EU Court of Justice Paves Way For "Right To Be Forgotten" Online

Mark.JUK (1222360) writes "The European Court of Justice (ECJ) has today ruled that Google, Bing and others, acting as internet search engine operators, are responsible for the processing that they carry out of personal data which appears on web pages published by third parties. As a result any searches made on the basis of a person's name that returns links/descriptions for web pages containing information on the person in question can, upon request by the related individual, be removed. The decision supports calls for a so-called 'right to be forgotten' by Internet privacy advocates, which ironically the European Commission are already working to implement via new legislation. Google failed to argue that such a decision would be unfair because the information was already legally in the public domain."

Re:Definitely good, but there are two sides

[Xest]

There's been a lot of FUD and confusion about this particular law on Slashdot, some people seem to think you can just somehow use your bat signal to say "I want to be forgotten on everything online ever!" but it's more simplistic than that.

What it does, is gives you the right to go to a company, that is storing information on you, and ask that they remove it. Nothing more, nothing less. That means if Google has indexed search results and their index includes information on you they simply have to remove that from their index - they do not have to go to the sites they indexed and asked them to remove the information too or any such thing, it's up to you to contact each specific company and the company must oblige.

This isn't really as big a deal as often made out, there was an argument you already had this right to an extent in many jurisdictions such as under the data protection act in the UK, which states that companies may not be passed information on you without your consent, so unless you gave it to them in the first place or consented to someone else giving it to them then they shouldn't be holding it regardless.

This law just formalises that and makes it clear that that remains true even in the age of user generated content, it simply makes it clear that companies can't shirk their data protection rules by saying "but a user gave us that content!" or "but a machine gathered that information!".

I don't believe this creates the hardship that it's claimed it creates, if companies were adhering to the likes of the UK's data protection act in the first place (which stems back to 1998) then they should've had procedures in place for over a decade and a half now to delete personal details that they had no legal right to hold.

If there are concerns about other content being deleted at the same time then that's not a problem with the law, but entirely a problem with how companies choose to go about eliminating data that should no longer be held.

If I have entered no agreement with a company, if a company is not acting as a data processor for a data controller I do have an agreement, and if I have not myself passed personal data to a company, then they never had a legal right (apart from under a handful of very specific exceptions) to hold it in the first place. The only extension this adds is that it makes it clear that you can also retroactively have information removed even if they did have the right to hold it in the past - even this existed in the likes of the DPA though, that companies shouldn't hold it for longer than necessary for the agreed purpose or when a data subject has ceased their relationship with the firm. The problem with that part it was never explicit as to exactly how long a company could hold data on you after that point so it was down to a fairly arbitrary decision by a court.

Honestly, I don't see the problem, if a company doesn't have control of the data it owns to be able to delete data it shouldn't hold on request then it's not fit to be holding any kind of data in the first place.