On 13 May 2014, the European Court of Justice issued its decision in the Google Spain “Right to be Forgotten” case.
The case was initiated in 2010 when Spanish citizen Mario Costeja Gonzalez found that the results of a Google search of his name included a 1998 newspaper article detailing his debt status and the forced sale of his property. Given that it was 10 years later and he had resolved the financial issues, he felt that the link should not still be available. After both the newspaper itself and Google refused to remove the information, a complaint to the Spanish data protection authority (AEPD) was made. After investigation, the AEPD ordered Google to remove the links, but Google challenged the ruling, eventually leading the case to the European Court of Justice.
This week’s decision is in stark contrast to the preliminary ruling in June 2013 where the Court’s Advocate General disagreed that Google was a data controller and thus that they had an obligation to delete the links. The full court found that, in fact, the operator of a search engine by scanning and indexing does in fact collect, retrieve, record, organize, disclose and store information and accordingly does fall into the category of data controller. As a data controller, in this case they did have an obligation to remove the data.
It is worth noting, however, that the obligation to remove data was not put forward as always applicable or absolute, with the court instead recognizing (a) that there were certain situations in which such removal would be appropriate, and (b) that the individual’s rights of informational self-determination must be balanced against the interest(s) of the public in knowing or having access to the information. How or whether that works in practice remains to be seen.
Identifying the Catch-22 implicit in the decision, Zittrain has commented that:
In fact, I can’t tell if the Spanish citizen actually won anything. The Court’s own press release names him, and the fact that he at one point owed so much money that he had a property foreclosed. Not only does that illustrate the Streisand Effect, giving attention to exactly the thing he wanted to keep private, but more important, it appears to show that the Court doesn’t see a problem with publishing the very data it thinks sensitive enough to be worthy of an entirely new category of protection.
The decision has garnered all sorts of media coverage and expert opinions, forecasting everything from business as usual to the end of the internet as we know it. Perhaps the most balanced (and honest) response came from the Information Commissioner’s Office in the UK, who essentially congratulated the court for including Google under the rubric of EU data protection law and promised discussion on the practical implications of the decision once there had been an opportunity to review and consider the decision.
Discussions about the “right to be forgotten” are not new. Perhaps this decision will facilitate that right. I think, however, that one of the things we must consider before speaking out about this decision is the larger question of why anything need be hidden or forgotten. The right to be forgotten is, at least in part, predicated on concern(s) about the permanence of data online and the effect of long-ago moments, actions, or otherwise less than flattering information upon individuals as they go through their lives. Is the right to be forgotten the only way to deal with this? Couldn’t we instead take our current understandings (that youthful indiscretions needn’t define someone’s whole life) and apply it to information available online? Learning and strengthening critical reading skills rather than placidly accepting any and all information presented online as both relevant and accurate?
15 May 2014: And so it begins: Reuters reports that Google have already received multiple takedown requests. Let's wait and see how this plays out shall we....