Subscribe

RSSAdd blog to your RSS reader

All Topics

Contact Us

212.451.2258

ADVERTISING@OLSHANLAW.COM

EU Right to Be Forgotten Decision May Impact US Data Processing Activities

Online businesses that interact with the EU need to carefully examine their practice to be sure that they are either not triggering EU Data Protection requirements or are in compliance therewith.

The recent ruling by the European Court of Justice against Google and Google Spain relating to the EU Data Protection Directive has generated significant publicity regarding the “right to be forgotten.” The decision is also notable, however, for the expansive view the high court has taken with respect to the EU’s jurisdiction over non-EU data controllers and processors. As such, online businesses that interact with the EU need to carefully examine their practices to be sure that they are either not triggering EU Data Protection requirements or are in compliance therewith.

Background

The EU Data Protection Directive has the objective of protecting the fundamental rights and freedoms of natural persons (in particular, the right to privacy) when personal data is processed, while removing obstacles to the free flow of such data. The case was brought by a Spanish citizen, Mario Costeja Gonzalez to the Spanish national data protection agency pursuant to the EU Data Protection Directive against a Spanish newspaper publisher and Google and Google Spain. 

The complainant challenged articles published in the newspaper in 1998 that were indexed and linked to from Google and were displayed when his name was entered into the Google search bar. The complainant claimed that his personal information was illegally collected and retained in violation of the data protection directive as the matters were long since resolved. The case against the newspaper was rejected by the agency; but the case against both Google entities was upheld. Google appealed to the Spanish national high court (the Audiencia Nacionale), which in turn asked for an interpretative ruling on the privacy issues from the EU’s Court of Justice, the EU’s highest court.

A summary of the decision can be found here. Briefly, the court ruled that an internet search engine operator is responsible for the processing that it carries out of personal data which appear on web pages published by third parties. Accordingly, if a person's search results display links to a web page which contains information on the person in question, that data subject may approach the operator directly to have them removed. Where the operator does not agree, the data subject can bring the matter before the local privacy authorities. The authorities would then examine whether the links should be removed. In evaluating the request, the authorities need to balance whether the displayed data is inadequate, irrelevant, no longer relevant, or excessive in relation to the purposes for which it was processed and, in the light of the time that has elapsed, as compared to the public interest.

How will the ruling be implemented?

The EU decision was an interpretative ruling. The Spanish court will still have to decide whether there was a compelling public interest in having the links to the articles remain available on Google. If not, the citizen can request that the links to the articles be removed, even if it is against Google’s economic interest to do so. This is likely to be the general process going forward in these types of situations.

When does it go into effect?

The case has been referred back to the original Spanish court for further proceedings with respect to the public interest issue. The overall determination about the meaning of the EU Data Protection Directive in relation to search engines is in effect immediately and binding on other EU search engines.

What does this mean for other business?

Any search engine under the jurisdiction of the EU and/or its member states (Google has operations in the EU, as do other search companies) is bound by the interpretative ruling of the high court. However, the decision has the potential to impact many other businesses located outside of the EU. Google and its data processing activities were well outside the EU, yet Google was found to be subject to the Directive. Other businesses that process EU citizen data outside the EU may now similarly find themselves subject to the substantial compliance requirements of the EU Data Protection Directive despite having separate corporate structures.

Click here to watch Andrew Lustigman’s Arise TV News interview on the subject, beginning at 52:00.  

Back to Page