Claims have been brought against Google Inc. and Google Spain S.L. and more than 100 formal complaints made to the Spanish data protection agency by Spanish citizens requesting their personal data to be removed from search engine results. Complaints have included a plastic surgeon with archived references to a botched operation, a domestic violence victim whose address was published online and a middle aged woman whose exploits and arrest as a student could still be found through Google.
This referral will test the extent to which the ‘right to be forgotten’ principle can be used against a data hoster and whether EU citizens can really demand the deletion of their data. It’s a principle covered under the new proposed EU Regulation on data protection, whereby individuals will have a general right to be forgotten, enabling them to force organisations to delete personal data stored about them “without delay.”
Under current data protection law, the ‘right to be forgotten’ can be found through the principles of fair and lawful processing and the obligation not to keep data longer than is necessary. In addition, individuals have the right of access to their personal data, including the right to rectification, erasure or blocking of data which are incomplete, inaccurate or stored in a way incompatible with the legitimate purposes.
Google’s Global Privacy Counsel, Peter Fleischer, used his personal blog to argue that the Spanish authorities had taken the ‘right to be forgotten’ principle to an extreme, describing it as an attempt by the Spanish DPA to have links to content in a search engine deleted, despite the fact that the original content is legal and will remain on the Web. Fleischer argues that this conflicts with the principle of freedom of expression.