(LONDON) Google – along with the rest of us – is still considering the implications of the European Court of Justice’s May 13, 2014 decision that Google must remove links to a newspaper article containing properly published information about a Spanish individual on the basis that the information is no longer relevant or accurate. This decision by Europe’s highest court is unappealable, so the Google Spain case is law throughout the European Economic Area (EEA) until changed by legislation (unlikely) or modified by the ECJ in a later decision (also unlikely).
To reach this conclusion, the ECJ found that:
Google is a data controller (and not merely a data processor) because it indexes information gleaned from the Internet in order to create its search results.
The information in question (which had to do with a government order that a house be put up for auction due to its owner’s failure to pay certain taxes) is protected personal data despite the information having been properly published at the time of its initial publication. (Ironically, the Spanish newspaper that initially published the information was not required to remove the article – Google just can’t include the article in its search results.)
Countervailing considerations such as the potential burden on Google that will arise from having to consider “right to be forgotten” requests and the interest of the public in having access to past public information are outweighed by the right of the individual to be forgotten.
From one perspective, this is just a search engine case, and the only companies that need to worry about it are search engine companies with some kind of business presence or technical facilities in Europe (which creates the nexus for the EU’s legal jurisdiction). And of course, historians might be worried, along with anyone else who thinks that public information should stay publicly available to safeguard freedom of expression, or the integrity of the historical record, or the democratic process, or the like. And EEA residents might even wonder what their life would be like if all search engines blocked off European results because the compliance burden outweighed the ad revenues – or, because, now that they are deemed to be data controllers, they couldn’t work out a way to comply with the Eighth Principle restricting transfers of personal data outside of the EEA . . .
No, the reasons that other (non-search) businesses, particularly in the US, should be concerned about the Google Spain decision are the following:
The EU notion of personal data is not the same as the US notion of private information. It is far broader and includes information obtained from public sources as well as information that an individual has voluntarily disclosed to the world. When you evaluate your company’s data collection and processing activities, you need to remember that, in Europe, personal data is virtually everything about, or written by, an individual, whether or not the information has already been made public.
The EU is unconcerned about imposing huge burdens on companies. Well, at least it’s unconcerned about imposing huge burdens on large companies that aren’t headquartered in the EEA – but it would be unwise to look at the Google Spain case as inherently exceptional. There’s a draft Data Protection Regulation making its way through the EU legislative pipeline that will levy fines for breaches in the order of up to 5% of global turnover. The draft Data Protection Regulation imposes very strict standards and processes on businesses that process personal data, and the Google Spain decision simply underscores that the balance of rights and interests in the EU is tipped firmly in the direction of the individual. Message to business? Get ready for the hammer. The Google Spain decision shows where it’s going to strike.