Google and other search companies can be required, under some conditions, to remove outdated and harmful information about individuals that can turn up in online searches, according to a new ruling by the Court of Justice of the European Union.
The ruling is a stunning reversal of an earlier opinion by an adviser to the Court of Justice of the European Union in June 2013 that said Google should not have to delete information from its search results when old information is pulled up that is damaging to individuals.
In its May 13 ruling on the matter, the full Court said that Internet search engine operators are in fact responsible for the processing of personal data that appears on Web pages published by third parties and must remove or correct the information in some cases. “Thus, if, following a search made on the basis of a person’s name, the list of results displays a link to a Web page which contains information on the person in question, that data subject may approach the operator directly and, where the operator does not grant his request, bring the matter before the competent authorities in order to obtain, under certain conditions, the removal of that link from the list of results,” the decision states.
In the 2013 case, a man in Spain had argued that Google searches of his name had uncovered a then-15-year-old announcement in a newspaper describing how a property he owned was up for auction because of nonpayment of Social Security, the court stated. The man wanted Google to remove the old information, which was damaging his reputation, according to the earlier case. The Spanish court originally accepted the man’s argument and ordered Google to remove the information from its search results. Google then appealed that decision and received the favorable opinion from the Court of Justice adviser, who ruled that the original Spanish court decision was wrong.
The latest Court of Justice action, however, trumps the original opinion by the court’s adviser. That means that Google and other search engine operators might have to make changes in such cases in the future and comply with some requests by individuals to remove old, outdated personal information.
The court’s decision is not the final word on the matter at this point, though, because the member nations of the EU must approve the ruling to make it law, according to a Reuters report on the action.
Google and other search engine operators must comply with certain removal requests because they are the “controller” of the information in the processing of the Web page data for display, the court ruled.
“The Court holds that the operator is, in certain circumstances, obliged to remove links to Web pages that are published by third parties and contain information relating to a person from the list of results displayed following a search made on the basis of that person’s name,” the decision states. “The Court makes it clear that such an obligation may also exist in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.”
In response to an eWEEK request for comment on the EU court’s ruling, a Google spokesman wrote in an email, “This is a disappointing ruling for search engines and online publishers in general. We are very surprised that it differs so dramatically from the Advocate General’s opinion and the warnings and consequences that he spelled out. We now need to take time to analyze the implications.”
Google has been in the legal crosshairs on privacy issues around the world for some time. In May 2012, French regulators accused Google of not being cooperative with investigators looking into privacy issues concerning the company and its practices there. France’s National Commission for Computing and Civil Liberties (CNIL) had sent Google a questionnaire about the new privacy policy in March 2012, but the agency complained that Google’s answers were “often incomplete or approximate.” A follow-up survey also left questions remaining.
In January 2014, the CNIL hit Google with a $204,200 fine in connection with changes Google made to its data policies in 2012 that continued to be in conflict with the French Data Protection Act. The fine was the highest financial penalty ever assessed at that time by the French data protection agency. The CNIL’s decision related to Google’s move back in March 2012 to merge many of the company’s privacy policies into one overarching policy for some 60 Google services, including Google Search, YouTube, Gmail, Picasa, Google Drive, Google Docs and Google Maps, according the CNIL.
In April 2013, France and five other European nations had announced that the slow pace of Google’s progress on privacy issues caused them to plan their own steps to ensure improved data privacy for their citizens.
In January 2012, Google announced major changes to its data privacy policies, which folded 60 of its 70 previously separate product privacy policies under one blanket policy and broke down the identity barriers between some of its services to accommodate its then-new Google+ social network, according to an earlier eWEEK report. Google’s streamlining came as regulators continued to criticize Google, Facebook and other Web service providers for offering long-winded and legally gnarled privacy protocols. The Google privacy policy changes went into effect March 1, 2012.