By Dan Cooper, Mark Young and Kristof van Quathem
On May 13, the European Court of Justice (the “Court”) handed down an important judgement in a referral from Spain’s National High Court involving Google, a Spanish national, and the Spanish data protection authority (Case C-131/12). The decision has wide-ranging consequences regarding the application of EU data protection laws and the rights individuals are afforded under those laws.
In brief, the Court was asked to answer several questions about Google’s responsibility under EU data protection laws in relation to its online search engine. The Court interpreted the applicable law rules under the EU Data Protection Directive 95/46/EC (the “Directive”) very broadly, holding that Google Inc. is directly subject to Spanish data protection law. The Court also decided that Google is obliged, in certain circumstances – e.g., where information about an individual is inaccurate – to delete web search results that link to web pages containing information relating to that person. Further, where an individual requests it, Google must delete search results that link to information about an individual where the information – even truthful information – is prejudicial to the individual or that he or she wishes to be “forgotten” due to the passage of time. The Court appears to accept that providing access to such information for longer periods of time may be appropriate for high-profile individuals, such as celebrities.
The Court’s landmark decision has dominated headlines and is bound to spark a deluge of analysis and criticism, particularly in relation to issues concerning access to information and censorship. For many international companies that process personal data and have affiliates in Europe, the most significant element of the judgement may prove to be the Court’s finding on applicable law rules, which undoubtedly presents a compliance challenge.