Friday, May 16, 2014

EU’s Judicial Ruling on “Right to be Forgotten” (Takedown Rights) for Claims by Individuals against Search Engines, and Implications

A recent ruling by the Court of Justice of the European Union (CJEU) has potentially far reaching implications for data privacy in support of an individual’s “right to be forgotten” online both inside and outside the European Union.  Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González (CJEU, May 13, 2014).

It raises serious liability issues for every Internet search engine and international data collection company. To the extent that increased compliance costs will be passed on to advertisers, the opinion increases the cost of doing e-business with EU customers and could increase prices for consumers.

Responsibilities of A Search Engine as a “Data Controller” under EU Privacy Law.  In the case in Spain, which prompted this ruling, a man requested that Google Spain remove the links to old newspaper articles, lawfully published, which were no longer relevant to his situation, but could create a negative impression of him when read.  Google refused, claiming that a search engine creating links to the content of other websites is not the “data controller” but merely an intermediary in relation to third party websites and could neither monitor nor remove this data.

In addition, Google alleged that it was not subject to the 1995 EU Data Protection Directive because its search engine was in the US and it did not have a nexus on EU soil.  Google Spain’s office only sold advertising.

The Spanish court ordered Google to remove the links. Google appealed and the court referred the case to the CJEU for an opinion.  In summary, the CJEU opined:

1) Jurisdiction.   Google was subject to the EU’s jurisdiction because the processing of the data was carried out in the context of the activities of its subsidiary located in Spain and directed at EU member states.

2) Redefinition of “Data Controller.”  Google is indeed a “data controller” because while it just processes the data, even more than third party sources, it controls the dissemination of the data and therefore plays the key role in how such information (already available on other websites) affects the personal privacy and data protection of the individual, making it subject to the EU Directive.

3) Right to be Removed from a Search Engine (sometimes, “the right to be forgotten”). The fundamental rights of the individual to privacy and data protection override the right of Google for economic gain and the right of the public to access this information unless it is in the public interest to do so (as in the case of a public figure).  The individual should be entitled to go to search engines and request that links that were “inadequate, irrelevant or no longer relevant” be removed.

Impact within the EU.
Impact on Search Engines. The decision will reduce the ability of search engines to publish links to personal data of complaining European nationals, will add operating costs for search engines and potentially increase litigation where search engines refuse to “take down” personal data about ordinary citizens.

Impact on EU Data Protection Authorities.   The Google Spain  decision will require each European Data Protection Authority to balance policy factors of free speech versus personal privacy.  This will result in costly, complex and policy-based decisions by administrative bodies, a nightmare for both administrators and litigants.

Impact on Non-EU Web Services Companies.
Jurisdiction.  If you have a “sales subsidiary” in an EU country, your e-commerce operations will now be subject to the full direct application of EU data protection and personal privacy rights, even though your servers, operations and accounts are outside the EU.  The concept of EU judicial jurisdiction over foreign companies in data protection and privacy now looks analogous to broad U.S. federal constitutional limits on judicial jurisdiction, where your “presence” plus your “purposeful availment” of activities in a foreign state will subject you to the jurisdiction of the foreign state under “long arm” statutes.  If there was any doubt, it is now clear that running an e-business globally will subject you to local long-arm jurisdiction on data protection and privacy.  The irony here is that you might be properly outside the taxing jurisdiction (under traditional norms of international jurisdiction within the definition of a “permanent establishment” in tax treaties) while being subject to long-arm jurisdiction for regulatory compliance and privacy torts in a foreign jurisdiction.

Vicarious Liability of the Search Engine as Data Controller without Primary Liability of the Offending Websites whose Sites are Linked by the Search Engine.   One key irony of this decision is that the website publishing the “offensive” “personal data” is not mandated to take down the individual’s “personal data,” but that the search engine that multiplies the number of people who access such content is deemed the “data controller” held liable to honor the “fundamental rights” of the individual.  The ruling imposed vicarious liability for making links but not direct liability for publishing the “private” personal information.

Developing Best Practices for Compliance.   Assuming a search engine accepts a takedown notice as a matter of policy, how can it comply?  How can it be certain that the complaining individual is entitled to a takedown?  If any discretion is involved, it will gum up web commerce.  If no discretion is involved (and one can make new rules that favor takedowns), the technology that allows “opt-outs” and “unsubscribes” can be reconfigured to allow takedown notices.  But the costs of verification of the identity of the affected party will have to be borne by someone, and the decision is one more step towards balkanization of the Internet for free speech and e-commerce.

Impact on US-EU Free Trade.   Privacy law has become a trade barrier of sorts.  The CJEU decision interferes with attempts at harmonization of privacy rights under the pending negotiations for the Transatlantic Trade and Investment Partnership between the US and the EU.  To the extent the Data Protection Directive (1995) and the proposed “General Data Protection Regulation” fail to provide some form of US safe haven (beyond the existing one), the Google Spain decision will likely promote more compartmentalization, less international commerce in data processing services and more localized separate computing environments (e.g., a local “EU Cloud”).

Penalizing the Wrong Business.   The Google Spain decision on data protection and privacy gives preference to privacy rights over freedom of expression.  It punishes the business that links Internet searchers to a validly published Internet website. It adopts a bludgeon against the business that scrapes information from other websites, not the “offending” websites.   The decision punishes the wrong business.

No comments:

Post a Comment