In a landmark case for the future of digital privacy, Europe’s highest court ruled today that internet search behemoths, such as Google, can be required to block access to search results about individuals at their request.
The ruling of the Court of Justice of the European Union in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja Gonzálezhas the potential to drastically alter the privacy landscape. It will allow individuals to assert their right under EU data protection law to require search engines to rectify, erase or block access to search results about them where these are incomplete, inaccurate, irrelevant or outdated or otherwise breach EU data protection law, whether or not they cause prejudice to the individual. It is further evidence that as individuals look to alternative ways to protect their privacy and their reputations in an online world, data protection is now leading the way.
This decision, which cannot be appealed, also moves us further towards one of the fundamental changes in the proposed new EU Data Protection Regulation, namely the “right to be forgotten” (in the latest draft re-named the “right to erasure”). It creates a powerful mechanism for individuals wishing to control the information available about them online, even where an individual is unable to assert his rights against the original publisher. The judgment expressly acknowledges that in certain circumstances, where an individual is precluded from taking action against a publisher, it may do so against a search engine linking to the publication, recognising that the results generated by a search against an individual’s name can provide a detailed and structured profile of information relating to the individual which may concern “a vast number of aspects of his private life.”
It does not create an absolute right for an individual to expunge the historical record: a balance must be struck between the individual’s rights to privacy and data protection (protected by Articles 7 and 8 of the EU Charter of Fundamental Rights), the legitimate interest of other internet users in receiving information about the individual, the economic interest of the search engine and any other relevant rights and interests. The ultimate balance to be struck will depend on factors such as the nature of the information, its sensitivity for the individual’s private life and the interest of the public in accessing the information, which, the Court held, “may vary according to the role played by the individual in public life.” But, crucially, the judgment states that an individual’s rights to privacy and data protection “override, as a general rule, [the] interest of other internet users” to receive the information in issue.
The ruling also confirms that the activities of entities outside the EU, such as Google’s search engine service in the US, can be brought within the ambit of European data protection law where they direct commercial advertising at individuals within the EU via their European offices. It is a surprising departure from the earlier opinion of the Advocate General, who was suspiciously terse in reasoning that Google was not responsible for personal data appearing on third-party web pages, and it may be that in coming to its conclusions that US-based Google Inc. is a data controller for the purposes of EU law the Grand Chamber has one eye on the draft EU Data Protection Regulation (which, after considerable delay, is likely to be in an agreed form towards the end of this year, coming into force two years thereafter).
The proposed Regulation is even more radical in bringing within the scope of EU data protection law entities based anywhere in the world provided they offer goods or services to individuals in the EU or monitor their behaviour, for example, through targeted advertising. Like the recent and important judgment in Vidal-Hall v Google Inc.  EWHC 13 (QB), today’s decision is another example of Google finding itself unable to use its US status as a shield against the obligations imposed on it by European privacy and data protection law.