Google Spain v AEPD and Gonzáles and retention directive – European Court of Justice v Information Age
At first glance recent ruling by European Court of Justice in Google Spain v AEPD and Mario Costeja González was nothing but victory of privacy rights. Restriction in Google’s seemingly unlimited power in revealing or obscuring content related to personal data might be seen as a significant step towards transferring control over personal information back to those who are most interested in their flow. On the other hand isn’t it a form of censorship and ‘re-writing history’? As always with intersection of law and new technologies question remains whether there are technical means to implement the ruling – while everyone is aware that Google is able to control the search results content (eg SafeSearch) it appears that removing specific information about specific person is much more challenging – to begin with how many ‘Gonzalezes’ are there in Spain. Google v Gonzales is not first judgement of the year related to privacy and personal data. In April ECJ ruled that retention directive is invalid due to interference with fundamental rights – which from legal standpoint is even more interesting since at the time directive came into force, fundamental rights were not codified within European Union. However let’s begin with Google Spain v Gonzales.
The idea of right to be forgotten in EU dates back to 2012 when European Commission proposed a directive which would enable control of content related to personal data by users, including possibility of requesting deletion, aimed at helping ‘teenagers and young adults manage their online reputations’. Just as nowadays, opponents raised arguments of limiting collection of historical information and allowing form of censorship. Mr Gonzales however had much more precise request. The case was not about his whole online persona, just information related to his debts, which in fact had already been paid. He began by reaching Google directly, and then filed a complain to Spanish data protection office (AEPD – Agencia Española de Protección de Datos). The latter contained request for both removal of links from the google and search and removing the information from newspaper website which was the source of data. AEPD rejected claim in regard to newspaper, but upheld claim to google. As a result Google brought action against the decision to the High Court of Spain raising issues related to territorial scope of data protection directive, definitions of data processing and data controller and finally legality of removing legally published information. These questions were then brought to preliminary ruling before Court of Justice of European Union.
Court ruled that Google was processing data – which is hardly surprising given wide definition of the processing, was a data controller and by establishing subsidiary on the territory of Spain was under the scope of the directive, even if processing itself was not performed in Spain. Finally due to necessity of balancing rights to protection of personal data and privacy with rights of data controller allowed requests for erasure of data.
To comply google set up a form for the users to inform about their requests to be forgotten (which interestingly is quiet hard to find with google as it does not show up after entering “right to be forgotten google form”). Soon after form was used over 40000 times in four days following.
The debate which followed up ruling established two main trends of thought – either ruling gives back control of the data to the rightful owners who no longer have to worry about their reputation being damaged by unfavourable positioning of search results, or it is a first step towards censorship and almost Orwellian ‘improving’ historical records. It seems that there is a grain of truth in both approaches. Right to be forgotten has essentially become a double edge sword. Given the amount of data passed by users to various services (both social and others), without any chance of effectively removing them, it seems essential to have legal framework of tools available to have control of at least exposure of the data. Furthermore while opponents of the ruling claims that is is exactly like removing news pieces from newspaper archives, the archive does not position its catalogue. It is easy to imagine that news of someone being accused of crime is available much easier than news about the aquittal. On the other hand the requests in itself might cause significant Streisand effect, as it already happened with Mr Gonzales and others who are now listed on website collecting ‘forgotten’ sites. What about censorship? There is certainly a potential for abuse and removal true, but inconvenient results. Up to this day it is not known how exactly Google judges which requests are really within the scope of the ruling – however given general nature of Mr Gonzales’ situation it is difficult to imagine what would be excluded from removal. What is irrelevant? What is no longer relevant? Google requires listing arguments for removing each of urls, but it is impossible to tell whether legal team really leans over every request, carefully applying ruling to specific case.
The ruling seems like sharp turn forward privacy and digital rights in European law. Combining it with overruling of data retention directive, right after Sweden was fined for not implicating it in time picture of heavy influence of fundamental rights into digital world.