Yesterday, in a sweeping and dangerous judgement the Court of Justice of the European Union ruled that Google should de-index a lawfully published newspaper article about a Spanish citizen. Access believes the Court erred in increasing liability for intermediaries online, unnecessarily and wrongly pitting privacy against access to information, with an unfavorable result.
Tuesday’s deeply flawed ruling highlights the urgent need to update the current privacy framework to meet the challenges of the digital era. Indeed, this ruling is an interpretation of the Data Protection Directive, an outdated piece of legislation passed in 1995, when only 1% of Europeans had access to the internet.
Perhaps the most dangerous finding in this case was that private citizens can have even lawfully published information about them censored. In particular, the Court ruled that because search engines make information easier to find, search results can be asked to filter results, even though the information in question was lawfully published and would remain online. To be hyperbolic to prove a point, should we also get rid of the internet because it makes it easier to find lawfully published information about a person?
Online services, such as search engines, should not be held liable for the availability of content over which they have no control. From a human rights perspective, internet platforms should not be playing judge, jury, and executioner over the legality of content, nor do we want lawfully published information to be effectively disappeared. Doing so would lead to a perverse incentive to deploy measures such as blocking, filtering, or de-indexing, that would result in the violation of freedom of expression and access to information. Such a scenario could lead internet platforms to implement monitoring technologies like Deep Packet Inspection (DPI) in order to filter out results, a move that would ironically undermine the privacy rights of internet users.
Mitigating the ruling
So how do we mitigate this dangerous ruling? It’s worth noting that the CJEU onlys answers the questions that it is asked. In this particular case, the Court was asked to look at three issues: the territorial and material scope of the Data Protection Directive, and the more controversial aspect on the right to erasure and the right to object, which has been interpreted as the “right to be forgotten.” For more detailed legal analysis on the case, see here and here. Notably absent from this list is a request to reflect upon the implication on the freedom of expression.
Europe is already working on an update to its data protection framework, which will soon make this ruling less impactful. In 2012, the European Commission proposed a General Data Protection Regulation, which would be binding on all 28 member states, and which was passed by the Parliament in March of this year. While the European Parliament version is not perfect, it has adopted amendments on article 17, the right to be forgotten, which provides more safeguards to clarify that intermediaries, such as search engines, would not be held liable for content over which they have no control, like a lawfully published article in a Spanish newspaper.
When the Regulation comes into place, Tuesday’s CJEU ruling will become outdated as its interpretation is based on the 1995 Directive. While a similar lawsuit arising after the DPR passes might still reference Tuesday’s ruling, the Court would likely produce a new interpretation based on the DPR.
A silver lining?
Tuesday’s ruling made explicit the issue of material and territorial scope of EU data protection rules. It explicitly states that US companies with subsidiaries in Europe are bound to uphold the laws of the land, which in this case, is the EU Data Protection Directive. Once the DPR, with its significantly greater protections comes into effect, it will likewise be binding on companies with European subsidiaries.
Moreover, Tuesday’s ruling will likely strengthen the hand of several groups who are currently pressing lawsuits against Facebook, Yahoo!, Google, and Microsoft for their involvement in the NSA’s PRISM program. With this new precedent, it will be difficult to claim that these companies operate exclusively under US jurisdiction, essentially opening the door to remedy for affected EU citizens whose data these companies have handed over to the NSA seemingly in violation of EU law.
The proposal for a Data Protection Regulation is still in the hands of the Council of the EU, the representatives of each member state. So far, progress has been slow and some member states, such as Germany, have been actively blocking progress on the negotiations. It has become clear that what’s stopping a swift conclusion of this dossier is not the content of the Regulation, but a lack of political will. Hopefully this CJEU ruling will jump start the conversation.