EU: Google Has to Let You Be 'Forgotten'

Once it’s on the internet, there’s no getting it back. Google your own name and you might be surprised at what results appear, and in what order. Perhaps an old news story sits above your own web page; maybe that dodgy Facebook photo trumps the headshot you had specially taken.

But the European Union is turning that idea of irretrievable data on its head with a court ruling today that backs the “right to be forgotten.”

This idea, touted by the EU since 2012, is that individuals—particularly those not in the public eye—should have more control over their own data. Where information about themselves online is irrelevant or outdated, they should be able to request its removal, even if it was published perfectly legally.

It’s obviously fraught with complications on both sides of the debate, but the ruling is a strong assertion of an individual’s power over their own information in the face of modern life's data deluge. The case in question was referred to the European Union Court of Justice after being upheld by one of Spain’s top courts: In 2010, Spanish national Mario Costeja González brought a complaint against Google regarding the information that appeared when people searched for his name.

Specifically, googlers would be referred to pages from local newspaper La Vanguardia from 1998, which revealed that González had had his home repossessed. The Spanish data protection agency AEPD ruled that Google had to remove those results as they were no longer relevant.

Unsurprisingly, Google refused and a legal tussle ensued—but the decision has been upheld.

The first obvious point of disagreement is over what responsibility Google has over the data it organises. Again and again, Google has insisted that it isn’t responsible for the information it works with. But in its decision, the Court firmly stated that search engines do enough to be considered “processors” of information under an EU directive that protects people’s private data. A statement from the Court explained:

In today’s judgment, the Court of Justice finds, first of all, that by searching automatically, constantly and systematically for information published on the internet, the operator of a search engine ‘collects’ data within the meaning of the directive. The Court considers, furthermore, that the operator, within the framework of its indexing programmes, ‘retrieves’, ‘records’ and ‘organises’ the data in question, which it then ‘stores’ on its servers and, as the case may be, ‘discloses’ and ‘makes available’ to its users in the form of lists of results. Those operations, which are referred to expressly and unconditionally in the directive, must be classified as ‘processing’, regardless of the fact that the operator of the search engine carries them out without distinction in respect of information other than the personal data.

The ruling points out that, without Google, the information and its link to the private individual in question would be a lot more difficult—perhaps even impossible—to find. And given the impact your internet profile can have, the Court argued that interfering with people’s rights to privacy “cannot be justified by merely the economic interest which the operator of such an engine has in that processing.”

While Google has previously cried censorship to calls for it to remove data, it’s interesting to note that the Spanish and European Courts did not rule that the paper which initially published the information should delete it. So the information will still be available for people who really look for it—it just won’t be so obvious when looking up details on Mr. González.

In some ways, it’s a heartening David versus Goliath story that backs an individual’s right to control their own data in face of pressure from one of the most formidable tech giants. But the ruling—which is the first real test of Europe’s laws on the matter—also raises freedom of information issues, and begs a few questions of how this sort of thing could possibly occur on a widespread scale. Basically, putting the “right to be forgotten” into practice sounds like a lot of work.

The Court explained that the data people can request to have removed must be incompatible with the directive. That doesn’t mean it would have been illegally published in the first place, but rather that it now appears “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed.” Obviously, there’s a lot of subjectivity in those adjectives, which will make investigations into complaints tricky.

That’s compounded by the significant grey area and flexible lines between granting one person’s privacy and satisfying other users’ interest in accessing potentially useful information. To that, the Court said that a “fair balance” must be found—which sounds like the oft-desired but perhaps mythical happy medium between freedom of speech and privacy rights. It’s not always going to be an easy call.

If you’re having ideas about scrubbing some of your own less savoury personal details, the process would require you to first go to the search engine and, if they refuse, to legal authorities. My suggestion of an easier option? If you don’t want other people to hear about it, don’t do it.

As for the complainant in this case, it looks like he got his wish. Google Mario Costeja González now and the first page is full of news reports about privacy rights, not a repossessed home somewhere in Spain. Though he's perhaps unwittingly ensured that tidbit will persist within the many retellings of his landmark case.