Who remembers a name? Or a criminal conviction? The European Court of Justice upholds the “right to be forgotten”

On 13 May 2014, the European Court of Justice (ECJ) handed down the landmark decision of Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, in which it held that search engines such as Google or Yahoo must delete “inadequate, irrelevant or no longer relevant data from their search results when they are asked to do so by users.  The decision has sparked fierce debate throughout the European business community and has already been utilised to date by a broad cross section of the community, ranging from criminals to those who misbehaved at the work Christmas party, to request that certain information or details be “forgotten”.


In this case a Spanish citizen, Mario Costeja González, brought an action against Google Spain, seeking the deletion of all links to an auction notice concerning the repossession of his home in 1998 on the website of a popular newspaper.  Mr González argued that given that his house had been sold and he had repaid his outstanding debts, it was no longer appropriate for the notice to remain accessible and/or to be listed whenever someone searched his name on Google.

The ECJ found that the “right to be forgotten” was already enshrined under an existing European Union (EU) data protection directive.  They also found and that the maintenance of links in Google search results to a party who has requested that they be removed “on the grounds that he wishes the information appearing on those pages relating to him personally to be ‘forgotten’ after a certain time” is incompatible with the directive.

The caveat to the ECJ’s decision was the creation of a so-called “public interest test”, by which search engines need to balance an individual’s right to be forgotten against the potential detriment to the public if the links to that information were deleted.  In particular, the ECJ noted that this test will need to be carefully applied where the individual in question “is involved in public life”.

The practical upshot of the ECJ’s decision is that it required Google to remove links to two webpages on the paper’s website from the search results that come up when someone searches Mr González’s name.

Isn’t that onerous?

The sum effect of the decision is that search engines such as Google and Yahoo are now:

  • deemed to be “data controllers” under the applicable EU data protection laws in those EU countries where they set up an office;
  • required to determine whether information the subject of a request to be forgotten is “inadequate, irrelevant or no longer relevant”;
  • responsible for the data they link individuals to; and
  • required to assist individuals who lodge a request to have their personal details removed from search listings.

Upon the initial handing down of the decision, Google made a public statement, commenting that:

This is a disappointing ruling for search engines and online publishers in general. We are very surprised that it differs so dramatically from the advocate general’s opinion and the warnings and consequences that he spelled out.

Nonetheless, Google has readily complied with the ECJ’s ruling by implementing a request mechanism on 30 May 2014 to allow users to request that their personal details be removed from any search results that arise when someone searches their name.  Notably, the option has proved very popular, with Google logging 12,000 requests to be “forgotten” on the first day the mechanism was made available to the public.

Is the age of transparency over?

Many commentators have expressed deep concern that this mechanism amounts to “censorship” of the internet and that it will allow individuals to cover up or avoid disclosure of certain untoward or arguably important details.  However, Google has announced that it will show a disclosure when certain addresses are removed under the “right to be forgotten” mechanism, along the lines of its copyright removal action notices:

In response to a complaint we have received under the US Digital Millennium Copyright Act, we have removed 1 result(s) from this page. If you wish, you may read the DCMA complaint that caused the removal(s) at Chilling Effects.org.

So, while Google will take steps to ensure that certain URLs are “forgotten” from its search results, the fact that Google was “made to forget” those URLs will be recorded. 

Do I have that right? Does my company need to bear this in mind?

At this stage in time, the right to request to “be forgotten” only extends to citizens and/or residents of the EU.  For Australians to enjoy the same kind of rights, legislation would need to be introduced to extend the same kinds of principles into the recently amended Privacy Act 1988 (Cth) (Privacy Act).  However, as part of its wide sweeping privacy law review,  the Australian Law Reform Commission is currently examining the “right to be forgotten” and its potential practical implications should it be introduced in Australia.  Whether as a result of the policies adopted by search engines or via law reform, it may not be long before this “right” is available to Australians in some capacity.

This decision will only have any bearing on your business should you have an office or branch in the EU and provide a search engine or media monitoring service.  For the most part, most Australian businesses will not be directly affected by the decision.

However, for those exposed to the decision, the cost of providing information over the internet in Europe has suddenly become very expensive.  Those entities will be required to, on a case by case basis, determine whether any information the subject of a removal request is “inadequate, irrelevant or excessive” – a test which is by no means clear cut or readily determinable.

Lavan Legal comment

The importance of privacy laws and an individual’s right to have their privacy protected is advancing as steadily as the reach and power of technology.  It is important for individuals and businesses to understand their rights and responsibilities with respect to privacy. 

If you require any assistance in determining whether your entity is acting in compliance with the newly amended Privacy Act, please contact Lavan Legal.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.