Out-Law News | 21 May 2014 | 3:27 pm | 2 min. read
Last week the EU's highest court, the Court of Justice of the EU, ruled that Google's search business is a data controller and that it is therefore subject to Spain's data protection regime. As a result it also found that the company, and similarly structured businesses, must comply with the qualified 'right to be forgotten' that individuals enjoy under EU data protection laws.
Under those laws, organisations are generally allowed only to collect and store personal data that is strictly necessary and proportionate for its purposes. An individual has the "right to obtain, at his request ... the rectification, erasure or blocking of data which are incomplete, inaccurate or stored in a way incompatible with the legitimate purposes pursued" by organisations responsible for, and in control of, their personal data, known as 'data controllers'.
The CJEU said that search engine businesses have a general duty to stop lawfully published content being available to read via their search rankings where individuals seek the erasure of their data from those indexes. This duty even extends to information that may not be prejudicial to a person’s interests. However, it said that there would need to be a balancing of the privacy rights with the right of freedom of expression and that therefore, particularly in cases where requests stem from public figures, there may be grounds to refuse to takedown references to their data.
The Information Commissioner's Office (ICO) has now outlined how it will prioritise its own handling of complaints about the way in which search engines' deal with 'right to be forgotten' requests. However, it said it recognised the "logistical and technical" challenge search engines face in complying with individuals' 'right to be forgotten' and said they need to be given time to develop and implement those solutions for managing such requests before it steps in to resolve complaints.
"This judgment was only made last week, and the companies will need some time to work out how they’re going to handle this," David Smith, deputy information commissioner and director of data protection at the ICO, said. "We won’t be ruling on any complaints until the search providers have had a reasonable time to put their systems in place and start considering requests. After that, we’ll be focusing on concerns linked to clear evidence of damage and distress to individuals."
The ICO also said that it would push for consistent guidance to be issued by data protection authorities (DPAs) from across the EU on how the judgment of the CJEU should be interpreted and applied.
"We believe the judgment provides space to strike a balance between the right to privacy and the public’s right to know, recognising the role search engines play in facilitating access to information in today’s society," Smith said. "Guidance will be needed from data protection authorities to ensure search providers take the right approach. We will be discussing this issue with our fellow European Data Protection Authorities in the Article 29 Working Party at the start of next month, to ensure a consistent approach is taken across Europe. Once we have done that we will be speaking to the main search providers established in the UK."