EU Court Backs 'Right to be Forgotten'ENISA Praises 'Landmark Decision' in Google Case
Internet users in the European Union can ask Google and other search engines to remove certain sensitive information from Internet search results, Europe's highest court ruled on May 13.
See Also: The Evolution of Email Security
"This is a landmark decision for the privacy of EU citizens," says Udo Helmbrecht, executive director of ENISA, an agency who's role is to enhance the cybersecurity prevention work of the EU and member states. "It is a fundamental ruling ... namely how we deal with our personal data and the digital tracks we leave behind."
The ruling, handed down by the Court of Justice of the European Union, states the "operator of the search engine ... is, in certain circumstances, obliged to remove links to Web pages that are published by third parties and contain information relating to a person from the list of results displayed following a search made on the basis of that person's name."
The court's ruling on the "right to be forgotten" stems from a case involving a man in Spain who argued that Google's search results disclosed details about the auction of his repossessed home over unpaid debts. "[The man] stated that the proceedings concerning him had been fully resolved for a number of years and that reference to them was now entirely irrelevant," the ruling states.
Google, in a statement provided to Information Security Media Group, said: "This is a disappointing ruling for search engines and online publishers in general. We now need to take time to analyze the implications."
Analysis from ENISA
The court's ruling falls in line with ENISA's earlier recommendations around the right to be forgotten, Helmbrecht says. Specifically, ENISA said search engine operators and sharing services within the EU should be required to filter references to forgotten information stored inside and outside the EU region.
"This is a positive step in the correct direction," Helmbrecht says. "You as a citizen should be able to delete your own old data or photos online, just as you do with printed paper."
Helmbrecht says it will be interesting to see how search engines implement the court's ruling, since the verdict only affects European citizens. "This is an important first legal step to regulation, to develop the legal right for the citizens to delete their data ... a process which is just in the beginning," Helmbrecht says. "We would like to have a global legal system for the Internet which is prepared for the future. This is a fundamental issue for our society."
EU Justice Commissioner Viviane Reding, the European Commission's vice president, said on her Facebook page May 13 that the judgment is a "clear victory" for the protection of Europeans' personal data.
"Companies can no longer hide behind their servers being based in California or anywhere else in the world," she wrote. "Today's judgment is a strong tailwind for the data protection reform that the European Commission proposed in January 2012 as it confirms the main pillars of what we have inscribed in the data protection regulation. The ruling confirms the need to bring today's data protection rules from the 'digital stone age' into today's modern computing world."
Privacy attorney Francoise Gilbert of the U.S.-based IT Law Group notes: "This ruling should make it easier for individuals who seek the removal or blocking of links to information that they find offensive, irrelevant or obsolete to obtain redress if the search engine ignores their request."
The fundamental question in this type of case, Gilbert says, "is finding a balance between the public's right to have access to any information that has been legally published, and the individual's right to obtain the blocking of data that might be inadequate, not relevant or no longer relevant, or excessive in relation to the purpose for which they were processed, and in the light of the time that has passed.
Trevor Hughes, president and CEO of the International Association of Privacy Professionals, says the EU court's ruling presents an "incredibly complicated issue [that's] being dropped into an incredibly dynamic and multi-faceted and technological business world. It's impossible to assess today all of the potential implications of this decision and potential implementations. Much remains to be seen, and I think there will be much analysis done to get a clear picture as to how significant this actually is."
The ruling changes the risk landscape for not only services that are publishing information as first-party original content, but any service that aggregates data from other websites, such as Facebook, Twitter and search engines, Hughes says. "This is an incredibly significant decision for all of them."
Hughes says momentum continues to grow for the rights of individuals to control, manage and have authority over their data. "Ensuring that systematically your organization has the ability to address that type of access to data is going to be very important," he adds.The European Commission has proposed data protection reform to overhaul the EU's 1995 data protection directive (see: EU Data Protection Reform Endorsed). But despite the European Union Parliament's recent endorsement of a proposed rewrite of Europe's vaunted privacy rules, the rewrite remains stalled, and the situation likely won't be resolved this year (see: EU Privacy Rules Rewrite Still Stalled).