The UK data protection watchdog has said that it will give search engines like Google some time to put measures in place to respond to requests to take down links in search results.
On May 20, 2014, the UK Information Commissioner’s Office made its first public response to last week’s Court of Justice of the European Union decision against Google and its Spanish subsidiary. The court’s decision requires Google to take down links to lawfully published content about an individual if the individual believes the information to be inaccurate, irrelevant, outdated or excessive. See our advisory for more information about the CJEU ruling.
“We won’t be ruling on any complaints until the search providers have had a reasonable time to put their systems in place and start considering requests. After that, we’ll be focusing on concerns linked to clear evidence of damage and distress to individuals.”
The approach is similar to the informal grace period the ICO provided when unclear “cookie consent” rules were introduced by the EU in 2011.
It is worth noting that the ICO will focus on complaints involving “clear evidence of damage or distress” even though the CJEU says it is not necessary to show that the inclusion of information in search results causes prejudice (harm) to the individual.
The ICO is also careful to only mention search engines when discussing who needs to take steps to comply with the EU court decision. There has been much speculation about the application of the decision to content aggregators other than the major search providers, including social networks.
Helpfully, the ICO is ready to lead an effort with other EU data protection authorities to provide consistent implementation guidance across the EU.
In the meantime, the UK watchdog wants search providers to begin work on compliance:
“[W]e expect search providers to start the process of considering what solutions are needed to deal with requests to remove links. We recognise that the challenge is logistical and technical. Any solutions should enable appropriate consideration to be given to each case, and should reflect a judgment that upholds the data protection rights of individuals.”
The most important impact of the Google Spain decision may be something other than identifying a “right to be forgotten” in EU law. Instead, it may be the court’s ruling that the EU has very broad jurisdiction with respect to data protection regulation. The decision removes any doubts that search engines and similar online services are subject to EU data protection regulation (as they can be considered “data controllers”). The CJEU also takes a broad view of the geographic reach of EU privacy rules: non-EU companies with limited sales operations in the European Union or a limited amount of computer equipment in the EU are considered “established” wherever those operations are located and potentially subject to national data protection legislation in each of those countries. Both are principles the ICO seems ready to embrace.