‘Right to be forgotten’ ruling creates challenges for Google, other ‘data controllers’

FTC seeks law on data broker transparency
In the U.S., guidance about online data may also change. In May 2014, The Federal Trade Commission urged Congress to pass legislation that allows consumers to understand how data brokers collect and use their data, as well as provide the ability to correct data or opt out of the collection process altogether.

After a review of information pulled by data brokers, the FTC found that these companies collect and sell billions of data points gathered through retailers, social media and other sources. This data primarily helps advertisers target specific buyers, but it could also encourage discrimination because of the way the data brokers segment consumers into racial, socio-economic and political categories.

FTC Chairwoman Edith Ramirez stated, “This is an industry that operates in the dark... The sheer magnitude of what's taking place I think is quite astonishing.”

The commission plans to work with Congress to pass legislation on brokers’ transparency, long requested by consumer advocates.
The European Union’s (EU) highest court recently ruled against Google in the case of a Spanish man’s “right to be forgotten.” As a result, Google has been ordered to delete “inadequate, irrelevant or no longer relevant” data from its search results if requested.

This ruling establishes search engines — such as Google or Bing — as “data controllers” under the data protection laws in the EU countries where these companies operate1. Now, Google is responsible for the content it links to and may be required to delete results upon request, even if the material was published legally.

“This is a disappointing ruling for search engines and online publishers in general,” Google said in a statement. “We now need to take time to analyze the implications.”

What this means for data controllers

This creates a real dilemma for any company publishing information online. The ruling may have raised more questions and created more problems than it has solved.
  • Who will define “inadequate, irrelevant or no longer relevant”? People’s desire to control their online reputations will conflict with the public’s desire to know potentially damaging information about them. The court acknowledges this potential problem and is giving some flexibility to the companies that will receive these requests. “The Court holds that a fair balance should be sought in particular between that interest and the data subject’s fundamental rights, in particular the right to privacy and the right to protection of personal data,” said the Court of Justice of the European Union in a statement. The court recognizes that the balance may depend on the sensitivity of the data and the importance of public access to that information. For example, it seems logical to retain information about the past criminal activity of a politician while deleting the same data about a private citizen. However, without clear definitions, there will be discussions and disagreements.
  • The burden of compliance is unknown, but it is likely to be great. Google has already received many requests, and they have started to create a methodology to address them. Shortly after the court’s decision, Google said in a statement: “The ruling has significant implications for how we handle takedown requests. This is logistically complicated — not least because of the many languages involved and the need for careful review. As soon as we have thought through exactly how this will work, which may take several weeks, we will let our users know.” Compliance will likely require added personnel and will generate expenses. Search engines rely on algorithms to provide relevant results; human intervention is usually not required. Manual culling of information requires time and money.
  • As businesses create country- and region-specific methodology to comply with laws, search results will become fragmented. Because Google has operations in Spain, it is subject to the EU court’s decision. So, despite being U.S.-based — where the data is held and the search results processed — it is still under the EU court’s authority. The European Commission’s Viviane Reding addressed that issue: “No matter where the physical server of a company processing data is located, non-European companies, when offering services to European consumers, must apply European rule.” Multinational companies will have to change their global operations to be compliant with local laws. This also means providing different search results depending on a user’s geography. People searching from the U.S. could potentially access information about EU citizens that is deemed private in their locations — an issue certain to raise more discussion.
Next steps
If you operate in the EU or are considering expanding operations there, be prepared for changes. Just as Google and other search engines have to find a way to effectively address the influx of takedown requests, so too will other digital media companies. The EU has been pushing heavily for a new law on data privacy, part of which is the “right to be forgotten” component; guidelines were proposed in January 2012. The EU hopes the principle will extend to social networks.

While the privacy issue is still evolving, and the full repercussions of the Google ruling have yet to be realized, it is important to prepare your company for the coming regulation changes.

1. Stay on top of developments. Even if you are U.S. based, if you have operations in any country in the European Union, you need to stay abreast of the most recent developments.
  • There may be similar laws in the early stages in other countries, and those regulators may be watching to see how the EU situation plays out. If the EU is successful, others may follow with similar privacy regulations.
  • As search engines start to comply, and the courts and the public see how the process develops, the courts may establish a timeline for compliance, as well as consequences for noncompliance.
2. Assess your compliance readiness. Even if you are a digital media company not clearly subject to the rule, it’s best to be prepared. Look at what’s being proposed by the EU, and perform a readiness assessment that maps to the areas addressed in the data rules.

3. Evaluate your internal control structure. Compliance requires a strong internal control environment. Work with your compliance and internal audit staff to determine any gaps or weaknesses and make improvements. Be mindful about how you may have to enhance your controls in order to be compliant.

While Google is disappointed in the ruling, it is preparing for compliance. The ruling addresses the growing international concern from privacy advocates about how much information is available. Clearly, there is more discussion to come. In the meantime, digital media companies will watch and wait — and should prepare.

Download the PDF version (2 pages).

1 According to the EU, persons or entities that collect and process personal data are “data controllers” and must respect EU law when handling the data entrusted to them. See data-protection-data-collection-index for more information.