In 1998 an article was published in a Spanish newspaper about Mario Costeja González’s house being auctioned due to debts.
In 2010, Mr González brought a case against both the newspaper and Google for linking to it, arguing that news was no longer relevant and breached his rights to privacy.
Yesterday, the European Court of Justice ruled that Google is required to remove links to this article in their search results. The newspaper was not required to withdraw or amend the article. The press release setting out the ruling can be found here.
Let’s consider what Google actually did – their servers scanned publicly available websites, saw the news article, and indexed it in their databases for search. This means that when someone searches for the man’s name, the news article appeared in the list of search results.
The Court ruled that:
A search engine operator is responsible for the processing that it carries out of personal data which appear on web pages published by third parties
It also ruled that individuals can request the removal of personal data which is “inadequate, irrelevant or no longer relevant”.
This has big implications, not just for Google, but for anyone linking to or using third party content on the internet.
Publishing vs linking
Let’s be clear, it’s important that personal data is protected.
When you give your data to a third party service, they should protect it and only use it in ways that you consent to. A right to be forgotten when using social media or any online service could be a useful tool.
But that is not what this is about.
This is not about a user trying to take their data off Facebook or close their Twitter account – it’s about making publicly available information harder to find, and placing the liability on any platform that links to it.
As Eddie Copeland from Policy Exchange has written, this “seems to open the door for anyone to challenge almost anything that is written about them online”.
Others have powerfully made the case for why this represents a major threat to freedom of speech – take a look at Jimmy Wales’ tweets or this article in the Atlantic. Those concerns are hugely important, but my contribution to the debate is to consider the impact on startups.
The rise of tech compliance?
Startups find innovative ways to use data, whether publicly available or proprietary, to deliver benefits for consumers. This is what Google did when they came up with their search engine, and what a new generation of startups continue to do.
We should be encouraging this innovation and protecting publishers – whether it’s traditional news platforms (could Mr Gonzalez request TechCityNews take down this article?) or startups coming up with new search algorithms or data mining techniques.
Google will now be inundated by requests to remove links to a multitude of webpages which people don’t like, and then required to adjudicate whether personal data contained is “inadequate, irrelevant or no longer relevant”.
I don’t think they should have to – but Google can probably cope with the cost of setting up a new compliance unit, the legal challenges etc. But this extends far beyond Google, and it can only be a matter of time before similar requests go to other platforms and services.
Deciding such issues on a case-by-case basis will require huge teams of compliance staff in every tech company (and probably most media companies).
Startups simply can’t afford this, and won’t take the risk.
This introduces a major barrier to entry for those wanting to innovate online. Policymakers should take note, and ensure that the forthcoming EU Data Protection reforms sets a new direction.