No doubt Google does not feel it received a boon after the Court of Justice of the European Union (CJEU) established a “right to be forgotten” on the Internet. This ruling gives individuals the right to request the removal of reputation-harming links from Google’s search engine.
What salacious, reputation-harming information was at the heart of this quest to cleanse Google’s search? Alas, it was a rather mundane notice of Mario Costeja González’s real estate auction to pay off a social security debt published in a newspaper in 1998 – pretty boring stuff by internet standards. The law at issue here was the 1995 EU Data Protection Directive. The Directive orders EU member states to grant their citizens the right to object to the further processing of personal information by a data controller and the right to erasure when data is inaccurate or incomplete. González first took his complaint to the Spanish data protection agency (AEPD) claiming that both the newspaper and Google violated his data rights by continuing the process the information after he requested its removal. The complaint against the newspaper was not part of the appeal heard by the Court, because the AEPD rejected it on grounds that the newspaper had “lawfully published it.” Google, on the other hand, was still on the hook and appealed the decision ordering it to remove links to the newspaper article all the way to the EU’s highest court.
The case caught many onlookers off-guard, because it looks nothing like the June 2013, Opinion of the Advocate General, which are advisory opinions generally relied upon by the Court. The decision is otherwise shocking because of the position it puts Google in.
The CJEU labeled Google a “data controller,” and the company now carries the huge burden of addressing any number of user takedown requests. Up to this point, Google has directed unhappy users to a help page that tells them to contact the site operator to get their problematic content removed and explains that Google may remove links under rare circumstances but usually requires a court or executive order. When the company receives takedown requests from a governmental body, it simply verifies the legitimacy and complies. This is true for all legal domains except copyright. When Google is notified of copyright infringing content, it automatically removes the content to avoid secondary liability. Compliance costs have been kept relatively low. Now actual humans at Google will have to consider each user request for removal to determine whether it is a valid right to be forgotten claim, with the only guidance from the Court being that it must take into account amorphous and jurisdiction-specific values like the “public interest.”
The problem is no one knows what the right to be forgotten means. There is no body of law giving this right shape or edges. Sure, there is some scattered case law related to past criminal activity from a few EU member states, but the only guidance the CJEU gives Google is that the data subject’s rights override the interest of internet users, as a general rule, and that the balance of interests should be case specific.
The understandable intention of the European Union to redistribute power away from companies and toward users backfired here. Vivienne Reding, the EU Commissioner who has long championed the right to be forgotten, celebrated the ruling with a Facebook post: “Companies can no longer hide behind their servers being based in California or anywhere else in the world.” But, this decision does not take power away from Google. It gives Google Almighty more power than ever. Google gets to decide what the right to be forgotten means, because its interpretation of the right will be as good as anyone else’s guess. Without any sense of what the right is and is not, Google will have to create its own policy for addressing user takedown requests. The various beginnings of a right to be forgotten amongst EU member states is clear in the CJEU’s decision as it waded through the variations taken by countries other than Spain. Google will come up with rules to respond and try to comply with requests from various countries by piecing together what little each member state has said on the issue. Either way, Google’s guess on removal requests will then be tested in courts across the EU over the course of many years, if and when Google decides to fight for the decisions it never wanted to make in the first place.
Expanding the ruling beyond Google, we will see other data controllers, from search engines to social networks, just removing content upon request, not wanting to bother with inevitably having to defend their decisions in court.
The Data Protection Regulation, set to replace the Directive, is now the last ditch effort for both advocates and opponents of the right to be forgotten, which suffered a name change in recent edits to the proposed Regulation and for no obvious reason was retitled the right to erasure. For advocates, the right offers an opportunity for a networked world that promotes more expression and freedom than one where information lasts indefinitely. The right handed down by the Court, however, is not the nuanced and delicate touch required to balance the many interests at play when limiting access to publicly available information. For opponents to the right, significant lobbying will be required to rework, limit, and define the right to erasure exceptions in the Regulation, which allow a data controller to retain information for reasons related to expression, historical and statistical purposes, and public health and safety. Again, no idea what any of that means – can’t anything be kept for historical purposes?
So congratulations Google! While your robe and gavel will be expensive, you now have the (unwelcome) honor of shaping Internet content (even more than you already did).
For my long academic warning about this (although I predicted the problem arising from the Regulation, not the Directive), check out the draft version of my article presented at the Telecommunication Policy Research Conference being published by Telecommunication Policy.
More of my thoughts can be found here:
NPR All Things Considered