Will E.U. Court's Privacy Ruling Break the Internet?

In 2012, a bevy of internet companies and web sites waged a successful campaign against bills in Congress -- the PROTECT IP Act and Stop Online Piracy Act (SOPA) --  meant to combat copyright privacy. In the face of this opposition, the proposals were dropped (although their legacy survives). One of the major claims by the opponents was that the bills would "break the Internet" by requiring the disabling of URLs and removal of online links to sites that include unauthorized uses of copyrighted materials (although not all agreed with this assessment).

Now, the European Court of Justice has issued a decision (summary) that could require search engines to remove links to online information about individuals that is "no longer necessary in the light of the purposes for which they were collected or processed." The court's decision does not discuss how the removal of these links should be accomplished.

The court's decision stemmed from a case brought by Spanish citizen Mario Costeja González, seeking removal from a newspaper's web site images of pages from January and March 1998 that included announcements for a real estate auction stemming from attachment proceedings for the recovery of social security debts owed by Costeja González. He complained to Spain's Agencia Española de Protección de Datos (Spanish Data Protection Agency; AEPD) (Spanish site; English resources), seeking removal of the information from the paper's website and from Google's search results.

AEPD held that the newspaper need not remove the material, since it published it under a legal directive. But it upheld the complaint against Google, saying that Costeja González had the right to shield the information from public view via the search engine. Google appealed to Spain's Audiencia Nacional (National High Court). That court sought an advisory opinion from the European Court of Justice -- the highest court in the European Union -- regarding the applicability of EU privacy laws to the case.

European law embodies a concept of privacy that is in many ways alien to American law, and would be unconstitutional under our First Amendment. This includes a right to bar or recover for publication of true but "private" information that is readily available publicly, and a right to shield dated information, often referred to as a "right to be forgotten."

The question before the court was whether the EU directive embodying these notions (Directive 95/46) applied to Google. This, in turn, depended on whether Google could be considered a content provider. The court held that it was, even though the information that Google collects and displays in its search results is already published online by someone else. Since Google is a content provider, the court held, it is obliged to follow the privacy directive.

Inasmuch as the activity of a search engine is therefore liable to affect significantly, and additionally compared with that of the publishers of websites, the fundamental rights to privacy and to the protection of personal data, the operator of the search engine as the person determining the purposes and means of that activity must ensure, within the framework of its responsibilities, powers and capabilities, that the activity meets the requirements of Directive 95/46 in order that the guarantees laid down by the directive may have full effect and that effective and complete protection of data subjects, in particular of their right to privacy, may actually be achieved.

Google Spain SL v. Agencia Española de Protecc