On 13 May, the European Court of Justice (ECJ) issued a ruling that will give EU citizens the opportunity to request the removal of sensitive information on them from internet search results. The judgment ruled that when search engines produce search results, they are not simply hosting data from other websites, but also acting as data controllers and must therefore take responsibility for data protection laws applying to the content.
What does this mean for you? Press coverage of the decision has, not surprisingly, largely focused on the ‘right to be forgotten’. The ECJ delivered a clear message on this point – an individual has a fundamental right against a search engine or content provider who processes their personal data in breach of that person’s data protection rights.
This effectively allows you to request a web platform for rectification or removal of results when your name is searched against, particularly where you can demonstrate that the personal data is excessive, irrelevant or no longer required in relation to the original purpose for posting it.
Exemptions remain in place to protect news sources or where there is an overriding public interest in publication, but the ECJ has clearly swung the balance in favour of the individual with this judgment. It is all too easy to be breathily scandalised at the decision and its arguably chilling effects on free speech.
But there is another side to the story which, in the interests of fairness and balance, should be told. Indeed, telling only half the story and disseminating misinformation and half truths is, according to recent off-the-cuff comments by the Pope reported on the official website of the Holy See, a mortal sin.
While it is right that we should not, wholesale, recreate or erase history, it is also right that history should not constantly be a part of the present. But that is what it has become today, with the ubiquitous nature of the internet, where everything is now digitally recorded and where information anywhere, is information everywhere.
Those of us old enough to remember life before the internet may have made mistakes, a bad fashion choice perhaps, or a bad political decision. But today, more or less everything we do or say, and what we write about ourselves or what others write or say about us, is recorded, forever, digitally. It has proven impossible for us now to allow our past mistakes to fade into the mists of time and, sooner or later, for us to become rehabilitated from our past.
The younger generation in particular, who have been born into a world tangled up in the World Wide Web, are too young and inexperienced to know the huge and significant ramifications of disgorging their personal lives across the online ether. Until this judgment, they faced a future in which they would be forced to live with the digital millstones around their necks of every unfortunate decision or mistake, irrelevant piece of data, or recorded word or deed that has ever been published by or about them.
So is this decision the right one? It may be difficult to implement in practice; it may be costly; it may even result in some information being deleted from websites where it would otherwise have stayed – or perhaps we should say, may have festered forever, causing harm and upset to its subject.
The decision significantly expands who may be caught by data protection law. In particular, search engines and content aggregators who saw themselves simply as hosting third party content with little or no legal responsibility for it can now be found liable for that material where it reveals personal data in contravention of data protection law. It does not matter that the same information is publically available from other sources on the web.
This marks a significant step away from the position that Google and other platforms adopted up to this point – that they are not legally responsible for the results that appear when using their service.
The decision also arguably extends the territorial scope of EU data protection law. The ECJ case was brought against Google by a Spanish national, and the search engine giant argued that, because its search business was hosted and run solely by its US parent company, EU data protection law did not apply to its Spanish subsidiary, which simply sold advertising space.
The ECJ disagreed with this approach and its comments about what constitutes data processing ‘in the context’ of an EU establishment may be seen as an expansion of EU jurisdiction to organisations in the US and other non-EU countries, who may only have a small branch or agency presence in Europe.
The internet has changed the world, and has robbed us of an otherwise entirely obvious human need – to be able to move on, learn form and rehabilitate ourselves from past mistakes – and it is surely right that a happy balance must be achieved, between maintaining accurate records of relevant, public interest information, and allowing to recede into history, material that is irrelevant, or the publication of which has served its purpose.
Amber Melville-Brown specialises in reputation management and Kenny Mullen specialises in IP, technology and data protection. Both are partners at Withers LLP