Being in Silicon Valley during the time when the honourable Court of Justice of the European Union "cracks" its epic right to be forgotten ruling, is a very interesting social experience. Suddenly, the European part of you receives a strange lot of attention among tech folks in all the small talks. No wonder. Google Spain C-131/12 for me is both great and terrible.
It is great because the European data protection laws definitely should apply to companies that make a lot of money in Europe, and should regulate search engines. If small European companies manage, so can their American counterparts. The decision is, however, terrible for the (im)balance it strikes. And I know this is where most of the people get passionate. I think that the optimism of many people who commented on ruling is driven by the belief that the law will be changed (e.g. my friend Julia Powles in the Guardian and Wired). If this is your framework, then I do agree. Yes, the decision will definitely move things ahead.
This might be all true and great, but still, from the short term perspective, the decision with its (im)balance is just terrible. Steve Peers, Peter Lehofer and others already commented on the constitutionally striking language of the decision. Peter Lehofer eloquently characterized this reading of privacy as a "super-human-right". This blanket preference for one human right disturbs me, especially when it comes from a court that is increasingly taking the role of a constitutional court and even claiming to have the ultimate words on the content of those rights. As all European law students learn, perhaps as the first thing in their human rights classes, that there is no hierarchical relationship between the conflicting human rights. That's why we need a test of proportionality. The CJEU now seems to disagree.
So why do I think that the current decision can not serve as a right balance for the future law?
First of all, the Directive itself has very narrow exceptions for the use of personal data without the permission of the individual concerned ["solely for journalistic purposes or the purpose of artistic or literary expression"]. The fact that CJEU explicitly had no problem with giving a blessing to reading that precludes search engines and other websites from referring to a legitimate article (e.g. up-to-date news article), just because no explicit exception exists. This is deeply worrying. I think that a search engine should be able to invoke the same exception, which a source website is able to invoke (e.g. journalistic, scientific, etc.). This could potentially affect not only search engines, but anybody linking to an article with an anchor which uses personal data (or think of Tweets that encompass personal data when referring to a legitimate article). I think if we expand the notion of "data controllers" and thus data protection laws, we should also expand exceptions [yes, think here of the the old problem of the copyright laws]. Otherwise we might outlaw socially legitimate processing of personal data and artificially break the chain of speech online.
Second, and this is where most of my European friends disagree, the right to object to "no longer relevant" processing of personal data, should be made an exception and not a general rule as CJEU tell us [the word "relevant" in Art. 6(1)(3) IMHO refers not to time-relevant, but proportionate]. I can personally see many instances when we want to give a second chance to people and relieve them from their personal history. Spent convictions for rehabilitated offenders, juvenile indiscretions or personal bankruptcies all share the same justification - a need to give a second chance to people. But this not universal. Not all outdated data have such properties and can be supported by such justification. In fact, I would argue it is only a small subset of all outdated information. Many people also seem to assume that a time dimension decreases the societal value of the information that has such merit. Yes in some cases, but in others it can even increase its societal value (e.g. former radical now applying for job as a high school teacher or running for the public office, etc.). I just don't think that narrative of second chance really supports a universal right of this kind.
Implemenatition also matters
But let's look into the application. Google just published its European removal tool. The company seems to be preparing for serious examination of all the requests. From a business perspective, this is no surprise, given that if Google wants to continue to provide its service with any meaningful value, it has to comply. Other it might potentially face criminal charges. And Google is of course capable of doing it. The problem is, however, by shifting the burden completely on a search engine, we just literally "cemented" search engine market by erecting incredibly high barriers to entry. Are mini-competitors of Google like Czech Seznam.cz also capable of doing this? I doubt so. They will most likely just automate the process to save the costs.
Of course you can argue that our preference for privacy is stronger than any concern of competition in the search engine market. But the search engine market is crucial to the online flow of information and any business online. I am not saying we should not regulate search engines, but trying to outsource some of the burden, so a more competitive environment can be preserved, would be desirable. For instance, having to apply to data protection authorities prior to removal on grounds of "no longer relevant", would be a good step [mind you, this is not about right to erasure].
This way, we have a state authority to determine such conflicts of freedom of expression and privacy. The authority, which is, unlike a private company, directly bound by human rights [because its a state power]. This would also centralize such decision making into one place, so the consistency can be achieved. And we can better discuss edge cases, because its all public [though anonymized]. The handling of "no-longer-relevant" complaints and defending of potential freedom of expression issues would not be in this way left to business incentives of companies, but to publicly accountable body. Again, the search engines represent a way more critical infrastructure [at least today] than any other service, and no-longer-relevant requests are way more difficult to assess than say copyright issues. So a different treatment, I think, it justified.
This would also create more legal certainty for service providers and originators of objected speech. Because what is time-relevant for a society is determined by the state, not industry players. At the same time, it would outsource some of the decision making costs, so the barriers of entry would be lowered. Also the mental barrier for applications would be slightly increased, as filling a request to the administrative authority perhaps makes us think twice [even if its free of charge]. The examination effort of search engines would thus not be replicated many times, but be centralized to one decision-making process, with positive spill-over on less wealthy competitors.
Decision as a political statement
To conclude. I think that the Google Spain ruling is really better understood as a political act of the CJEU than as some interpretation of the laws. CJEU members probably disgusted by the difficult policy debates about a new European data protection regulation and "US overreach" revealed by Snowden, decided on this strong ruling to make a political statement. US tech companies have been blocking a new Regulation in Brussels, so the judges decided to mix up the pack of cards on the policy table from Luxemburg, to see what will happen now [thus proving that Coase’s theorem does not work in the political process as well].
Only the way this ruling will be practically carried will determine whether the history will list Google Spain as a good or bad move for the European society.
PS1: There are plenty of alternative options. In a conversation, Julia Powles, for instance, suggested that if Google was really concerned about smaller players, it would look seriously at creating an independent, industry-sponsored platform to do this job, because it could be a faster option than any DPA. I personally favour state-implemented solution, given the direct obligations to respect human rights. But I agree that fragmentation and tardiness of DPAs is something that would need to be solved.
PS2: The original article was published on my Huťko's Technology Law Blog.
The author of this blog post, Martin Husovec, is an IMPRS-CI Doctoral Research Fellow at Max Planck Institute for Innovation and Competition and currently a visiting researcher at Stanford Center for Internet and Society. He can be reached at husovec.eu.