An EU court has ruled that online firms must respect individuals’ “right to be forgotten” by removing “irrelevant” or outdated personal information from search results if requested, in a move which will dismay businesses.
The European Union Court of Justice ruling on Tuesday came in response to a Spanish man’s complaint against Google.
In 2010, Mario Costeja González found that search results for his name returned information from a La Vanguardia newspaper dating back 10 years, announcing an auction of his home in order to recover social security debts.
He argued that the proceedings had been resolved and so that specific information was “entirely irrelevant”.
The court agreed, sending down the following judgement:
“An internet search engine operator is responsible for the processing that it carries out of personal data which appear on web pages published by third parties Thus, if, following a search made on the basis of a person’s name, the list of results displays a link to a web page which contains information on the person in question, that data subject may approach the operator directly and, where the operator does not grant his request, bring the matter before the competent authorities in order to obtain, under certain conditions, the removal of that link from the list of results.”
Unsurprisingly, Google said the ruling was “disappointing” for “search engines and online publishers in general”.
“We are very surprised that it differs so dramatically from the Advocate General’s opinion and the warnings and consequences that he spelled out,” it added in a statement.
That Advocate General’s opinion came in June last year, when Court of Justice judge Niilo Jääskinen ruled on the case that Google would not be required to wipe search results if requested.
EU justice commissioner, Neelie Kroes, claimed in a statement posted to Facebook that the judgement “is a clear victory for the protection of personal data of Europeans”.
“Today's judgement is strong tailwind for the data protection reform that the European Commission proposed in January 2012 as it confirms the main pillars of what we have inscribed in the data protection Regulation,” she added.
“No matter where the physical server of a company processing data is located, non-European companies, when offering services to European consumers, must apply European rules.”
The “right to be forgotten” is a major pillar of the proposed EU General Data Protection Regulation, and commentators warned that its impact on businesses may be disruptive.
“This move may sound reassuring for individuals and their personal freedom; however, it also looks difficult to enforce on a large scale, and may be very disruptive for the functioning of search engines going forward,” argued Ovum analyst Luca Schiovani.
“These provisions should only apply to the direct controllers of personal data. Involving search engines for something they are not directly responsible for is likely to entail a burdensome cost, especially if the amount of requests of erasure should escalate in the future.”
Mark Brown, director of information security at Ernst & Young, added that the ruling will create “a severe headache” for many businesses as regulators finally play catch up on privacy laws.
“We would not be surprised if businesses are quaking in their boots at the thought of responding to a consumer ‘right be to be forgotten’ request. Ultimately, many have very little understanding of their own IT architecture which means compliance with this announcement would be very difficult until processes are changed,” he added.
"This announcement shows the EU believes end users should have control of their data. It is a very loud wake up call to all those businesses that are hovering up consumer data and hoarding it for their own benefit."
"This announcement shows the EU believes end users should have control of their data. It is a very loud wake up call to all those businesses that are hovering up consumer data and hoarding it for their own benefit."