The Court of Justice of the EU has ruled that Google must amend some of its search results if requested by members of the public and found that there is a “right to be forgotten” when it displays links to outdated or irrelevant information.
The decision means that internet users may address a request to remove incorrect or irrelevant personal data directly to the operator of a search engine which must examine its merits based on the nature of the information, its sensitivity and the public interest. The court ruled that Google must remove links to pages containing the information from results “unless there are particular reasons, such as the role played by the data subject in public life, justifying a preponderant interest of the public in having access to the information when such a search is made”.
Perhaps the most significant aspect of the ruling is the finding that that Google's search engine business is that of a 'data controller' and therefore subject to EU data protection laws. Google had argued that it does not control personal data, it just offers links to information already freely and legally available on the internet, but the court found that this was not the case. Google had also argued that it should not be forced to play the role of censor, especially when offering links to information that was already published.
Data controllers have significant obligations relating to the storage and use of personal information. The decision greatly increases the responsibility of search engines for search results containing personal information and may also have serious implications for how search engines present data in the future.
Google has since posted a web form enabling individuals to request the removal of URLs from the results of searches that include their name where those results are inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed.
The decision also has wider implications outside the search engine sector. The ruling means that service providers set up in an EU country are subject to that country’s data protection laws for a related service targeted to that country even if that processing takes place elsewhere. This will be the case where the processing of personal data occurring outside the EU may still be considered to be "in the context of" an EU establishment.