Europe’s highest court stunned the U.S. tech industry Tuesday by recognizing an expansive right to privacy that allows citizens to demand that Google delete links to embarrassing personal information - even if it’s true.
The ruling has potentially wide-ranging consequences for an industry that reaps billions of dollars in profit by collecting, sorting and redistributing data touching on the lives of people worldwide. That includes more than 500 million people in the European Union who now could unleash a flood of deletion requests that Google would have little choice but to fulfill, no matter how cumbersome.
The impact on American users was not immediately clear, though companies sometimes seek to adopt uniform policies around the world to simplify compliance. Other U.S.-based tech companies, including Facebook, Twitter, Microsoft and Yahoo, have services that feature information about private citizens and may have to alter their practices in Europe to comply with the precedent set by the Google ruling, legal experts said. The ruling may also inspire similar legal challenges elsewhere in the world.
“It’s a very important decision. It is far-reaching, and it will have a big impact on the Internet industry,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center, a nonprofit group based in Washington. “The European Court of Justice is making it extremely clear that privacy is a fundamental right.”
The case, which grew from the frustrations of a Spanish man unhappy that searches of his name featured links to a tax problem from 1998, hinged on whether the public’s right to know outweighed a private citizen’s desire to leave behind unpleasant personal history - an idea crystallized by the increasingly popular European phrase “the right to be forgotten.”
The EU’s Court of Justice, based in Luxembourg and roughly equivalent to the U.S. Supreme Court, embraced the concept in part; it ruled that even though a Spanish newspaper had the right to publish information online about the man’s tax problems, Google had no right to provide links to it if the man objected.
The distinction drew on the different missions and reaches of the institutions. The Spanish newspaper La Vanguardia was fulfilling “journalistic purposes,” the court said, while Google was merely “processing personal data” in a way that, because of the massive distribution power of the Internet, threatened “fundamental rights to privacy.”
The ruling does recognize a different standard for public figures and for data that has scientific or historic value, but when it comes to information about ordinary private citizens, Internet companies often will have to remove links to personal information upon request - something that could prove expensive and time-consuming.
“It definitely makes Europe a less favorable place for these companies to do business. . . . But that’s a balance these countries are allowed to make,” said Tim Wu, a Columbia University professor who specializes in Internet-related legal issues. “Even though the Internet started in America, I don’t think we get a veto on other countries’ laws.”
Google said Tuesday that it was uncertain on its next move. “This is a disappointing ruling for search engines and online publishers in general,” the company said in a statement. “. . . We now need to take time to analyze the implications.”
Andrew McLaughlin, a former Google policy official who later worked in the Obama White House, called the European decision “a travesty.”
“This strikes me as a typical European-elite ruling that is dressed up as a privacy ruling when it’s really censorship,” he said.
European attitudes toward privacy and data protection are markedly different from those in the United States, where openness is the presumption and courts are reluctant to bar factual information from the public record.
Many Europeans say that their fears are guided by memories of invasive dictatorship - whether Francisco Franco in Spain, the Communist regime in East Germany or Nazi rule over much of the continent. The worries shape personal habits - in Germany, for example, many Internet users still choose email addresses that have nothing to do with their names.
Last year’s revelations about widespread monitoring of electronic communications by the U.S. National Security Agency sparked a furious response in Brussels, where E.U. lawmakers made regulating data a major focus of their legislative agenda. European leaders vowed to take steps to protect their citizens’ online privacy. In Germany, some officials even suggested constructing a German-only network where users could be assured that German laws on privacy and data protection would be obeyed.
“Today’s Court Judgement is a clear victory for the protection of personal data of Europeans!” Viviane Reding, the European Commission member who spearheaded the drive for a data policy overhaul, wrote on her Facebook page Tuesday. “Companies can no longer hide behind their servers being based in California or anywhere else in the world.”
In the E.U.’s 28 nations, the ruling allows citizens to directly petition Google to delete links from search results associated with their names. Should the company balk at any request, citizens could seek help from their nation’s data-protection commission, which already has broad authority to enforce privacy laws. The same information often would remain on individual websites - such as those operated by newspapers - and may also be stored on other sites. Finding it, however, would be far more difficult.
The development marks a strikingly difficult turn for Google, which had been cited in the past for privacy lapses and allegedly monopolistic behavior in the United States and Europe but had escaped with only modest penalties. Tuesday’s ruling, by contrast, may require Google - and probably other tech companies - to establish extensive new systems to receive, evaluate and carry out requests to delete material, a labor-intensive operation that offers no obvious source of new revenue.
The case involving Mario Costeja Gonzalez, which led to the ruling Tuesday, grew from one of hundreds of such deletion requests already submitted in Europe.
Some legal scholars see the push for the “right to be forgotten” as threatening freedom of speech and freedom of the press, especially when information published concerns adults and is true. European data-privacy laws require that information be “up to date” and “relevant” - standards that could be hard to maintain for Internet services that collect vast amounts of information and make it available with little or no human action.
Unflattering search results also have caused unease for people and businesses in the United States, with complaints particularly intense when youthful indiscretions - pictures of somebody drinking too much at a party or a newspaper article of an arrest - linger on the Internet for years.
Those embarrassed by Google links in the United States have little legal recourse, though some companies offer services that purport to improve search results for a fee. A lawsuit attempting to block or remove links to online information would probably conflict with the First Amendment, which confers far broader protections than provided in most other countries.
“If you are a 16-year-old and you do something dumb, there is no way to hit the reset button,” said David Vladeck, a Georgetown University law professor and former head of consumer protection for the Federal Trade Commission. But, he added, “privacy rights shouldn’t be a tool to rewrite history. . . . Who gets to decide whether all these links get deleted?”
Austrian privacy activist Max Schrems, founder of Europe-v-Facebook.org, applauded Tuesday’s court ruling but worried that it may have gone too far in potentially limiting freedom of speech.
“This might be a little too off-balance,” he said, “even from the European perspective.”