The ‘Right to be Forgotten’: Implications for European businesses
The European Court of Justice has ruled that individuals have the right to have search engine results removed, where they may affect privacy rights.
Going against the Advocate General’s recommendation, the ECJ concluded that Google’s search function meant that it acted as a ‘data controller’ within the meaning of the Data Protection Directive, even though Google did not actually control the information appearing on third-party websites. This meant that Google was obliged to comply with the data protection laws within the Directive.
The ruling has divided opinion, with some championing a victory for individual privacy, while others claim that it is akin to “marching into a library and forcing it to pulp books.” Whatever your view, it is clear that the decision has implications, not only for search engines but potentially for any content providers with European operations.
Google was held to be a ‘data controller’ because it “determined the purposes and means of the processing of personal data.” ‘Processing’ has a very wide meaning under the Directive, and includes, for example, the act of loading personal data on a web page. The practical upshot is that a business does not have to have control over the information itself in order to be considered a data controller for the purposes of the Directive; all that is necessary is for the business to have some control over when and where the data is displayed.
Companies must consider whether they are likely to be considered ‘data controllers.’ If so, they may be obliged to comply with data protection laws, regardless of whether they are the content provider.
The Implications for Businesses
Any company with EU corporate entities may be ‘caught’ by the EU ruling, even if the bulk of the business is outside the EU, and even if the servers performing the ‘data control’ functions are themselves based outside the EU. Essentially, if the goals of the EU entity are aligned or intertwined with the goals of the non-EU parent (as would be expected), and if the service is aimed at the EU market, then EU law might apply to the non-EU entity. Companies involved in functions such as the distribution of personal data, and who might therefore find themselves categorised as ‘data controllers’, should review their operations and structures accordingly.
The ruling also creates difficulty for companies looking to target their products or services at EU citizens, in that internet search findings will inevitably be impacted, with less complete results returned. This may make targeting those consumers that much more difficult. One way to surmount this would be to search using a ‘.com’ extension of your chosen search engine, rather than a ‘.co.uk’ or EU equivalent. This incidentally highlights a rather problematic limitation in the ruling; namely, that since it can only apply to the EU, search results on US versions of any website will be unaffected.
Companies may also need to review any links to third-party websites that they display on their own websites, as the inclusion of the link may not comply with the Directive. Even data that is initially considered to be acceptable may, with time, become incompatible with the Directive.
Finally, it is noteworthy that the ECJ gave very little guidance on how to implement the ‘right to be forgotten’. A company that qualifies as a data controller is therefore going to have to be very careful in how it goes about ensuring compliance.
The ruling is not without controversy, nor irony. The fact that the purpose of the ruling is so easily circumvented (by using American versions of web pages) is a problem difficult to rectify without resorting to draconian measures similar to those used in China. The irony, of course, is that Mr. Costeja Gonzalez, who initially brought the case to the courts, now finds the very information that he had wanted ‘forgotten’ widely re-publicised in the furore surrounding the case.
Nonetheless, any businesses with European operations should carefully consider their internet presence and policy in light of the new ruling, to ascertain whether they are at risk of being considered a ‘data controller.’ If a business falls under this definition, it should take steps to ensure compliance. Moreover, given that previously acceptable processing of personal data can become non-compliant with the lapse of time, companies may wish to consider the procedures by which they monitor the personal data that they process or disseminate.