Google Spain v AEPD and Gonzáles and retention directive – European Court of Justice v Information Age
At first glance recent ruling by European Court of Justice in Google Spain v AEPD and Mario Costeja González was nothing but victory of privacy rights. Restriction in Google’s seemingly unlimited power in revealing or obscuring content related to personal data might be seen as a significant step towards transferring control over personal information back to those who are most interested in their flow. On the other hand isn’t it a form of censorship and ‘re-writing history’? As always with intersection of law and new technologies question remains whether there are technical means to implement the ruling – while everyone is aware that Google is able to control the search results content (eg SafeSearch) it appears that removing specific information about specific person is much more challenging – to begin with how many ‘Gonzalezes’ are there in Spain. Google v Gonzales is not first judgement of the year related to privacy and personal data. In April ECJ ruled that retention directive is invalid due to interference with fundamental rights – which from legal standpoint is even more interesting since at the time directive came into force, fundamental rights were not codified within European Union. However let’s begin with Google Spain v Gonzales.
Recent EP directive which replaced Council Framework Decision 2005/222/JHA at first glance doesn’t seem too differ much than retired document – specifically it attempts to push the law into territory of more sophisticated attacks without tinkering too much with already set guidelines and nomen omen framework. Most significant is probably mention of botnets. Approach to up-to-date network security problems gives hope of reasonable and professional law. Unfortunately, the directive copies many troubling solutions that were part of the original document.
Some attention should be paid to preamble, which in most cases is – and let’s face it – padding. Here however, it is important to get a grasp of thought process behind the law, as unfortunately its purpose is not always obvious. First of all, lot of pressure is directed towards larger scale, more economically damaging attacks, including mentioned botnets. It seems that current trend of cybercrime prevention will be set more to protect enterprise targets rather than individual, ‘private’ networks. Even though it might seem almost cliche – big corporation gets more from law than common citizens, it is hard not to agree with the assessment. Attacks on single computers are common and almost impossible to trace most of the time. Furthermore in purely quantitative terms, damages to economy are certainly more significant when companies are affected. It is almost needles to say that in modern times, with increasing reliance on digital services a successful breach can disable smaller company. Second, as usual with EP directives, need of harmonization is emphasized. Again, it is quite obviously fair point, especially because of borderless nature of cybercrimes. Perhaps more important point is underlining importance of providing adequate training for law enforcement and judiciary. In Poland problem of lack of qualifications becomes especially visible when dealing with lesser crimes. These are reported to local police stations, where common officers does not even know how to approach the subject. Observing current situation it becomes obvious that significant shift in policy is required – it is no longer possible to afford not to train every policeman in at least basics of cybercrime. Finally, compared to earlier act, part about respecting privacy and protecting fundamental rights has been extended. To what degree is it reaction to NSA leaks remains open case.