Luxemburg court of Justice for European Union has delivered a very controversial verdict on internet privacy last week (13^th of May 2014). The specific verdict refers to a section of the privacy law that defines a concept of “Right to be forgotten” which allows individuals the right to remove personal information available on the internet if there is no legitimate ground to retain it. The verdict has been heavily criticized by the advocates of freedom of information and welcomed by the staunch privacy supporters.

The case in point here is related to one Mario Costeja Gonzalez, a resident of Spain who had to auction his house 16 years ago to pay for his social security debts. This information continues to appear on search results, which as per Mario have damaged his reputation. He has been fighting a case against Google for long to remove this specific information from the search results. With this verdict, the court has agreed with his reasoning and asked Google to remove this content from its search results.

The verdict has a far reaching implication on how personal information might get censored in future, particularly for individual living within European Union. Interestingly enough, the proposed legislation, which formed the basis of this verdict, is barely in its draft stage. Led be Vivian Reading, European commissioner of Justice, the commission released its 1^st draft in January 2012 and is expected to undergo further negotiations among participating countries. The verdict as a result has set a nice precedence on a relatively fledging piece of legislation.

Let us now look at what exactly the draft proposal says about “Right to be forgotten”. On page 26 point 53 of the draft it states the following

“Any person should have the right to have personal data concerning them rectified and a ‘right to be forgotten’ where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed”………. “However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them.”

Overall, we can summarize the concept as the following. “If individual’s right to erase his personal information is higher than that of public’s interest right to find it, data could be asked to be deleted”.

Personally I like the concept of individual data privacy. No one likes a personal mistake committed decades ago to hang around the neck and spoil his/her entire life. This is even more important for cases where unauthorized personal data such as pornographic material is distributed through the internet which ruins many lives.

However, all cases may not be that straightforward, the question therefore is who and how it is decided whether in a particular case individual’s right is bigger than the public interest?

To understand how the legislation propose to tackle the above question let’s first understand a few important concepts of the legislation.

As far as who is the responsible party that will be held accountable for removal of data from the internet, the legislation introduces a concept of an entity called “data controller”. In this “right to be forgotten” law the buck literally stops at the data controller who seems to have all the responsibility to establish and execute the law. The law defines data controller as the following:

“controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data”.

 We all know that Google data search is highly contextual; it controls the output through a very well defined process. Hence by definition it is a data controller. Interestingly enough, the privacy law does not touch upon the publishers at all as source of information and that is why some of the concepts seem confusing. For example point 53 on page 26 talks about deleting data or restricted access. Google or any other search engine may not have any jurisdiction for deleting any content except may be cashed data. All it can do is take down the links to the data.

The draft also has a concept of data processor that process data on behalf of the controller. In this case also the responsibility is with the controller. So if someone uses personal data derived through Google search and use that data, the responsibility will still be with Google.

However the most revolutionary part of this legislation comes on page 27 point 56 on burden of proof.

 “In cases where personal data might lawfully be processed to protect the vital interests of the data subject, or on grounds of public interest, official authority or the legitimate interests of a controller, any data subject should nevertheless be entitled to object to the processing of any data relating to them. The burden of proof should be on the controller to demonstrate that their legitimate interests may override the interests or the fundamental rights and freedoms of the data subject.”

On top of this burden of proof argument is the case of financial penalty. Article 79 that states supervisory authority, talks about a fine up to 500 000 EUR for individuals, or in case of an enterprise up to 1 % of its annual worldwide turnover. This fine is imposed to anyone who, intentionally or negligently does not comply with the “right to be forgotten” act.

To illustrate, if I want any of my personal content to go out of internet, I will ask Google to remove it. Google will have to decide whether my personal right is higher than public interest. If they don’t remove my data link, I can file a case against them and if they lose they will have to pay 1% of their annual turnover as fine.

Now Google specifically has very good takedown process of pirated content from the internet. Hence they may not have any problem in taking down the content if someone wants to do so. The problem is determining them on a case by case basis.

First Google will have to confirm the identity of the requestor. Secondly it has to establish that by taking down the information it is not violating anyone else’s constitional right. And thirdly, by removing the content it is not compromising any health or security issues. I suspect if Google is to perform all this actions it has to set up an equivalent of FBI and Scotland Yard in additional to employing couple of thousand lawyers in its premise. (In addition to the lawyers they already have)

In summary, while the legislation has a lot of merit, by imposing the burden of proof to the controller and creating a vague legislative structure in which the search provider has to work on, the EU has successfully passed the responsibility to Google. May be EU is hoping that by putting the ball on Goggle’s court, it could force the search giant to come up some proposed formula that could serve EU privacy cause in the long run.

In months to come we are likely to witness all kind of people ranging from financial imposters, crooks, convicted pedophiles to political criminals, who would seek refuge under this law. It would be interesting to see how Google will respond to those requests.

On a brighter side for Google, this might potentially open new business model for them. As more and more personal information is removed from Google search, people who need to run security clearance or journalistic research will probably need to approach the search engine for special closed loop search. These services would typically be business to business where Google already has an established revenue model

The irony of this entire episode is that since now Mario Costeja Gonzalez has become a public figure and could become the poster boy for the EU privacy law, chances are, his personal information will never go down from the internet. It is safe to say that his right to removal of his property auction data will be far outwitted by billion of people seeking privacy of their personal data, who will use Mario as a reference to their case.