Mostly we like to be remembered, but when it comes to negative online content, it’s good to be forgotten. Except that often, search engines such as Google don’t forget. A landmark Court of Justice of the European Union (CJEU) ruling yesterday may change that.
In many years of running “online reputation” training courses, I frequently encountered people who were affected by negative or out of date content that ranked highly on search engines for their name.
Their options: contact the publisher or ISP to request removal, publish optimised positive content, follow Google’s advice on online reputation management and how to remove content from Google search results and so on, with varying results.
On 13th May 2014, the CJEU on ruled that search engines, in principle, are responsible for information they index (i.e. process) about an individual on a third party website. Data, initially lawfully processed, could in time become (under data protection law):
“inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed”
Key Points of CJEU Ruling
Indexing information by a search engine constitutes “processing of personal data”
In this context, Google is a controller of personal data (and as a result, responsible to a data subject – you)
Even if published lawfully, search engines should remove links to indexed pages containing a data subject’s personal data, if so requested by the data subject
A fair balance should be found between the legitimate interests of search engine users and a data subject’s privacy rights
A Member State’s national data protection law applied to this case, even when indexing took place in the U.S., as Google was incorporated in Spain
The case dates back to 1998, when legal proceedings taken against a Spanish citizen were published in La Vanguardia, a major Spanish newspaper. More than ten years later, this information was still appearing in Google’s search engine results pages (SERPs) for the complainant’s name. He asked La Vanguardia and Google to remove the relevant pages, as the legal issues had been resolved so this information was irrelevant, and his reputation was being damaged.
The Spanish data protection authority (AEPD) agreed to take on the case and some issues were referred to the CJEU by a Spanish court, regarding how the Data Protection Directive of 1995 applied in this case.
As a result of yesterday’s judgment, search engines may be obliged to remove SERPs which
“are liable to constitute a more significant interference with the data subject’s fundamental right to privacy than the publication on the webpage.”
How will or can this ruling be enforced?
How does it square with the right to freedom of expression?
Does it or will it apply also to indexing or publishing by social media networks referring to a data subject?
How will Google facilitate or respond to requests to remove pages from its SERPs?
Will this affect the quality of search engine results?
Given the volume of potential requests, will Google automate a removal process?
Remember, that didn’t work out so well for Google in tidying up closed businesses on Google Places – their Mountain View office was ‘closed’ by cheeky bloggers with a couple of clicks:
More questions than answers and, although this ruling only relates to personal data online, it is helpful for businesses struggling with online reputation issues, as the right to be forgotten was upheld and is an important element of the proposed Data Protection Regulation due to replace the 1995 Directive.
In the meantime, it is a step in the right direction for an individual’s right to privacy.
Further reading: Judgment in Case C-131/12, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González