In a case that triggered a mass media storm, the European Court of Justice recently ruled that a Spanish man had the “right to be forgotten” in online searches.
Despite the widespread reports to the contrary, the court’s decision does not amount to an indiscriminate right to have personal data removed. Rather, the case reaffirms law which is already in effect and imposes that law on Google as a search provider and “data controller”. The law in question is that a data controller – meaning an organisation which determines the purposes for which and manner in which an individual’s personal data is to be processed – must only process data lawfully and for a legitimate purpose and must be satisfied that such data is accurate and relevant.
The case was very specific in that it applied to a search engine operator, of which there are only a few. It remains to be seen how the ruling may apply to other websites and online service providers. Nevertheless, it is a useful reminder that data controllers must process data lawfully and must consider any requests that personal data be updated, rectified or removed.
See below for further details on the case and commentary. The Information Commissioner’s Office has also published an interesting overview of what it has learnt from the EU judgment, which you can view here.
Mario Costeja González argued that a 1998 report about his repossessed property, which is still available online, was appearing in Google results and adversely affecting his reputation and financial status despite his finances now being in order. He argued that the information was now inaccurate and irrelevant and displaying it was an invasion of his privacy.
Google argued that it is merely a service provider and not a publisher, meaning it merely displays data which others publish and control and that it should not be held responsible for such data. However, the court disagreed and found that, under the EU’s Data Protection Directive, Google is both a data processor (because it accesses and processes data from other websites) and a data controller (because it has the power to decide how it uses and displays the data) and is therefore bound by the obligations set out in the directive.
Those obligations include a duty to ensure that all data held is accurate and, where necessary, kept up to date; to process data fairly and lawfully; and an obligation to consider and respond to any objection to the processing of data and/or comply with a request to have any non-compliant data (i.e. inaccurate or out-of-date data) corrected, erased or blocked.
Therefore, the court ordered Google to remove the relevant links and said that it – and other providers in the same position – should examine any future requests of this sort on its merits. Where a data controller does not grant the request, a data subject may take his or her case to a relevant regulatory or judicial authority.
This case is unusual for two reasons:
First, the court did not apply the same ruling to the original publisher – a newspaper – on the basis that the article had been lawfully published at the time and there is an exemption in the data protection laws for media organisations. Its justification for singling Google out rather than also applying the exemption to links to that data, was that Google brings various sources of information together into one service, enabling people to easily access a lot of personal data which they might not otherwise find.
Second, the court went against the opinion given by Advocate General Niilo Jaaskinen in June 2013. He said that Google should not be responsible for content published by third parties and that the Data Protection Directive does not establish a “right to be forgotten” but merely the right to rectification or deletion of incomplete or inaccurate data. He said that enabling the deletion of personal data at an individual’s request would amount to censorship.
It is difficult to assess the full effect of the case at this early stage but, for the most part, it does little to change the underlying EU and UK data protection laws. The key aspect is the confirmation that Google is a data controller like any other and must comply with the data protection laws.
Other online service providers who receive, store and process data are likely to be in the same position. It is important to emphasise that the ruling only applies to out-of-date (meaning information which is no longer relevant or applicable – details of Mr González’s property repossession in this case), incomplete or inaccurate data. Therefore, fears about a blanket “right to be forgotten” and censorship are unlikely to be realised.
Also, the court has said that the rights of the individual must be balanced against the wider public interest, so if there is an ongoing public interest in the data, it will not need to be removed.
Still, this ruling and the avid attention it has received, is likely to result in a spike in so-called “subject access requests” (a legal process by which individual’s request a copy of the data held about them) and requests to remove or edit personal data. Data controllers must consider these requests on their merits and respond accordingly. If you are a service provider but do not ‘control’ the data, the ruling may well not apply to you but you may still have to expend the time and resources to consider and respond to requests.
In any event, it may be that ongoing law reforms amend this area further in the future.
If you are a business handling personal data and would like further advice and information on data protection compliance, please feel free to contact a member of our Commercial team.