Last week, the Court of Justice of the European Union ruled that individuals have the “right to be forgotten.” In other words, individuals have the right to control their data and can ask search engines to remove links to results containing certain information. This ruling has far-reaching implications not only for the EU but also for the United States.
This case involved an appeal by a Spanish national who had complained to Google about online newspaper reports Google had indexed relating to debt-recovery proceedings against him from 1998. When the individual’s name was entered into Google, it brought up results providing a link to newspaper accounts of the debt proceedings. The court ordered the links stricken from Google’s search results.
Interestingly, the newspaper that first indexed the information online was not required to remove any information; instead, Google was required to remove the link to the information. After this ruling, search engines – at least in the EU – are required to remove links to material posted lawfully on third-party sites – although the sites do not need to remove the information. This means, at least conceptually, that more information may be available on U.S. cyber networks than in the EU.
According to EU Commissioner Viviane Reding, “Data belongs to the individual, not to the company. Unless there is a good reason to retain this data, an individual should be empowered by law – to request erasure of this data.” This ruling is a clear victory for advocates of the “right to be forgotten,” and could potentially impact businesses in the United States.
Consider, for example, businesses that collect information in the United States that have offices in the EU. These businesses are required to comply with EU laws. This case was limited to an individual’s request that Google remove certain links, but what about the next case that requests the newspaper remove the online reference?
The ruling also raises a number of complex questions: Does this mean that search engines will now act as censors of certain information because an individual objects to the information? How do you balance freedom of information against the right to privacy? Do people have a right to remove potentially damaging information – such as a convicted sex offender or a lawyer who was disbarred?
Regardless, companies should have appropriate policies and procedures in place now to address data retention and destruction. Understanding what information you have, what information you retain and deleting information you no longer need will help substantially to reduce your risks.