Are search engines bound by European Data Protection rules?
Are search engines bound by European Data Protection rules?
This case considered some very real data protection issues in the context of the internet (specifically a search engine, in this case operate by Google) and the application of the Data Protection Directive (95/4/EC).
Without going into the lengthy legal battle in this case, essentially the complainant was attempting to get Google to delete historic adverse references to his personal financial situation that had been published in 2010 by a Spanish newspaper and subsequently digitally online. He argued that the financial situation had been resolved and that the continued reference to it through the Google search engine when people ‘googled’ him, was damaging.
Essentially three groups of questions were referred to the CJEU by the Spanish national court: the first concerns the territorial scope of the application of the European data protection rules; the second considers the issues regarding the legal position of search engine service provider as regards the Directive; and the third concerns the ‘right to be forgotten’ and whether or not individuals have the right to request that certain search results are no longer accessible.
The Advocate General ruled that although the Google search engine might be ‘processing’ personal data for the purpose of the Directive, Google is not the ‘controller’ of such data and accordingly national data protection authorities cannot oblige internet search engine providers to withdraw information from their indexes (subject to limited exceptions).
Regarding the ‘right to be forgotten’ the Advocate General considered this question in light of both the Directive and the Charter of Fundamental Rights of the EU. He concluded that the Directive does not provide for a general right to be forgotten simply because the data subject’s subjective view is that the dissemination of such data is damaging. He noted that a newspaper’s freedom of information protects its right to re-publish its own newspapers in a digital format and that data protection authorities cannot censure such re-publishing. He believed that an internet user’s right to information would be compromised if the search for information in respect of a person did not produce search results that provided a truthful reflection of the relevant web pages and that the data subject’s right to protect his private life must be balanced against other fundamental rights of freedom of information.
The interesting issue in this case is that this ‘right to be forgotten’ is one of the widely debated subjects of the Commission Proposal for a General Data Protection Regulation which is currently not in force. If the proposed new right becomes law (and the AG’s decision in this case is accordingly not followed) then potentially under the new Regulation, Google (and other search engine providers) could be subjected to an unmanageable number of requests from data subjects to remove links to their personal data. We wonder a) whether this is the intention of the right to be forgotten; b) how this will be policed in practice given that such requests are subjective and c) whether this eradication of lawfully published digital material might extend to the destruction of other links to personal data too?
Let the floodgates open…..