The Internet has exploded on an interesting ruling by the European Union’s Court of Justice against Google Spain that affirms the court’s belief that existing EU laws do include the “right to be forgotten.” In short, users have the right to expect that requests to purge information and links on the Internet they do not wish to live in perpetuity, will be obeyed. The ramifications of the ruling are immense, to put it mildly.

There already is a growing volume of news and commentary on what happened, and I recommend the piece by The Guardian as a resource which provides not just comprehensive coverage of what the ruling says, but also reaction from various stakeholders.

Briefly, here is what has transpired:

In an advisory judgment in a test case brought by a Spanish man, Mario Costeja González, the Court ruled that Google Spain under current EU law should be considered a “data controller” because it compiles and presents links to personal information in a systematic way and sells advertising in countries where it has a branch. As such, since European law says individuals have a right of control over their private data, especially if they are not public figures, Google Spain and others (including by extension other EU countries) must consider requests to purge information users want removed.

In the test case, the information Mr. Costeja González wanted deleted related to an auction notice of his repossessed home dating from 1998 on the website of a mass circulation newspaper in Catalonia. He had argued that the matter, in which his house had been auctioned to recover his social security debts, had been resolved and should no longer be linked to him when his name was searched on Google. The judges said that under existing EU data protection laws Google had to erase links to two pages on the newspaper website from the results that are produced when González's name is searched on Google.

A clear signal sent

The European judges did not mince words. They said Google’s contention that it was not a data controller was incorrect. In addition, they explained that not only must Google consider requests for the purging of information that was abusive, inaccurate or unlawfully posted, but that even requests for lawfully posted materials should be subject to deletion after a period of time.

The context for the ruling is complex. EU privacy laws are much stricter than those in many other parts of the world including the U.S., and the battle over whether there is and/or should be a right to be forgotten has drawn lots of attention the past few years.  Internet companies have argued that the cost of them being policemen will have a chilling effect on their business and limit the value of their services to customers. Civil libertarians have said asking the likes of Google to engage in data purging by honoring what are deemed reasonable and legitimate requests smacks of censorship and leads down a very slippery slope in denying people free speech.

The argument on the other side is an appeal to common sense. If we are not public figures who are treated as fair game, we should be able to correct the record and have things we don’t want associated with us forgotten. 

As noted, the EU has been struggling with this, and there are even efforts in the EU to find a compromise by enacting new data protection directives that provide average folks with a limited right to be forgotten that Internet data controllers would have to accede to. The Court, with this ruling, sent an interesting message to policy-makers by saying that right already exits.

As with the current Net Neutrality imbroglio in the U.S. over whether there should be “fast lanes” on the Internet, there is merit in the positions of all sides of this problem. We should be able to have some control over what appears on the Internet when people search for us, but having the likes of Google actually be forced to honor such requests is onerous.

In addition, how this could be enforced is problematic. Keeping track of all of the instances that might eventually arise once something has been posted and likely downloaded and hence could reappear at any time in the future, is a daunting exercise at best and certainly not fail-safe. Who and how such purging gets paid for is also a problematic issue, especially since estimating how many such requests might be made is hard to estimate, especially as the volume of information on social media timelines grows and people evaluate what they really want out there.  There is even the question not addressed that arises because of this as to how long is there a right to be forgotten, should such a right exist?

As cited in The Guardian article, former Conservative shadow home secretary David Davis, who described the decision as “sensible” but only a first step toward people having property rights over their own information, may have said it best: "The presumption by Internet companies and others that they can use people's personal information in any way they see fit is wrong, and can only happen because the legal framework in most states is still in the last century when it comes to property rights in personal information."  

How Europe and for that matter the rest of the world threads the needle on balancing our information property rights against the Internet as an unencumbered forum with valuable information that includes warts and all, remains an open question even with this ruling. There is a lot to be said about trying to prevent everyone and anyone from rewriting history, as counter-balanced by the need to preserve the historic record.

This really does put companies like Google between a rock and a hard place, since the costs of being data controllers could be enormous without a discernible revenue stream to cover it.  All eyes will be on Europe as to how all of this actually gets executed. The ruling is an important milestone in the debate, but the policy discussion is far from over.