After years of attempts by Brussels to tighten up Europe’s data privacy rules in the face of US lobbying, yesterday (13 May) the European Court of Justice (ECJ) achieved that effect by backing a ‘right to be forgotten’ against Google, in a blow for the search engine and advisers Cleary Gottlieb Steen & Hamilton.
The court in Luxembourg found that in certain circumstances individuals can request that operators remove the links that appear during searches of their name, meaning that Google will now need to set up a technical solution to a potential minefield of requests.
A team from Cleary led by Brussels-based partner Francisco Enrique Gonzalez-Diaz represented longstanding client Google, in a case that stemmed from a complaint lodged by Spanish national Mario Costeja González against Google in 2010, who contended that when his name was typed into the search engine, the results would display links to newspaper reports showing an auction notice of his repossessed home. González argued that since the proceedings concerning him had been fully resolved for several years and that reference to him was entirely irrelevant, the data should no longer appear in the results.
This is the latest instruction by Google of Cleary, which acted on the search engine’s $12.5bn acquisition of Motorola Mobility including 17,000 patents and marks in 2012, constituting the company’s largest-ever acquisition. The firm also represented Google on multiple other acquisitions including Wildfire, AdMob, Admeld and ITA Software.
Significantly, the ECJ rejected the submission that Google does not exercise any control over personal data published on the websites of third parties, finding that an internet search operator is a ‘data controller’ and subject to data privacy rules. While the operator does not have to comply with every request and deletion is subject to certain conditions, an individual can ask their national data-protection authorities to order links to information be removed if the operator does not comply.
Yesterday’s surprise ruling will have significant implications not only for search engines across Europe, but potentially other publishers of personal information.
Former Field Fisher Waterhouse partner Stewart Room, who is currently acting as director of The Cyber Security Challenge UK and is set to join PwC Legal in October to head up its cyber and data security business, said: ‘The judgment, which should apply to technology companies with equivalent powers, such as social networks, does not place a distinct, pre-emptive monitoring role on Google, but it will effectively achieve this result, because Google will be forced to put in place complex systems for data reviews in light of the inevitable deluge of complaints that will follow from citizens all around the world.’
The decision is in marked contrast with the conclusion of the European Union’s advocate general Niilo Jääskinen, who said last year that there was no right to be forgotten under current data protection laws and search engines were not obligated to withdraw information.
One in-house senior data privacy lawyer commented: ‘Unusually, [the ECJ judgment] ignores the earlier Advocate General’s non-binding guidance – which was pro-Google.
‘There is no appeal from this decision because it’s not determinative of the issue before the Spanish court. However, this statement of what the law means now goes back down to the Spanish court to overlay on the facts of the particular case it is hearing. Google could appeal the decision which the Spanish court reaches provided there’s locus for an appeal.’
Room added: ‘The irony, if there is one, is that the EU Commission rolled back its proposals following intense lobbying by the US technology sector. I expect that there were some rye smiles on the faces of Brussels’ bureaucrats yesterday afternoon.’