How Europe Became Ground Zero in the Battle for the ‘Right to be Forgotten’

How Europe Became Ground Zero in the Battle for the ‘Right to be Forgotten’

In his 2013 novel, The Circle, Dave Eggers articulates a dystopian vision of a world without privacy. In the book, a Google-esque tech giant consolidates the personal information of the world’s Internet users, using search history and video technology to record every keystroke, every concept, every breathing moment in the Digital Age. This Orwellian commitment to transparency is epitomized in the company’s credo: "ALL THAT HAPPENS MUST BE KNOWN."

While Egger’s tyrannical alternative future is a bit hyperbolic, Europe isn’t taking any chances. On Tuesday, the Court of Justice of the European Union (ECJ) ruled that Internet companies must remove certain personal information from searches upon the request of an individual. The decision upheld the complaint of a Spanish man who objected to the Google search results for his name, which revealed a newspaper story about the foreclosure of his home in 1998.

In ruling that Google and other Internet companies can be required to remove data that are "irrelevant" to a given user, the court handed a major victory for privacy activists who argue that people should have the right to be "forgotten" online, or remove traces of their online identity. But how companies will determine what is and is not relevant remains to be seen.

Some experts question whether the ECJ decision hands Internet companies inappropriate power to determine the difference between appropriate erasure and censorship. "Having search engines conduct a public interest test is problematic, not least because they will be challenged to carry out the kind of thorough assessments that can done by courts and other public authorities," said Orla Lynskey, a lecturer in law at the London School of Economics. "I expect the default action by search engines will be to take down information in response to complaints," she said.

The organization Index on Censorship criticized the decision, saying it "violates the fundamental principles of freedom of expression." The ruling, the group said, "allows individuals to complain to search engines about information they do not like with no legal oversight."

But for privacy activists, the decision is momentous, as it provides a significant check against wanton data retention. ‘’This sounds like a landmark judgment,” said Peter Hustinx, a top European Union official for data protection. "The court is saying that Google isn’t just selling adverts in Europe, but is providing content along with those services. If you are a regular citizen, it gives you a remedy anywhere in Europe for you to ask companies to take down content connected to you.”

While the court’s ruling reverses a preliminary 2013 recommendation that backed Google in the case, it’s not without precedent. "The European Union, and its member states, have already taken a much harder line with Google," says Darren Hayes, a professor at Pace University’s Seidenberg School of Computer Science and Information Systems. "A number of recent ECJ decisions are limiting the company’s ability to collect less information about their consumers."

While Edward Snowden’s revelations about NSA data collection injected newfound urgency into the movement to ensure online privacy, EU courts and lawmakers have long been on the vanguard of protecting individuals against digital behemoths. Taken together, European policymakers have shown themselves far more willing to support consumer privacy than their counterparts in Washington. In 2009, the EU passed legislation requiring Internet companies to gain consent before installing most cookies on users’ browsers, limiting the user data sites can retain and share. In May 2013, a German federal court ruled that Google must prevent certain defamatory autocompletes on their search engine. If the company is notified that libelous words are included next a searched name, Google is compelled to block them.

A few months later, a data protection office in Hamburg, Germany, fined Google for hoovering up data from unsecured wireless networks while taking photographs for the company’s Street View service. The company was handed a 145,000 euro fine — a pittance for the company but nearly the maximum allowed under German laws. In a similar case in Italy, authorities handed Google a 1 million euro fine for after Street View cars photographed people without their knowledge. According to Hayes, the European Union and its member states "have meted out millions in fines" against the company.

Europe’s strong stance on privacy is not limited to Google. Last month, the ECJ struck down an EU directive mandating telecom operators to store customer data for up to two years. The directive, which was introduced in 2006 after the train bombings in Madrid two years earlier, was aimed at helping security forces combat terrorists. The court ruled that "by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data."

Last month, the European Parliament updated the initial regulatory framework for online data protection in Europe, which was drafted in 1995, with a law intended to strengthen and streamline the privacy provisions across the continent. (To become law, the regulation must be adopted by the European Council.) The March legislation would codify many key reforms at the EU level, including increasing authorities’ ability to issue fines in antitrust cases and limiting data transfers to non-EU countries. Tuesday’s "right to be forgotten" ruling is part of this broader move toward data protection and privacy in Europe.

All in all, Google has had a hard go of it in Europe — even when it comes to the Internet giant’s latest digital innovation, Google Glass. Last year, the Wall Street Journal reported that Glass was "years away from hitting the European market." And while European lawmakers are surely concerned about the privacy implications of the wearable computer, the reason for its delay have little to do with the data storage: The device’s voice-recognition software, according to the Journal, just can’t understand foreign accents.