No ‘Right to Be Forgotten’ on EU Internet

     (CN) – An adviser to Europe’s highest court said Tuesday that Google and other internet search engines bear no responsibility to remove personal information from their indexes.
     Advocate General Niilo Jaaskinen’s opinion comes on the heels of announcements that Spain, France and the U.K. have launched investigations into whether Google’s privacy practices flout EU law after European regulators took no action on a deadline issued last year.
     Tuesday’s opinion stems from an electronic newspaper story — published in 1998 — about a Spanish foreclosure auction prompted by social security debts. The story identified the property owner, who discovered a decade later that the proceedings still came up when he typed his name into Google’s search engine.
     The owner demanded that the newspaper erase the online version of the story, as the proceedings had been resolved long ago and the references to him no longer applied. Finding no resolution with the newspaper, the man asked Google Spain to remove the offending links.
     He also filed a complaint with the Spanish Data Protection Agency (AEPD) against the newspaper and Google. In 2010, the agency ordered Google Spain and California-based Google Inc. to remove the links — and dismissed the case against the newspaper.
     Google lodged two appeals with Spain’s high court seeking to annul AEPD’s order. That court referred the case to the Court of Justice of the European Union for clarification of the EU’s data privacy laws.
     In his opinion — which is not binding on the EU high court — Jaaskinen noted that this is the first case involving Europe’s data privacy laws and internet search engines. He also pointed at the laws have not been amended since they were adopted in 1995 and that Google has changed the internet world immeasurably since then.
     However, EU law doesn’t expressly regulate to search engines, particularly ones — like Google — that receive no payment for providing search services. And in many instances, search engines receive personal information from users themselves or source webpages like the newspaper in question, according to Jaaskinen.
     Furthermore, any applicable law does not extend outside European territory unless the search engine has also set up shop in an EU member state. Google Spain only handles targeted advertising to Spanish users, but information on the exact geographical location of its search engines hasn’t been made public, the adviser noted.
     For the future, Jaaskinen proposed that the Luxembourg-based Court of Justice adopt a finding where any search engine that opens an office in the EU for the purpose of selling advertising also processes personal data within the EU. But he also noted that processing personal data does not always mean controlling it under the outdated EU law.
     “When the directive was adopted the World Wide Web had barely become a reality, and search engines were at their nascent stage,” Jaaskinen wrote. “The provisions of the directive simply do not take into account the fact that enormous masses of de-centrally hosted electronic documents and files are accessible from anywhere on the globe and that their contents can be copied and analyzed and disseminated by parties having no relation whatsoever to their authors or those who have uploaded them onto a host server connected to the internet.”
     The adviser continued: “To my mind, one key question here is whether it matters that within the definition of controller the directive refers to the controller as the person ‘determining the purposes and means of the processing of the personal data. The parties who consider Google to be a controller base this assessment on the undeniable fact that the service provider running an internet search engine determines the purposes and means of the processing of data for his purposes. I doubt, however, whether this leads to a truthful construction of the directive in a situation where the object of processing consists of files containing personal data and other data in a haphazard, indiscriminate and random manner.”
     In the case of personal data published on third-party websites, Google cannot be seen as a “controller” of that information in the eyes of European law, according to Jaaskinen.
     “The internet search engine service provider has no relationship with the content of third-party source web pages on the internet where personal data may appear,” he wrote. “Moreover, as the search engine works on the basis of copies of the source web pages that its crawler function has retrieved and copied, the service provider does not have any means of changing the information in the host servers. Provision of an information location tool does not imply any control over the content. It does not even enable the internet search engine service provider to distinguish between personal data, in the sense of the directive, that relates to an identifiable living natural person, and other data.”
     Finding otherwise would mean all search engines are incompatible with EU law, “a conclusion I would find absurd,” Jaaskinen noted. “Specifically, if internet search engine service providers were considered as controllers of the personal data on third-party source web pages and if on any of these pages there would be ‘special categories of data’ referred to in the directive (e.g. personal data revealing political opinions or religious beliefs or data concerning the health or sex life of individuals), the activity of the internet search engine service provider would automatically become illegal, when the stringent conditions laid down in that article for the processing of such data were not met.”
     However, the adviser suggested finding that search engines like Google become personal data controllers when they refuse to comply with requests to remove webpages and other information from their caches. And he also noted that Europeans have overblown the notion of internet privacy rights — particularly in the area they call “the right to be forgotten.”
     “Jaaskinen continued: “Even if the court were to find that internet search engine service providers were responsible as controllers for personal data on third-party source web pages, a data subject would still not have an absolute ‘right to be forgotten’ which could be relied on against these service providers.”
     In those situations, the adviser urged service providers to bridge the gap between user and publisher, determine that if the disclosed data is legal under EU law, and censure as necessary.
     While Spain’s data protection agency said it was still studying Jaaskinen’s opinion and had no immediate reaction, Google hailed it.
     “We’re glad to see it supports our long-held view that requiring search engines to suppress ‘legitimate and legal information’ would amount to censorship,” Bill Echikson, head of “Free Expression” for Google in Europe, said in a statement.
     Google still faces data privacy-related investigations in six member states, however. Besides Spain, France and the U.K., local regulators in Germany, Italy and the Netherlands are looking into how long the company stores data, whether it uses data improperly or blocks users from exercising their opt-in and opt-out rights.

%d bloggers like this: