Data Protection

Google data protection issues with right to be forgotten

Google data protection issues might increase as a consequence of the ruling of the European Court of Justice that obliged search engines to remove the link between search results and a webpage if it contains information the individual deems should be “forgotten“.  But it is argued that this decision might have relevant consequences also for the development of technologies based on Big Data including Internet of Things and wearable technologies.In the decision the Court held that:

  1. Indexing information by a search engine is “processing of personal data”;
  2. Google is a “controller” of such personal data;
  3. Local data protection laws are applicable, even if indexing happens in the US when the local entity is promoting and selling the advertising space on the search engine;
  4. Google should remove links to webpages containing personal data, even if the webpages themselves are lawful; and
  5. A fair balance should be sought between the legitimate interests of search engine users and the privacy rights of individuals.
The dispute arose in 1998 when a major Spanish newspaper published two short announcements about a real estate auction due to social security debts of a Spanish citizen. In 2009, this person contacted the newspaper, complaining that the announcements appeared in Google searches of his name.  He argued that the search results were damaging his reputation and that the attachment proceedings relating to his social security debts had been resolved many years ago.  He asked the newspaper to block the pages with the announcements from being indexed by search engines.  The newspaper declined to remove the offending content, stating that publication had been ordered by the Spanish government.
The person then contacted Google in 2010 and filed a complaint with the Spanish data protection authority that agreed to take on the case and sued Google.  The Spanish data protection authority took the view that it has the power to require the withdrawal of data and the prohibition of access to certain data by the operators of search engines when it considers that the locating and dissemination of the data are liable to compromise the fundamental right to data protection and the dignity of persons in the broad sense, and this would also encompass the mere wish of the person concerned that such data not be known to third parties.
The European Court of Justice ruled that Google is not a mere processor but also a controller of personal data on third party web pages, because Google decides upon the purposes and the means of the indexing activity.  Likewise, the Court held that indexing information by a search engine is “processing of personal data” for data protection law purposes.  The consequences of such position have been undervalued by some commentators, while others stressed that – if this is the case – such position might have relevant consequences for companies relying on Big Data to provide marketing services.
Indeed, if the collection and indexing of information from the web pages which include also web pages on social media (e.g. a Facebook comment revealing my preferences or a Tweet on my favourite football team) are meant to be data processing and the entity performing such activity is a data controller, it might be discussed whether such conduct requires a prior consent from the relevant individuals which would be clearly unmanageable.  Likewise the same issue might arise in relation to Internet of Things and wearable technologies in which the level of services provided users often depends on the amount of information collected from different sources.
But another relevant issue of the decision is that, according to the European Court of Justice, despite the fact that the indexing was performed through servers located in the US, Google was subject to Spanish data protection law since it has a Spanish subsidiary based in Madrid that promotes and sells advertising space for the search service and because the company targets its search services at the Spanish public.
This is interesting evolution of the position as to the applicability of European data protection laws to non-EU entities since it might imply that the mere targeting of customers located in Europe and the usage of local marketing agencies might trigger the circumstance that the entity is subject to local data protection laws and therefore it has to comply with its obligations!  This means that most of the US Internet companies that have a mere marketing office in the main European countries might all of a sudden become subject to European data protection laws.The uncertainty on the matter will be sorted with the coming into force of the new EU Privacy Regulation that will make companies subject to the data protection laws of the country of the recipients of the services.  However, such decision might oblige non-European companies to speed up their privacy compliance programs to avoid fines that under the new EU Regulations will be equal up to 5% of the global turnover.
We shall see the developments of the matter, but feel free to contact me, Giulio Coraggio ([email protected]), to discuss.  And follow me on my Facebook pageTwitterGoogle+ and become one of my friends on LinkedIn.

Don't miss our weekly insights

Show More

Giulio Coraggio

I am the head of the Italian Technology sector and the global head of the IoT and Gaming and Gambling groups at the world-leading law firm DLA Piper. IoT and artificial intelligence influencer and FinTech and blockchain expert, finding solutions to what's next for our clients' success.

Related Articles

Back to top button