By Marc Del Bianco, Esq.

There has been a lot of business and legal commentary about the European Court of Justice’s recent decision in the Google “right to be forgotten” case.[1] The holding itself is rather narrow. The ECJ, at the request of a Spaniard who felt that articles about the foreclosure of his house 15 years ago did not accurately reflect his present situation, ordered links to articles about the house sale removed from the results returned when a Google search for his name is conducted in the EU. The ECJ found that the U.S. parent Google Inc. was subject to the jurisdiction of Spanish courts and the Spanish Data Protection Authority (DPA) as a result of its operation of Google Spain SL. The ECJ held that the parent’s search function (which takes place in the U.S.) and the Spanish subsidiary’s advertising sales function (which collects personal data about EU citizens, enables the search function to be economically profitable and takes place in Spain) were “inextricably linked.” Because the combined Google entity was determining the means and purposes for processing personal data in an EU member state, the ECJ held it was a Data Controller subject to the EU Privacy Directive and to Spanish jurisdiction, at least for privacy complaints related to its search business. The ECJ stated that any request to remove links must be balanced against the “preponderant interest of the general public.” When it examined the merits of the case, it concluded that the information at issue was “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which [it was] processed and in the light of the time that has elapsed.” Therefore, the court ordered Google to remove links to the information from its search results in the EU.

When and how the decision can and will be implemented is up in the air. The DPAs from EU countries have begun working on guidelines for how search engines (and presumably other companies that are or may be recognized as Data Controllers) should handle “right to be forgotten” requests. Press reports indicate that the guidelines are expected to be ready in September and will standardize the process of handling removal requests and appeals of removal denials across all EU member states.

Google’s response has to date been measured. It has placed a “right to be forgotten” request form on its website and started putting together a committee of outside experts to vet difficult requests.[2] The company apparently will remove “forgettable” references only from the EU search engine results, and it has announced that it will disclose in those search results that certain URL results are omitted. Google claimed that in the first week after the decision, 41,000 EU citizens asked to remove links to outdated information about them.

The full effect of the ruling will not be known for some months. The ruling does not require deletion or takedown of the documents or any URLs, just that Google or any other Data Controller not display them in the search results. This seems an open invitation for inquiring minds to use other search engines, including the U.S. version of Google, to circumvent the ruling. The decision no doubt affects other search engines, to the extent that they have an “establishment” (i.e., an affiliate or subsidiary) in a particular EU country. Yahoo, Microsoft and other search engine operators are already receiving requests that individuals’ information be deleted or omitted from search results. They will have to create their own “right to be forgotten” processes and decision criteria. Given the lack of guidance from the ECJ, it seems likely that at least in the short term there will be little uniformity in the takedown decisions, so an individual’s data could be “forgotten” by Google but readily available in Bing and other search engines.

The logic of the ECJ decision is not limited just to search engines. It is likely to be applied to find that blog hosting companies, social media and other intermediaries are Data Controllers with establishments in the EU. There is a potential for the concept to be applied even more broadly, to any U.S. companies that publish the personal data of EU citizens and that can be classified as Data Processors or Data Controllers (terms of art under the EU Privacy Directive). This is important for two reasons. First, the EU concept of personal data is broader than the U.S. notion of private or personally identifiable information. “Personal data” in the EU includes almost any information about an individual, including information obtained from public sources (such as the house sale records at issue in the Google case) and information that an individual has voluntarily disclosed publicly.

Second, many U.S. companies may not realize that they are publishing personal data of EU citizens. For example, the websites of many U.S. companies not falling in any of the categories above provide website search capability or links to search engines or other third-party websites. The result pages of such searches could produce references to the personal data of EU citizens. If the U.S. company has a European affiliate or subsidiary, it may be subject to EU jurisdiction. This risk may require review and revision of the group’s corporate structure and business operations.

One final issue is worth mentioning. There is an inherent tension between the right to be forgotten and two key concepts in U.S. law – the First Amendment right to free speech and the idea that truth is a defense to any sort of libel or defamation claim. At some point, these will collide. The most likely battlefield will be a blog, with an international hosting company caught between an order from a European court and a blogger’s U.S. First Amendment claims. It will be interesting to see the outcome.

[1] C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González.