If happiness is good health and a bad memory then the recent decision by the Court of Justice of the European Union that data subjects under Directive 95/46 have ‘a right to be forgotten’ after a certain period of time should be a welcome one. However, the decision presents obvious practical challenges for search providers and guidance from regulators is required to make sure search providers adopt the right approach in response to it.
The decision arose out of a complaint lodged by Mario Costeja González, a Spanish National, against Google Spain and Google Inc. as a Google search of his name produced results which included links to articles in a newspaper’s archives which referenced his historic social security debts. Mr Costeja González successfully argued that as the proceedings relating to the debts had been fully resolved, they were now irrelevant and should be erased.
As a result of the decision, data subjects are now able to request that certain links which appear when their name is searched are erased where the content behind them can be shown to be ‘inadequate, irrelevant or excessive’. Google was held to be a data controller in its own right by virtue of the systems it uses to process and index data which it then provides as search results. Consequently, requests for erasure can be made by data subjects even where the information available on the underlying website is lawfully published and the publishers cannot be compelled to alter or remove it.
On 20 May, the ICO, the UK regulator, published four points of reflection arising from the judgment in which it highlighted the practical challenges for search providers and emphasised the need for data subjects to be to be realistic about how difficult it can be to completely remove all traces of personal information online. The ICO has acknowledged the logistical and technical challenges faced by search providers and has granted a grace period until more guidance is available, stating that;
“We won’t be ruling on any complaints until the search providers have had a reasonable time to put their systems in place and start considering requests. After that, we’ll be focusing on concerns linked to clear evidence of damage and distress to individuals.”
In the meantime, Google has already responded by producing a form that users can fill in to request that specific URLs are removed from the results of a search of their name. The form requires proof of identity to be provided and has already been challenged by the data protection authority in Hamburg which is concerned about the processing of the personal data contained on the identification.
The issues arising from the decision have been discussed at a plenary meeting of the Article 29 Working Party meeting at the beginning of June who now intend to provide guidelines for search providers which will be consistent across the EU after consultation with relevant stakeholders.
On 3 June, the European Commission published a fact sheet which supports the Court of Justice’s decision and seizes the opportunity to discuss the merits of the proposed new Data Protection Regulation (for more detail on the proposed regulation, see the reform trackeravailable via CMS RegZone). However, the factsheet does not add any clarity to assist search providers in understanding the practical steps required in their response to the decision.
Clearly, search providers need to exercise caution in response to the decision in order to avoid falling foul of the data protection authorities and, until detailed guidance is published, a lot of uncertainty remains as to how they can best do this. It is hoped that the approach of the Article 29 Working Party in the development of their guidance produces an outcome that data subjects and search providers alike can be happy with.