Google – and anyone else providing links to personal information on the web – must delete stale and unwanted information about someone if asked to do so, Europe’s top court has decided. This is a landmark decision and not, by my reckoning, an entirely good one.
It’s not that I object to the principle of the so-called “right to be forgotten”, but rather that such a right is difficult to enforce in the context of an open internet. That said, in this particular case enforcement is not difficult. Confused? Read on.
The Spanish inquisition
The case in question dates back to 1998, when a Spanish chap named Mario Costeja González (there is an unfortunate Streisand effect at play here) was in financial trouble and his home was repossessed. A local newspaper called La Vanguardia published notices of the house’s auction, mentioning González by name. Fast forward to 2010 and González was keen to have that public record expunged, as it no longer mattered but came up whenever someone searched for his name.
Spain’s data protection agency, the AEPD, rejected González’s claim against the newspaper (which published the information lawfully) but upheld his claims against Google Spain and Google Inc., calling for the search engine to de-list references to the original articles. Google appealed and the Spanish courts asked the Court of Justice of the European Union (CJEU) to weigh in.
In its judgment on Tuesday, the CJEU confirmed that Google qualifies as a data “processor” and “controller” of its processing by virtue of its indexing activities, meaning the company has to abide by the provisions of the EU Data Protection Directive. The court also rejected Google’s rather spurious claim that, because it is headquartered outside the EU, it should somehow fall outside the directive’s scope.
Now here comes the kicker:
“… the Court holds that the operator is, in certain circumstances, obliged to remove links to web pages that are published by third parties and contain information relating to a person from the list of results displayed following a search made on the basis of that person’s name. The Court makes it clear that such an obligation may also exist in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.”
The ruling goes on to refer to striking the balance between the data subject’s rights and those of other internet users with legitimate interests in finding information, before noting that even data that was compatible with privacy rights when published can over time become incompatible.
So what’s the problem?
Firstly, there are some positive aspects to this ruling, chief among them the issue of territoriality. As European Commission privacy chief Paul Nemitz tweeted:
Ovum analyst Luca Schiovani also weighed in with a statement, saying that “involving search engines for something they are not directly responsible for is likely to entail a burdensome cost, especially if the amount of requests of erasure should escalate in the future.” A fair point, but not the biggest issue here – complying with local law comes with a cost, and if Google wants to operate in Europe it needs to suck it up. Generally speaking, privacy outweighs profits.
The major problem here is one of enforcement. González will now get what he wants, once the Spanish court acts on the CJEU’s ruling, but that’s only because Google has a monopoly on the European search market, with a share of more than 90 percent. Stop Google from linking to the repossession articles and they are as good as gone, but how would this work in a more competitive search market?
Would a data subject who wants information expunged need to go to each major search provider? What about the minor ones? What if a future search engine operates on a distributed basis, rather than in a centralized fashion as Google does today? What if there’s simply nobody to contact about a problem? And what is the point of muzzling the gatekeepers if the source material remains online?
For other problems with the “right to be forgotten” concept, it’s also worth looking back at a 2012 report by Europe’s cybersecurity agency ENISA, which pointed out that EU laws can’t be enforced against companies that hold the relevant data (or data derived from that data) but that don’t have a real EU presence. That report pretty accurately foresaw today’s ruling, noting: “A possible partial solution may be a legal mandate aimed at making it difficult to find expired personal data, for instance, by requiring search engines to exclude expired personal data from their search results.”
That’s only a partial solution, though – it won’t do the job the “right to be forgotten” sets out to do, and may cause more problems than it solves. What goes onto the internet can be copied and moved all over the place, and if you really want to be able to track down and delete data, you need to institute a metadata tracking system that would run completely counter to privacy rights. Then there are the potential implications for free expression, which the ruling mentioned but not with great weight:
Let’s not even talk about the fact that the right to be forgotten is only supposed to brought in by an as-yet-unfinalized revision of the Data Protection Directive — the CJEU appears to have decided that it logically follows on from what’s already there, which is… interesting.
In short, I find the CJEU’s ruling well-meaning but short-sighted, and am a bit nervous about how Europe’s national courts will decide to apply it.