With its ruling against Google yesterday, the European Court of Justice has resoundingly stated that the right of EU citizens to privacy trumps the right of corporations to conduct business.
The potentially far-reaching case, which requires the search engine to remove, on request, certain types of information that may be deemed out of date or no longer relevant, is the second major case in support of privacy rights in recent weeks.
A month ago, the ECJ made another landmark privacy ruling when it threw out Europe's data retention directive, a judgment that arose in large part from a case privacy advocates Digital Rights Ireland brought against the Irish state, which was referred to the ECJ.
Taken together, the two rulings are globally significant statements that Europe prioritises personal privacy, and the protection of citizen data, over the rights of either businesses or States to access it.
Right to be forgotten
Of greatest significance in the Google ruling is a tacit recognition that EU citizens already have a "right to be forgotten" – to have some information removed from the possibility of eternal storage on the internet.
Such a potential right has been a contentious element of a proposed data-protection regulation, intended to replace the EU’s outdated 1995 data-protection directive.
Businesses have argued the costs and administrative headaches of finding and removing information from what is now a global repository of infinitesimal detail would be formidable.
But privacy advocates have argued that if powerful algorithms can be used to mine data on behalf of corporations or security organisations, they can also be used to filter out data on behalf of people’s privacy.
The inconvenient fact that it costs money and time for businesses whose income derives from mostly unfettered access to online information, they say, is not of itself a reason why businesses should have the right to avoid that cost. Especially if they monetise personal data with no payback – beyond the provision of a free online service – to the citizens whose information feeds the database.
The ruling is also significant in that it offers the first recognition that individuals have some, albeit restricted, right to screen what appears about them on the internet. In an online world awash with social media and services that aggregate sometimes alarmingly detailed data on individuals, few people cannot have wished for a big delete button at some stage.
Strong tailwind
The judgment would seem to smooth the way for the passage of the strengthened data protection regulation by next year, and may even offer greater rights to citizens than the proposed regulation.
EU Justice Commissioner Viviane Reding, the official behind the proposed regulation, said on her Facebook page that the judgment was a "strong tailwind" behind a move towards greater privacy protections and reformed data-protection law.
"Companies can no longer hide behind their servers being based in California or anywhere else in the world," she said.
The ruling is a serious blow to Google and other internet companies, as it will force many to rethink their business, and their business models, in Europe. This is especially the case for those which operate search facilities.
Global standard
But this case isn't just about Europe. Because it is virtually impossible for a global company like Google to treat European data differently from all other data, Europe's protections will require changes that enable more finely grained management of all data, for everyone, everywhere.
In short, Europe is setting the global standard for data protection and management, simply because global companies cannot afford to ignore a market that is larger than that of the Unites States.
Will the ruling influence populations elsewhere, particularly in the US? Much will depend on how the ruling is implemented in practice – particularly, what types of information are deemed acceptable to remove and whether this emboldens privacy advocacy abroad.
This ruling has shifted the internet landscape significantly.