A non-binding opinion handed down earlier this month by the Luxembourg-based Court of Justice of the EU (CJEU), the European Union’s highest legal authority, is roiling the business community. While the opinion needs the approval of all 28 EU governments before it can become legally binding, there’s already a lot of online chatter about the potential blowback to businesses operating in the EU.
The case followed complaints in March 2010 from Mario Costeja Gonzalez, a Spanish lawyer, who said that when Google’s search results revealed details on an auction of his repossessed home in a local newspaper (La Vanguardia), it infringed on his privacy rights. CJEU ruled that people have the “right to be forgotten” and can ask Google to remove some sensitive information from Internet search results. Tech companies, noted the Financial Times, fear it may be “the beginning of a broader assault in which Google would be regulated like a utility.” Or to use an oft-used English idiom, it could be “the thin end of the wedge.”
No surprise then that organizations and associations from all walks of life are now weighing with their two bits/bytes. “Individuals may now have the ability to essentially go in with a virtual black marker and redact their names; it will fundamentally change the landscape not only in the field of privacy, but also in the information economy generally,” said Trevor Hughes, president/CEO of the International Association of Privacy Professionals.
And Marc Rotenberg, who heads up the Electronic Privacy Information Center in Washington, D.C., added “it’s going to create additional burdens for Google and other companies – but that’s the cost of doing business if your business involves disseminating information.”
So should the opinion become law, businesses set up in an EU country to provide a service must thus ensure that any processing of personal data for a related service targeted to that country conforms to EU data protection laws – even if that processing takes place elsewhere, noted tech law expert Luke Scanlon of Pinsent Masons, a law firm that also publishes Out-Law.com.
“As businesses look to enable their people to ignore borders and are becoming increasingly dependent on people collaborating together wherever they are located, they may now need to review the extent to which services related to personal data processed in one jurisdiction are, in the words of the court, ‘served by’ services that take place in other jurisdictions to fully understand their legal obligations,” said Scanlon.
Scanlon said the court’s interpretation also raises the issue of whether regulators and local member state courts will view the judgment as “applying simply to the activities of search engines or more broadly to other activities of global businesses occurring within EU jurisdictions that are in some way related to data processing activities taking place outside the EU.”
In the U.S. reported Reuters, California recently passed a state ‘eraser’ law that requires tech companies to remove material posted by a minor – if the user requests it. The law goes into effect next year and will probably face a court challenge. If the EU opinion is eventually implemented, it could create major headaches – both technical and financial – for Google, and other tech behemoths like Facebook.
To use an often used metaphor, it’s all a bit of a sticky wicket.
Lev Grossman, writing in Time, said the CJEU opinion has delivered a clear signal – “we don’t necessarily have to accommodate ourselves to technology; we can demand that technology adapt itself to us. The past isn’t what it used to be. But maybe it should be.”