EU High Court Ruling for Privacy Sends Shock Waves through Internet (5/14)     Print Email

By James D. Spellman, Principal, Strategic Communications, LLC

Europe’s highest court has strengthened privacy safeguards by requiring Google to remove when requested Web links for individuals, setting a precedent that gives credence to the “right to be forgotten” on the internet, a right the European Commission wants to introduce explicitly into law.[1]

In its surprise ruling overturning a preliminary decision, the European Court of Justice said “an internet search engine operator is responsible for the processing that it carries out of personal data which appear on web pages published by third parties.”[2] Hence, an individual may ask the search engine to remove the links. Companies like Google could be “obliged to remove links to web pages” unless there are “particular reasons, such as the role played by the data subject in public life,” not to.   This is true even when the original “publication in itself on those pages is lawful,” the court said.

If this request is not fulfilled, the individual can “bring the matter before the competent authorities…to obtain, under certain conditions, the removal of that link from the list of [search] results,” the court said.  The court emphasized the need to strike a balance between privacy and the ”legitimate interest of internet users potentially interested in having access to that information.”

The foundation of the court’s decision is the Commission’s 1995 Data Protection Directive requiring member-countries to provide citizens with a means to have “erased or rectified” “inaccurate or incomplete data.”[3] Personal data collectors are held “accountable” for adhering to the directive’s seven principles.

While noting that it needs to “take time” to study the implications, Google said it was “a disappointing ruling for search engines and online publishers in general.... We now need to take time to analyze the implications.”

“It could result in giving people a line-item veto over results on searches about themselves,” said Jonathan Zittrain, a professor at Harvard Law School, in the New York Times. “Some will see this as corrupting. Others will see it as purifying.”

“The court was very careful to say this is not a carte blanche,” said Viktor Mayer-Schönberger, professor of internet governance and regulation at Oxford University, in the Financial Times. “You would have to file a request with a data protection authority, who has to balance the public interest right” for the information to stay on the search engine. The "practical implications will be limited because it still requires individuals to make claims and vigorously pursue them not shying away from spending time and money. Only few will do so."

In his book, Delete: The Virtue of Forgetting in the Digital Age, Mayer-Schonberger expresses concerns that the Internet’s easily retrievable, ever-expanding, seemingly permanent memory may pose unnecessary harm to individuals who may suffer the consequences of old, unfavorable information that while accurate is no longer valid or relevant. "Forgetting is at least in part a constructive process of filtering information based on relevance," he writes. “More and more Internet users want a little of the ephemerality and the forgetfulness of the pre-digital days,” he told the New York Times. “They don’t want their drunken pictures to follow them the next 30 years.”

In January 2012, the European Commission published plans for a "right to be forgotten" law (Articles 17 and 21), allowing people to request that data about themselves to be deleted. The plans are part of a wide-ranging overhaul of the commission's 1995 Data Protection Directive. This “right” would be applied to “any information relating to a data subject” for three categories of information: information a person personally provides and now wants removed; information previously provided by a person that is reposted and that person referenced in this information now wants it removed; and information about a person posted by a third party, such as a newspaper. The latest drafts suggest the proposal has been watered down.

“If an individual no longer wants his personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system,” explained the European Commissioner for Justice, Fundamental Rights, and Citizenship, Viviane Reding.[4] “The right to be forgotten is of course not an absolute right. There are cases where there is a legitimate and legally justified interest to keep data in a database.”

Critics have focused on the proposal’s provisions and the implications for free speech.

George Washington University Law Professor Jeffrey Rosen argues that the proposal itself fails to contain the “explicit provisions that ensure the respect of freedom of expression and information.” The proposal is “not limited to personal data that people ‘have given out themselves’; instead, they create a new right to delete personal data, defined broadly as ‘any information relating to a data subject.’”[5]

Free speech concerns are many.[6] “From a free expression perspective, we’re very concerned,” said Justin Brookman, director of the Center for Democracy and Technology’s Project on Consumer Privacy, in the Wall Street Journal. “I am worried about the ability of people to eliminate truthful facts about them from the Internet. Will newspapers have an obligation to redact old press stories if the personal facts become less relevant to the general public over time?”

Technical criticisms abound, too, as voiced by European Network and Information Security Agency (ENISA).   How does the right apply to data that “can be used to identify a person with high probability but not with certainty”? To “aggregated and derived forms of information”? What must search engines do to “forget” the information?[7]

The timetable for EU finalization of a new directive is on hold until after the parliamentary elections in late May.

 



[4] Viviane Reding, Vice President, Eur. Commission, “The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age”, January 22, 2012.   Available at: http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/12/26&format=PDF . “ The right to be forgotten is of course not an absolute right. There are cases where there is a legitimate and legally justified interest to keep data in a database. The archives of a newspaper are a good example. It is clear that the right to be forgotten cannot amount to a right of the total erasure of history. Neither must the right to be forgotten take precedence over freedom of expression or freedom of the media. The new EU rules will include explicit provisions that ensure the respect of freedom of expression and information.”

[5] See, for example: Jeffrey Rosen, “The Right to be Forgotten.” The Atlantic. July/August 2012. Available at: http://www.theatlantic.com/magazine/archive/2012/07/the-right-to-be-forgotten/309044/ Also: Jeffrey Rosen, “The Right to be Forgotten.” February 13, 2012.   64 Stanford Law Review Online 88. Available at:

http://www.stanfordlawreview.org/online/privacy-paradox/right-to-be-forgotten .

[6] Katharine Larsen, “Europe’s ‘Right to Be Forgotten’ Regulation May Restrict Free Speech.” American Bar Association, First Amendment and Media Litigation. Fall 2012/Winter 2013, Vol. 17 No. 1 . Available at:  http://www.lskslaw.com/documents/EuropesRighttoBeForgottenRegulationMayRestrictFreeSpeech%2800588595%29.PDF .

[7] ENISA, “The right to be forgotten - between expectations and practice.” November 20, 2012. Available at: http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/the-right-to-be-forgotten