Though Google is a U.S. company, its American rights don’t transpose across the pond. A court case will determine whether Google has to comply with EU law, which could have far-reaching consequences for European users.
(Credit: Zack Whittaker/CNET)
How Google and other American Internet companies operate in Europe could come down to a link that, depending on what side of the Atlantic Ocean you’re on, should or should not be deleted.
A case heard Tuesday before the European Court of Justice (ECJ) hinges on a complaint submitted by a Spanish citizen who searched Google for his name and found a news article from several years earlier, saying his property would be auctioned because of failed payments to his social security contributions.
Spanish authorities argued that Google, other search engines, and other Web companies operating in Spain should remove information such as that if it is believed to be a breach of an individual’s privacy. Google, however, believes that it should not have to delete search results from its index because the company didn’t create it in the first place. Google argued that it is the publisher’s responsibility and that its search engine is merely a channel for others’ content.
The ECJ’s advocate-general will publish its opinion on the case on June 25, with a judgment expected by the end of the year. The outcome of the hearing will affect not only Spain but also all of the 27 member states of the European Union.
In principle, this fight is about freedom of speech versus privacy, with a hearty dash of allegations of censorship mixed in. In reality, this could be one of the greatest changes to EU privacy rules in decades — by either strengthening the rules or negating them altogether.
The European view is simple: If you’re at our party, you have to play by our rules. And in Europe, the “right to be forgotten” is an important one.
“Facebook and Google argue they are not subject to EU law as they are physically established outside the EU,” a European Commission spokesperson told CNET. In new draft privacy law proposals, the message is, “as long as a company offers its goods or services to consumers on the EU territory, EU law must apply.”
While Europe has some of the strongest data protection and privacy laws in the world, the U.S. doesn’t. And while the U.S. has some of the strongest free speech and expression laws in the world, enshrined by a codified constitution, most European countries do not, instead favoring “fair speech” principles.
Google is also facing another legal twist: Spanish authorities are treating it like a media organization without offering it the full legal protection of one.
Newspapers should be exempt from individual takedown requests to preserve freedom of speech, according to Spanish authorities, but Google should not enjoy the same liberties, despite having no editorial control and despite search results being determined by algorithms. Though Google is branded a “publisher” like newspapers, the search giant does not hold media-like protection from takedowns under the country’s libel laws. This does not translate across all of Europe, however. Some European member states target newspapers directly and are held accountable through press regulatory authorities in a bid to balance freedom of speech and libel laws.
One of Spain’s highest courts, the Agencia Espanola de Proteccion de Datos (AEPD), found in favor of the complainant in early 2011 and ruled that Google should delete the search result. This case is one of around 180 other ongoing cases in the country.
Google appealed the decision and the case was referred to the highest court in Europe, the ECJ, which will eventually determine if the search giant is the “controller” of the data or whether it is merely a host of the data.
The case will also decide on whether U.S.-based companies are subject to EU privacy law, which may mean EU citizens’ have to take their privacy cases to U.S. courts to determine whether Google is responsible for the damage caused by the “diffusion of personal information.”
In a blog post on Tuesday, Bill Echikson, Google’s “head of free expression,” said the search giant “declined to comply” with a request by Spanish data protection authorities, as the search listing “includes factually correct information that is still publicly available on the newspaper’s Web site.”
“There are clear societal reasons why this kind of information should be publicly available. People shouldn’t be prevented from learning that a politician was convicted of taking a bribe, or that a doctor was convicted of malpractice,” Echikson noted.
“We believe the answer to that question is ‘no’. Search engines point to information that is published online – and in this case to information that had to be made public, by law. In our view, only the original publisher can take the decision to remove such content. Once removed from the source webpage, content will disappear from a search engine’s index.”
EU’s latest privacy proposal: The ‘right to be forgotten’
Should the ECJ finds in favor of the Spanish complainant, it will see the biggest shakeup to EU privacy rules in close to two decades and would enable European citizens a “right to be forgotten.”
In January 2011, the European Commission lifted the lid on draft proposals for a single one-size-fits-all privacy regulation for its 27 member states. One of the proposals was the “right to be forgotten,” empowering every European resident the right to force Web companies as well as offline firms to delete or remove their data to preserve their privacy.
(Credit: European Parliament/Flickr)
For Europeans, privacy is a fundamental right to all residents, according to Article 8 of the European Convention of Human Rights, in which it states: “Everyone has the right to respect for his private and family life, his home and his correspondence.” It does however add a crucial exception. “There shall be no interference by a public authority with the exercise of this right except… for the protection of the rights and freedoms of others.”
Because U.S.-based technology giants like Google, Facebook, and Twitter have users and in many cases a physical presence in Europe, they must comply with local laws. The “right to be forgotten” would force Facebook and Twitter to remove any data it had on you, as well as Google removing results from its search engine. It would also extraterritorially affect users worldwide outside the European Union who would also be unable to search for those removed search terms.
Such Web companies have said (and lobbied to that effect) that the “right to be forgotten” should not allow data to be removed or manipulated at the expense of freedom of speech. This, however, does not stop with republished material and other indexed content, and most certainly does not apply to European law enforcement and intelligence agencies.
Two continents, separated by ‘free’ and ‘fair speech’
The U.S. and the EU have never seen eye-to-eye on data protection and privacy. For Americans and U.S.-based companies, the belief is that crossover between freedom of speech and privacy overlaps in “a form of censorship,” according to Google’s lawyers speaking during the Spanish court case.
In the U.S., you can freely say the most appalling words, so long as they don’t lead to a crime or violence against a person or a group of people. In European countries such as the U.K. words can lead to instant arrest. Europe’s laws allow for “fair speech” in order to prevent harassment, fear of violence, or even alarm and distress. It’s a dance between the American tradition of protecting the individual and the European tradition of protecting society.
Google is fundamentally so very American in this regard. That said, Google already filters and censors its own search results at the behest of governments and private industry, albeit openly and transparently. Google will agree to delete links that violate copyrights under the Digital Millennium Copyright Act, which seeks to remove content from Google’s search results that may facilitate copyright infringement.
Google also complies, when forced by a court, with numerous types of government requests, not limited to subpoenas, search warrants, and National Security Letters, or so-called ‘gagging orders’. It also discloses those requests and when it complies with them. And it’s a system not that dissimilar to what it’s being asked to do in Europe.
Whose jurisdiction is Google under: U.S., EU, or both?
While Europe’s privacy principles apply to the Web, it’s unclear whether they apply to data “controllers” established outside of the European Union. But several European court cases have sided with local law. A German court found that Facebook fell under Irish law because the social networking company had a physical presence in Ireland, another EU member state. In Google’s case, Spanish authorities are making a similar argument, claiming that Google is processing data in a European state and therefore EU law should apply.
Many American companies have voiced their objections to the proposed EU privacy law, including Amazon, eBay, Yahoo, according to a lobbying watchdog. It could still take a year or two for the law to be ratified.
“Exempting non-EU companies from our data protection regulation is not on the table. It would mean applying double standards,” said Europe’s Justice Commissioner Viviane Reding, the top politician in Europe on data protection and privacy rules in the region, in an interview with the Financial Times of London.
The new EU Data Protection Regulation, proposed by the European Commission and currently being debated in the European Parliament, will likely be voted on by June.
But this fight isn’t as much about censorship as one might think. It’s about a cultural difference between two continents and perspectives on what freedom of speech can and should be. It’s also about privacy, and whether privacy or free speech is more important.