EU Court Rules Against Google in Data Privacy Case

The European Union Court of Justice has ruled against Google in a landmark case, issuing a directive that puts responsibility for personal data firmly in the hands of search engine operators.

The case's origins trace back to 2010, when Spanish citizen Mario Costeja González lodged a complaint with the Spanish Data Protection Agency against newspaper publisher La Vanguardia Ediciones and against Google, regarding a real estate listing from 1998 that was still visible to the public by searching for González's name. The complaint against the publisher was eventually rejected; the complaint against Google was upheld.

Today, the Court has ruled that collecting and storing data – which it defines as processing – makes the search engine operator the controller of said data, even if it is listed on third-party sites.

The subjects of data may request that a search engine remove links to pages containing their data – essentially, the much-discussed right to be forgotten. If this request is rejected, it can be passed on to a supervisory authority or judicial authority, which will assess whether the subject has a case and act accordingly.

The ruling rejects the argument that the operator is not answerable because its physical servers, which process the data, are located outside of Europe. If the company operates in a European country, it must obey this directive.

“Today's judgement is strong tailwind for the data protection reform that the European Commission proposed in January 2012 as it confirms the main pillars of what we have inscribed in the data protection regulation,” said EU Justice Commissioner Viviane Reding, in a Facebook post celebrating the move. “This is exactly what the data protection reform is about: making sure those who do business in Europe, respect European laws and empowering citizens to take the necessary actions to manage their data.”

Ovum's Schiovani believes the ruling may do more harm than good

“This announcement shows the EU believes end users should have control of their data,” comments Mark Brown, director of information security at Ernst & Young. “It is a very loud wake up call to all those businesses that are hoovering up consumer data and hoarding it for their own benefit.”

“This move may sound reassuring for individuals and their personal freedom,” argues Ovum analyst Luca Schiovani, “however, it also looks difficult to enforce on a large scale, and may be very disruptive for the functioning of search engines going forward.

“Policy makers in the EU have long advocated for the introduction of a clear “right to be forgotten”, which is included in the draft of the new Data Protection regulation under discussion in the EU Parliament and Council. However, these provisions should only apply to the direct controllers of personal data – for example, a social network complying with the request to fully delete information related to an account. Involving search engines for something they are not directly responsible for is likely to entail a burdensome cost, especially if the amount of requests of erasure should escalate in the future.”