22 May 2014
The Court of Justice of the European Union (EUCJ) has backed the right to be forgotten, ruling in its favour.
The ruling places the responsibility of amending search engine results at the request of the public regarding their personal data, in the hands of search engine operators.
Therefore, engines such as Google, Bing and Yahoo will need to comply, which will require amending how the companies currently deal with data published by third parties and its appearance on search engine results.
The EUCJ’s ruling came about as a result of a case brought by a Spanish man regarding an old newspaper post detailing the auctioning of his repossessed home that appeared on Google as a search result. He claimed the post infringed his privacy.
Speaking to Governance + Compliance, technology partner at Stephenson Harwood LLP Jonathan Kirsop said, ‘there are a number of aspects of this decision which are troubling’.
The most fundamentally troubling aspect of this decision Kirsops says, is that ‘the development … of the existing right of rectification/erasure into a so-called ‘right to be forgotten’ has great ramifications, not just for freedom of speech but also for a business’s ability to be able to comply effectively with (at times) competing regulatory requirements. For example, how will future requests for the deletion of a bad credit history be squared with financial and other business’ ability to ‘know their client’ and make sensible lending decisions? Likewise, even where a legal gateway does exist to retain the information, the judgment call required to decide whether or not it is reasonable to retain will be difficult (and costly) to implement on a standardised basis, not least due to the EUCJ’s insistence that privacy should – ‘as a rule’ - prevail over other competing rights.’
He adds that ‘the wide interpretation which the court gave to the Directive so as to grant the Spanish regulator the jurisdiction over the complaint, suggests that an international business with any established presence in a European jurisdiction may fall under European Data Protection laws, even if that presence is largely irrelevant to the processing in question.
‘Secondly, the finding that Google was a data controller of information contained on another website also potentially brings companies who provide aggregator or similar reference services into the scope of the legislation and gives them liability for information that may be controlled and contained elsewhere.’