Today the highest court in the European Union decided that Google must grant EU-based users of its search engine a right to delete links about themselves in some cases, including links to legal records. The decision has broad implications for US companies offering web-based services worldwide, as the EU has much stricter privacy laws than the US. In particular, US companies might need to devote resources to addressing complaints from EU consumers regarding online information about them.
The EU court ruled that Google must allow online users to be “forgotten” after a certain period of time, “unless there are particular reasons, such as the role played by the data subject in public life, justifying a preponderant interest of the public.” In this particular case, a Spanish lawyer had complained about finding information about personal debts dating back to 1998 when doing a Google search on his name. He argued that the debts had been resolved years ago and were no longer relevant. This situation and the ruling may have implications for other companies like Facebook and Twitter, where ill-advised postings can haunt users for years to come, and in some cases might prevent them from getting jobs.
Interestingly, the decision was based on a 1995 data protection law that provided limited rights to object to the processing of personal information and to demand its erasure in certain situations. New legislation that will provide even greater protection is currently pending in the EU. The new legislation will clarify that the right to erase information is available to EU users whose data is carried by non-European companies, even if those companies have no physical presence (such as a server) in Europe. The legislation would also shift the obligation from users to companies, to prove whether the data must still be kept available online.
This ruling is a reminder to US web companies that serve European customers, that EU privacy laws may require a higher level of protection for such customers. Even if the companies have no offices or other physical presence in the EU, the privacy laws may apply. These companies should consider how to implement two sets of privacy standards, one for US customers and one for EU customers. US companies also will need to develop a mechanism for responding to privacy complaints originating in the EU.
Follow me on Twitter @PaulHSpitz