ECJ ruling “creates new class of data controllers”
The principles of data protection, privacy and the so-called “right to be forgotten” were in “urgent need of attention” before the controversial decision in Google v AEPD and Costeja-Gonzalez C-131/12, and “a great deal more guidance and litigation is required”, says barrister Jocelyn Ledward, of QEB Hollis Whiteman.
The European Court of Justice ruling split opinions both domestically and internationally. The case, in which a man brought an action for Google to delete an auction notice of his repossessed home, has now been remitted to the Spanish courts.
In terms of legal principles, says Ledward, the decision establishes that search engines “process” personal data within the meaning of the EU Directive 95/46/EC and the data Protection Act 1988. “This has wide-ranging implications for those who have previously been considered neutral third party conduits, in terms of privacy and data protection law, creating a whole new class of ‘data controllers’ who must comply with European data protection regimes,” she says.
The potential territorial impact of the ruling is also key—Google’s marketing activities via its Spanish subsidiary bring it within the ambit of the Directive.
The court recognised there has to be a fair balance between the data subject’s rights and the legitimate interest of internet users in accessing information. It found that Google has responsibility for removing links to web pages.
“This opens the door to large numbers of such requests being made and having to be determined, in the first instance by Google and other search engines, in compliance with a large and complex body of European and national law and regulation, with the prospect of referrals to the national data protection agency and litigation beyond,” notes Ledward.
