We may have a right to privacy, but do we have the right to be forgotten?
That’s the central issue in a landmark legal decision by Europe’s highest court, which recently ruled that Google must listen to individual complaints and — in some cases — remove links containing potentially offending information from its search engine results.
Don’t start dialing the Internet search giant just yet to demand that unflattering newspaper article be taken down, however. American law has a much different approach to privacy than European law, so the impact of the ruling won’t be felt immediately in Michigan — unless, of course, you work for an international company with operations in the European Union.
But the decision will require Google, Yahoo, Bing and other search engines, and maybe other businesses, to take a hard look at how they handle complaints, and perhaps exchange their current approach of “tough luck” for something more responsive to consumer objections.
Google as data controller
The May ruling by the Court of Justice of the European Union stems from a 2010 complaint filed by a Spanish citizen against a large daily newspaper, Google Spain and Google Inc. The man in question had defaulted on a loan in 1998 and had his home repossessed and auctioned off to cover his debts. Spanish law required a public notice of the auction, which was published in the La Vanguardia newspaper.
A decade later, doing a Google search with his name still brought Internet surfers to a link to the auction notice — long after his debts were discharged. He asked La Vanguardia to take down the link, but the paper declined. He complained to Spain’s data protection agency, which also declined to intervene, saying the information had been published lawfully.
So he switched tactics, filing a lawsuit against Google and the newspaper in which he argued that the issue was over and done with and should not continue to haunt him. The Court of Justice agreed with his “right to be forgotten” and took the somewhat extraordinary step of requiring Google to delete links to the offending information.
The decision recognized Google as a “data controller,” meaning it is subject to EU data protection laws where its branch offices operate. As a data controller, Google cannot be seen as a “neutral intermediary” but must be responsible for the content it links to.
In their ruling, the justices noted that the material in question could “appear to be inadequate, irrelevant or not longer relevant or excessive … in the light of the time that had elapsed.” Current EU data protection laws meant that even factual information legally published could “in the course of time become incompatible with the directive.” In this light, the court said that Google is required to police its links and put into place a mechanism to address individual concerns.
This is the first of 200-plus similar cases against Google currently making their way through the Spanish courts. For its part, Google responded that it was “a disappointing ruling for search engines and online publishers in general” and that it planned to “take time to analyze the implications” since it has no resource to appeal.
Financial, data implications
The implications — and potential costs — are staggering when you consider how much content Google touches. A more sensible result might have asked Spain to put “sunset requirements” on its public records, which would have allowed the newspaper to remove the notice.
As it stands, the ruling opens the door to hordes of unhappy online users petitioning for the deletion of content that is outdated, outmoded or just plain embarrassing. It could easily lead to websites, social media platforms and search engines reconsidering the way they handle links and shared information, putting into place expensive mechanisms for reviewing and complying with removal requests.
And it doesn’t necessarily stop there. For example, if a company maintains a database about customers, EU residents may have the right to request their names and information be removed. In fact, the EU is working on developing privacy regulations that expressly grant an individual the right to request personal data be deleted from a database — a potential right that is likely to be strengthened by this court decision.
While it will take some time to understand the full implications of this ruling, West Michigan companies with an international presence should consider how they would evaluate and implement a request to “forget” someone’s data.
Norbert F. Kugele is a partner at the law firm Warner Norcross & Judd LLP. He concentrates his practice on employee benefits and privacy and information security laws. He can be reached at firstname.lastname@example.org.