think that the relevance of this decision is limited to search engines alone. In fact, it has much broader implications for online businesses, including that:
- Non-EU businesses with EU sales offices risk exposure to EU data protection law: Non-EU data-hungry businesses CAN be subject to EU data protection rules simply by virtue of having local sales subsidiaries in the EU. This is particularly critical for growth businesses expanding into the EU through the set-up of local sales offices, a common model for international expansion.
- Data-blind businesses need to comply: Big data businesses CAN be subject to data protection rules, even if they are data-blind and do not distinguish between personal and non-personal data. A head-in-the-sand approach will not protect against risk – any data-ingesting business needs to have a clear compliance framework in place.
- Data deletion a priority: Individuals CAN require deletion of their data under EU law – businesses need to architect their systems to enable data deletion on request and to adopt appropriate data retention and deletion policies. Without these, they will face particular exposure when presented with these requests.
Taking into account the critical implications of this ruling, it's fair to say it's one that won't be forgotten soon!