The European Union's top court this week ruled that Google and other Internet search providers must honor certain individuals' requests to remove links to personal information appearing in search results.

The Court of Justice of the European Union (ECJ) essentially upheld the so-called “right to be forgotten,” which gives users the right to ask that personal information about them be removed from search results if, as the ruling stated, the information is “inadequate, irrelevant, or no longer relevant.” The court  said the right applies even in cases where the information is not erased beforehand or simultaneously from the web pages themselves, and even when the information's publication on those web pages is lawful. The ruling distinguishes between private citizens versus those considered to be public figures.

Search engine providers must reach “a fair balance” between legitimate interest in the information and individuals' rights, with the individual rights generally carrying more weight, the court ruled.

The ruling applies to Internet companies operating in the EU, including Google, Yahoo, Microsoft's Bing, and social media sites like Facebook.

The case was brought by Spanish citizen Mario Costeja González, who objected that a search on his name turned up links to 1998 newspaper announcements of a real estate auction following proceedings against him for unpaid debt. Costeja González lodged a complaint against Google Spain and Google Inc. in 2010, with the Spanish Data Protection Agency (AEPD), arguing that the matter had long been resolved and was irrelevant. The Spanish agency sided with Costeja González, but Google asked that the decision be annulled by the courts.

The court ruling states that individuals may take their requests directly to the search engine providers. If requests are not granted, individuals may seek intervention from the relevant national supervisory or judicial authority.

Privacy advocates hailed the decision while free-speech advocates claimed the decision amounts to censorship. Industry experts said the decision could be a logistical nightmare for the companies involved, as they potentially face an avalanche of removal requests and must figure out a method of handling the requests.

A spokeswoman for the Spanish Data Protection Agency told Reuters the case was one of roughly 220 similar complaints lodged against Google regarding removal of personal information from search results. She welcomed the court ruling, saying it would put an end to “the ferocious resistance” by Google to comply with her agency's decisions.

A spokesman for U.S.-based Google told Reuters the company was disappointed with the ruling, especially since it reversed a non-binding opinion from the top court's adviser last year, which sided with Google on free speech grounds.

“We are very surprised that (the ruling) differs so dramatically from the Advocate General's opinion and the warnings and consequences that he spelled out,” Google spokesman Al Verney told Reuters. “We now need to take time to analyze the implications.”

John Armstrong, a lawyer with CMS Cameron McKenna LLP in London, told Bloomberg that the ruling's impact may be felt not just by search engines, but by the press, social media sites, and other businesses publishing links to personal data online.

“Any individual will be able to require any of the businesses affected to re-examine whether” they should continue to provide access or link to the information, Armstrong was quoted as saying.

It is unclear what if any impact the ruling may have on European lawmakers as they grapple with an overhaul of data protection rules. In 2012, the European Commission endorsed the “right to be forgotten” for individuals. European Parliament passed a preliminary version of the overhaul, which still requires approval from Member States.

European Commission Vice President for Justice Viviane Reding posted on her Facebook account that the ruling is a “clear victory” for Europeans who want to protect their personal data.

“Today's judgment is a strong tailwind for the data protection reform that the European Commission proposed in January 2012, as it confirms the main pillars of what we have inscribed in the data protection regulation,” Reding wrote. “No matter where the physical server of a company processing data is located, non-European companies, when offering services to European consumers, must apply European rules.”

Topics