TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | How the European Google Decision May Have Nothing To Do With a Right to Be Forgotten Related reading: Automaker, data broker sued for alleged consumer privacy violations

rss_feed

""

""

After almost a month since the CJEU decision on Google and (allegedly) a “right to be forgotten” stirred up not only the international privacy community but also all of the digital world, managing to even occupy prominent general press space—among others, in The Economist, The New York Times and The Guardian, and while Google has already published a “search removal request” webpage that already attracted more than 40.000 applications within the first days it became operational, it is perhaps time to calmly assess what the CJEU decision really is and is not about.

What Google Does

With Google accounting for more than 90 percent of Internet searches in Europe, it shall be used from now on as showcase for any (successful) Internet search engine. Although it is obvious, we need to be reminded that Google links information – it does not create content. By scanning interminably, through automatic means, the web in order to create new connections and correlate more information leaves no record unsearched and no information unrelated to another. Given the exponential growth of digitized information and the lack of structure on the web, Google is the non-human, file-keeper of the past. Admittedly, it executes its task brilliantly: Through its successful search engine discovery of personal information on any individual that would otherwise take significant resources to carry out takes only moments and may be performed even by the most inexperienced user. This contribution is neither insubstantial nor without legal consequences. One should always keep in mind that, at least in the EU, data protection legislation emerged during the 1970s as a privacy spin-off only when the first computers entered public administrations in order to do exactly the same thing, for until that time, manual records were kept in cabinets and storage rooms. In other words, the efficiency of the personal data processing matters.

The EU Principle of Proportionality: Even Lawful Behavior May Be Found Infringing, Depending on the Actual Conditions

Such qualitative effect is court assessable. In EU law this is mostly performed by application of the principle of proportionality: All other factors found lawful, measures also need to be proportionate to their aims. This is an ever-present principle that at times had led to unexpected results, as was, for instance, the case in April when the same court annulled (retrospectively!) the EU law on the retention of telecoms and Internet data by their providers for law enforcement purposes. The same principle is embedded in EU data protection legislation as well. The processing needs to be proportionate to its purposes, meaning that if it is not, even if all other circumstances relating to it are lawful, it will be ultimately found unlawful. Perhaps this is the case in U.S. law as well. Although we would generally hesitate to approach U.S. Supreme Court rulings, the case of Grokster (and, we also think, secondary copyright infringement) was similarly based on a qualitative criterion (the volume of illegal downloads and Grokster behavior) and not on the action itself (enabling users to exchange files) that is otherwise lawful.

The CJEU Decision Is, More Than Anything Else, An Exercise of the Principle of Proportionality.

The CJEU expressly used proportionality-related reasoning in order to reach its decision:

processing of personal data, such as that at issue in the main proceedings, carried out by the operator of a search engine is liable to affect significantly the fundamental rights to privacy and to the protection of personal data when the search by means of that engine is carried out on the basis of an individual’s name, since that processing enables any internet user to obtain through the list of results a structured overview of the information relating to that individual that can be found on the internet — information which potentially concerns a vast number of aspects of his private life and which, without the search engine, could not have been interconnected or could have been only with great difficulty — and thereby to establish a more or less detailed profile of him. Furthermore, the effect of the interference with those rights of the data subject is heightened on account of the important role played by the internet and search engines in modern society, which render the information contained in such a list of results ubiquitous”.

Subsequently, the court weighted the above against Google’s legitimate interest to process the information—also acknowledged in EU data protection law—but found an imbalance in the relationship: “In the light of the potential seriousness of that interference, it is clear that it cannot be justified by merely the economic interest which the operator of such an engine has in that processing”. Hence, Google processing was found unlawful —see, however Christopher Kuner’s critical approach to the same balancing here.

The CJEU Decision Has Nothing To Do with the Freedom of Expression (And Much Less, with Freedom of the Press)

The CJEU did not order the newspaper on whose webpages the information on the claimant originally appeared to delete them. The newspaper post on the claimant is still online, available for anyone to see. What the CJEU prohibited is automated perpetual linking to this information—when, more particularly, they refer to “anonymous” individuals. Google does not express an opinion—nor may what it does be considered journalism. It only brings up information, perhaps enabling others to express an opinion (See also Solove questions, under 5). Google is an accessory, not required but certainly facilitating, to the freedom of expression—and to a bunch of other freedoms as well. However, to our knowledge at least, there is to-date no such thing as protected secondary exercise of human rights—although there appears to exist secondary copyright infringement. Until that time, enabling tools have nothing to do with the freedom or rights per se.

Even More Surprisingly, the CJEU Decision Has Nothing To Do with a “Right To Be Forgotten”

A “right to be forgotten”, if ever acknowledged to humanity even in digital context—there certainly is none in the offline world context—would essentially include a “right to delete” or “to have deleted.” As already explained, this is not what the CJEU decision under consideration does. It did not ask for deletion of the original information—according to the UK ICO blog, “It is important to keep the implications in proportion and recognise that there is no absolute right to have links removed. Also, the original publication and the search engine are considered separately.” This is also not what the draft EU data protection regulation at least today speaks of. Its Article 17 asks for deletion of the actual data, not third-party links to them. If we ultimately believe that by deleting Google links people forget, then we need to seriously reconsider the mechanics of human memory today and in the foreseeable future.

The Pragmatic Approach: This May Be Only A Mid-term Problem

We often forget that the Internet has a history of only 20 years or so. After a few more years have passed and a few hundred million or even billions of new users have been added to it while several thousands of its first users will have presumably “left” it, and a couple of social networks will have gone bankrupt and several webpages will be discontinued but still online, the qualitative criterion that annoyed the EU court will have been abolished because it will be far more difficult to establish that Mr. González (the claimant), still appearing in that Spanish newspaper, is indeed the same person who had his real estate auctioned back in 1998 and not one of the millions of others carrying the same name. Until that time, however, it is probably true that unsuspecting individuals who once in their lifetime erred or, even worse, allegedly erred, may need protection from super-efficient seemingly perpetual, automated associations of that one time with their name. In essence, this is perhaps an Internet infancy disease brought by the formidable work performed by Google and its competitors. The CJEU decision is trying to balance things, perhaps assisting individuals a bit more than they deserve, until we all—Internet users, the Internet and Internet companies—get to better grips with the, still new, medium.

6 Comments

If you want to comment on this post, you need to login.

  • comment John Tomaszewski • Jun 20, 2014
    I completely agree with the authors. In point of fact, the decision is more of a practical analysis of how to use Article 7(f) - which most recently had an Art. 29 WP opinion passed on it - than anything else. I did a pair of blog posts on this issue a couple of weeks back where I reached much of the same conclusion. For those who are interested it is at www.globalprivacywatch.com
  • comment Sunghee Chae • Jun 22, 2014
    I am a Korean Lawyer working for a Korean IT company. In Korea, personal data protection law will not bring the same result as in the CJEU case. In my opinion, it is highly likely that Korean data protection law and relevant law will not apply in the same fact patterns as in this case. However, Korean civil law does have a tool which I think will lead to the same conclusion as in the CJEU case, which is 'injunction for cease and desist'(in German, 'Unterlassungsanspruch') based on 'a right to determine whether and how his/her peronal data will be used by other person' or 'right to personal data' as a kind of 'right on personality'('allgemeines Persoenlichkeitsrecht' in German). Korean Supreme Court has been applying very similar criteria to determine whether an infringement on the 'right to personal data' as applied in the CJEU case, which is to balance conflicting interests or rights against one another. And I think the author of this colums's logic is very close to what we Korean lawyers would come up with. I am very interested to see this. 
  • comment Biddy Wyles • Jun 24, 2014
    The whole topic is fascinating and the above article gives a welcomed perspective to the debate. Can anyone comment on the  exercise which Google is embarking upon and whether it will attempt to balance the parties'  respective rights?  Will it simply delete links upon request, or is it going to be exercising some sort of judgment as to the public interest and proportionality? 
  • comment Vagelis Papakonstantinou • Jun 24, 2014
    It is perhaps too early to say how Google will react to the CJEU judgement. According to this NYTimes information (http://bits.blogs.nytimes.com/2014/06/18/google-ready-to-comply-with-right-to-be-forgotten-rules-in-europe/?_php=true&_type=blogs&_php=true&_type=blogs&emc=edit_tnt_20140618&nlid=28836431&tntemail0=y&_r=1&) we are only at the beginning of the process. It is also likely that developments with the EU Regulation (ie. its final wording on issues such as territoriality or the right to be forgotten) will affect Google's point of view. At any event, given the volume of applications, we would expect that a streamlined "objection process" will ultimately be adopted.
  • comment Vagelis Papakonstantinou • Jun 24, 2014
    Thank you, interesting point about the "data brokers". Although, as you note, it is difficult to say what a "data broker" is maybe we could use the EU Data Protection Directive definition of "controller" ("the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data") in order to establish whether data brokers are of interest to the data protection purposes. Perhaps too long have "data brokers" hidden behind the same Directive's definition of "data processors" ("a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller"), a person generally bearing very limited obligations (and liabilities) with regard to its processing (please see also the case of cloud computing).
  • comment Alvaro • Aug 28, 2014
    When I read the post title, the word tax popped up in my mind triggering my interest on it, but unfortunately taxes were not even mentioned on the post.
    
    My guess is that this ruling is putting the avantgarde part of the base for the collection of taxes from US companies that are not currently paying taxes, or are just paying peanuts in European countries using fiscal engineering.
    
    It is funnny how the ruling forgets about Electronic Commerce Directive, safe harbors it brings in the benefit of, among others, search engines and  even when it declares privacy is applicable to them. Previous General Advocate opinion was mentioning such Directive and argumenting on Personal Data Protection Directive jointly with Electronic Commmerce Directive.
    
    There are better ways to solve the issue, but CJEU has opted for the one is blaming and making accountable only to Google.
    
    What about fostering a review of robot.txt protocol that permits both search engines and content providers to jointly manage this issue? Why are search engines supossed to be exclusive accountable organizations to solve the problem?
    
    Another thing that surprises me is that considerable time has past since the ruling, and yet there is no chance in Google Privacy policy informing on personal data published by content providers or even by people themselves and processed by Google´s crawler and on its index.