There’s been a long standing dispute between the EU regulators and Google over whether it could be forced to remove links from its web search results. Today, the European Court of Justice issued a final ruling against Google. While this is being billed as a “right to be forgotten” victory, actually these words don’t appear in the court’s decision. It turns out that current EU regulations—the Data Protection Directive or DPD—gives consumers other powerful data privacy rights.
The case stems from a complaint made against Google back in 2010 by a Spanish man. On searching for his name, he discovered there were links to newspaper articles about his house being repossessed. He asked the Spanish DPA to remove the links. Eventually the case made its way to the central EU court—Google v. AEPD.
One of the nitty legal arguments Google unsuccessfully made was that it wasn’t a data controller. That’s a key point because it’s data controllers—the original collectors of consumer data—that have obligations under the DPD, including giving consumers the right to remove or change inaccurate data. In so many words, Google said it’s just processing data and would have no way of knowing it’s collecting personal data.
The EU Court of Justice found that Google and, by extension, any company that collects and publishes web data is a controller. And that while the articles linked to from Google weren’t inaccurate, the Court decided that EU citizens have basic privacy rights—i.e., The EU Charter of Fundamental Rights—that override the interests of generic Internet users in having that information.
This decision really puts not just search engine companies but all the social media services—in other words, Facebook—on notice. While we’re waiting for the new Data Protection Regulation to be finalized, it’s looking like the existing rules—which include data retention and minimization principles, along with the data correction and erasure rules—are still quite relevant and enforceable.