acm-header
Sign In

Communications of the ACM

Law and technology

A Right to Be Forgotten?


A Right to Be Forgotten? illustrative photo

Credit: Andrij Borys Associates / Shutterstock

Court decisions in the field of data privacy rarely make a durable impression on the general public. And European court decisions in any field rarely cause a stir outside Europe. An exception on both counts is the May 2014 decision by the Court of Justice of the European Union (EU) ordering Google to suppress certain Internet search results for privacy-related reasons.1 Popularly characterized as establishing a "right to be forgotten," the decision is unlikely to fade quickly from public memory, either in Europe or many other regions. Since the decision was handed down, its merits have been debated worldwide.

Back to Top

Lines of Debate

Some of the debate has been unnecessarily fueled by misunderstanding of the decision, not least regarding the right it is said to uphold. Although the decision has been commonly flagged as establishing a right to be forgotten, this is a misnomer. The decision does not establish a right to be forgotten. Rather, it upholds a qualified right to be de-indexed, or, more specifically, a qualified right not to figure in a public index of search results. Nonetheless, when put into effect, the right makes certain personal information more difficult to find and thus serves, indirectly, an interest in being forgotten.

At a very general level, the lines of debate over the decision revolve around the balance to be drawn between privacy interests and free speech interests. More particularly, the primary issue concerns the degree to which information about a person's past life ought to be made easily accessible online even when the information has diminished relevance for assessing the person's present life and would be difficult to find offline. Less salient but also significant is the issue as to what extent online mechanisms for data search and retrieval should emulate the standards of the (past) offline world. The importance of both issues is sharpened in an era when the spread and relative indelibility of online data makes it extremely difficult to "let bygones be bygones."

Both issues obviously call into question the role played by Internet search engines, particularly the legal responsibility the search engine operators ought to bear for the search results they generate. Google has usually portrayed itself in this respect as merely a medium for locating and presenting data. And, as such, it has tended to argue that it should escape legal liability for privacy-related harms arising from the information its search engine helps to disseminate. In May last year, the EU court decided otherwise.

Back to Top

Super Mario vs. Googledom

The factual background for the court's decision is briefly as follows: a Spanish lawyer, Mario Costeja Gonzáles, had to sell off some of his property in insolvency proceedings in the late 1990s. A Spanish newspaper reported on the proceedings at the time, and was indeed required to do so under Spanish law. Gonzáles resolved his financial problems, but when the newspaper later established an online service, its reports of the property sale became accessible by googling Gonzáles' name. In 2010, he asked the newspaper to remove the information from its online service but the newspaper refused—a stance subsequently vindicated by Spanish authorities. He also requested that Google remove search results relating to the information concerned. Google's refusal to do so led to the litigation that eventually ended in it sustaining a serious blow before the EU court.

The essence of the court's decision is that European data privacy law obliges Google to suppress search results revealing personal data that is, in the court's words, "inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue carried out by the operator of the search engine." This is so even when the data remains lawfully published by the websites to which the search results point.

Back to Top

Google as Mere Medium?

A key question in the litigation was Google's status as a search engine operator under European data privacy law. In particular, was Google to be regarded as a "controller" of the personal data inhering in the links indexed by its search engine? The controller role kicks in when the entity concerned helps to determine the means and ends of data processing, and it enhances the entity's legal responsibilities for the data. Google argued it could not be a controller since it is, in effect, merely acting in a robotic capacity and exercises negligible control over the content of search results. The court disagreed. It thereby cast upon Google a raft of duties under European data privacy law. One such duty, the court held, is to effectuate justified requests to suppress search results in which certain types of personal data inhere.

Back to Top

Competing Interests

In holding Google to account, the court rightly paid little regard to the company's successful business model. Google's economic interests were judged as secondary to the data privacy rights of the persons who figure in search engine results.

As for free speech interests, the court acknowledged that these must be taken into due regard when assessing whether search results ought to be suppressed. And it stated that suppression requests may be trumped by "the preponderant interest of the general public in having ... access to the information in question." Yet, apart from observing the heightened risks to data privacy owing to the Internet's capacity to make search results ubiquitous, the court was remarkably silent about the broad implications of its decision for use of the Internet as a global communications network. For this, the court has justifiably attracted much criticism.


A key question in the litigation was Google's status as a search engine operator under European data privacy law.


One such implication is the decision's potential to exacerbate 'Balkanization' of the Internet by accentuating regional differences in what information can be easily accessed online. Indeed, following the decision, Google has been suppressing search results generated through its European domains but not through google.com or its other non-European domains.2 It is questionable, though, whether the decision permits this practice.

The court also failed to address the practical consequences of the de-indexation right. Over the first five months after the decision was handed down, Google received approximately 143,000 de-indexation requests related to 491,000 links.2 Yet, the court's decision ignores the problem of how to effectuate efficiently but fairly these requests and the thousands more that will follow. It gives scant guidance on the assessment criteria that ought to apply. And it overlooks the issue as to whether a search engine operator is suitably placed to engage in the delicate balancing exercises that such assessments frequently require. These omissions have rightly amplified irritation with the decision.

Nonetheless, Google and other major search engine operators are far from being 'babes in the woods' in this area. They already have experience in handling massive amounts of de-indexation requests related to alleged infringement of intellectual property rights. While the assessments required by those sorts of requests are qualitatively different from privacy-related assessments, the logistics are similar. And European data protection authorities have shown willingness to assist—for instance, in drawing up guidelines to ensure consistency in assessing de-indexation requests.

Back to Top

The Decision in Context

The Gonzáles case is not the first time the EU court has fired across the path of Internet-related technology deployment. Two years earlier, it shot down two proposals in Belgium to employ deep packet inspection aimed at preventing copyright infringement through peer-to-peer file sharing.a The Gonzáles case, though, is the first time the court has fired directly at a commonly used Internet mechanism. It is also the first time it has fired, albeit more indirectly, at a basic element of the eminently successful "Internet economy."

Yet, for those who have followed the development of the court's jurisprudence on data privacy over the last decade, the decision in the Gonzáles case is not unexpected. The court has been increasingly prepared to subject data-processing operations that affect privacy to stringent proportionality assessments. This reflects the fact that, under EU law, protection of personal data is a fundamental right in itself.b Thus, data privacy must be treated on an equal par with other important human rights, such as freedom of expression. Another factor, though one less recognized, is a long-running strand of scepticism within European data privacy law toward fully automated decisions that impinge on personal interests. We see this scepticism manifested, for example, in the 1995 EU Data Protection Directive, which gives a person the qualified right to object to certain types of fully automated decision-making processes that are based on profiles of their character.c Such scepticism made it more difficult for Google to legitimize its search engine operations as value-neutral, robotic applications of algorithms.

The rhetorical battlelines over the decision's pros and cons have largely followed the transatlantic divide. This far from surprising. The relationship between the U.S. and Europe has long been plagued by disagreement over regulatory policy on data privacy. Although sharing some common ground, U.S. and European approaches to data privacy regulation diverge significantly. The U.S. approach is generally less restrictive than the European. Transatlantic tensions in the field have simmered over the last 30 years. They are now close to a boil as the EU considers introducing a new General Data Protection Regulation to replace the 1995 Directive. The proposed Regulation, which is intended to be adopted later this year, contains a number of controversial rights, including an enhanced right of data erasure that has been trumpeted (somewhat mis-leadingly) by the European Commission as a 'right to be forgotten'. Some U.S. government officials have warned of a new trade war if certain rights in the proposed Regulation, such as the putative right to be forgotten, are not watered down.3

However, the fate of the proposed Regulation is tied to the mast of the EU court's case law on fundamental rights. And the judgment in the Gonzáles case has tightened those ropes. Thus, we are unlikely to see in the near future any significant diminishment—at least formally—of Europe's de-indexation dig-in.

Back to Top

References

1. Judgment of May 13, 2014 in Case C-131/12, Google Spain SL and Google Inc v Agenda Española de Protección de Datos (AEPD) and Mario Costeja González.

2. Scott, M. Google details requests in Europe 'to be forgotten.' International New York Times (Oct. 10 2014), 16.

3. U.S. Diplomat Warns of "Trade War" if "Right to be Forgotten" Proposals are Followed Through. Pinsent Masons: Out-Law.com (February 4, 2013); http://bit.ly/1sNMlry.

Back to Top

Author

Lee A. Bygrave ([email protected]) is Professor of Law and Director of the Norwegian Research Center for Computers and Law at the University of Oslo. His most recent books are Data Privacy Law: An International Perspective (2014) and Internet Governance by Contract (2015), both published by Oxford University Press.

Back to Top

Footnotes

a. See its judgments of November 24, 2011 in Case C-70/10, Scarlet Extended v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM) and its judgment of February 16, 2012 in Case C-360/10, SABAM v Netlog.

b. See Article 8 of the Charter of Fundamental Rights of the European Union [2010] OJ C83/389; Article 16 of the Treaty on the Functioning of the European Union [2010] OJ C83/47.

c. See Article 15 of the Directive.


Copyright held by author.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2015 ACM, Inc.


 

No entries found