European Court of Justice rules Internet Search Engine Operator responsible for Processing Personal Data Published by Third Parties

The Court of Justice of the European Union has ruled that an “an internet search engine operator is responsible for the processing that it carries out of personal data which appear on web pages published by third parties.” The decision adds to the conundrum of maintaining a balance between freedom of expression, protecting personal data and intermediary liability.

The ruling is expected to have considerable impact on reputation and privacy related takedown requests as under the decision, data subjects may approach the operator directly seeking removal of links to web pages containing personal data. Currently, users prove whether data needs to be kept online—the new rules reverse the burden of proof, placing an obligation on companies, rather than users for content regulation.

A win for privacy?

The ECJ ruling addresses Mario Costeja González complaint filed in 2010, against Google Spain and Google Inc., requesting that personal data relating to him appearing in search results be protected and that data which was no longer relevant be removed. Referring to the Directive 95/46/EC of the European Parliament, the court said, that Google and other search engine operators should be considered ‘controllers’ of personal data. Following the decision, Google will be required to consider takedown requests of personal data, regardless of the fact that processing of such data is carried out without distinction in respect of information other than the personal data.

The decision—which cannot be appealed—raises important of questions of how this ruling will be applied in practice and its impact on the information available online in countries outside the European Union.  The decree forces search engine operators such as Google, Yahoo and Microsoft’s Bing to make judgement calls on the fairness of the information published through their services that reach over 500  million people across the twenty eight nation bloc of EU.

ECJ rules that search engines ‘as a general rule,’ should place the right to privacy above the right to information by the public. Under the verdict, links to irrelevant and out of date data need to be erased upon request, placing search engines in the role of controllers of information—beyond the role of being an arbitrator that linked to data that already existed in the public domain. The verdict is directed at highlighting the power of search engines to retrieve controversial information while limiting their capacity to do so in the future.

The ruling calls for maintaining a balance in addressing the legitimate interest of internet users in accessing personal information and upholding the data subject’s fundamental rights, but does not directly address either issues. The court also recognised, that the data subject’s rights override the interest of internet users, however, with exceptions pertaining to nature of information, its sensitivity for the data subject’s private life and the role of the data subject in public life. Acknowledging that data belongs to the individual and is not the right of the company, European Commissioner Viviane Reding, hailed the verdict, “a clear victory for the protection of personal data of Europeans”.

The Court stated that if data is deemed irrelevant at the time of the case, even if it has been lawfully processed initially, it must be removed and that the data subject has the right to approach the operator directly for the removal of such content. The liability issue is further complicated by the fact, that search engines such as Google do not publish the content rather they point to information that already exists in the public domain—raising questions of the degree of liability on account of third party content displayed on their services.

The ECJ ruling is based on the case originally filed against Google, Spain and it is important to note that, González argued that searching for his name linked to two pages originally published in 1998, on the website of the Spanish newspaper La Vanguardia. The Spanish Data Protection Agency did not require La Vanguardia to take down the pages, however, it did order Google to remove links to them. Google appealed this decision, following which the National  High Court of Spain sought advice from the European court. The definition of Google as the controller of information, raises important questions related to the distinction between liability of publishers and the liability of processors of information such as search engines.

The ‘right to be forgotten’

The decision also brings to the fore, the ongoing debate and fragmented opinions within the EU, on the right of the individual to be forgotten. The ‘right to be forgotten‘ has evolved from the European Commission’s wide-ranging plans of an overhaul of the commission’s 1995 Data Protection Directive. The plans for the law included allowing people to request removal of personal data with an obligation of compliance for service providers, unless there were ‘legitimate’ reasons to do otherwise. Technology firms rallying around issues of freedom of expression and censorship, have expressed concerns about the reach of the bill. Privacy-rights activist and European officials have upheld the notion of the right to be forgotten, highlighting the right of the individual to protect their honour and reputation.

These issues have been controversial amidst EU member states with the UK’s Ministry of Justice claiming the law ‘raises unrealistic and unfair expectations’ and  has sought to opt-out of the privacy laws. The Advocate General of the European Court Niilo Jääskinen’s opinion, that the individual’s right to seek removal of content should not be upheld if the information was published legally, contradicts the verdict of the ECJ ruling. The European Court of Justice’s move is surprising for many and as Richard Cumbley, information-management and data protection partner at the law firm Linklaters puts it, “Given that the E.U. has spent two years debating this right as part of the reform of E.U. privacy legislation, it is ironic that the E.C.J. has found it already exists in such a striking manner.”

The economic implications of enforcing a liability regime where search engine operators censor legal content in their results aside, the decision might also have a chilling effect on freedom of expression and access to information. Google called the decision “a disappointing ruling for search engines and online publishers in general,” and that the company would take time to analyze the implications. While the implications of the decision are yet to be determined, it is important to bear in mind that while decisions like these are public, the refinements that Google and other search engines will have to make to its technology and the judgement calls on the fairness of the information available online are not public.

The ECJ press release is available here and the actual judgement is available here.

NETmundial Roadmap: Defining the Roles of Stakeholders in Multistakeholderism

NETmundial, one of the most anticipated events in the Internet governance calendar, will see the global community convening at Sao Paolo, with an aim to establish ‘strategic guidelines related to the use and development of the Internet in the world.’ This post analyses the submissions at NETmundial that focused on Roadmap, towards an understanding of stakeholder roles in relation to specific governance functions and highlighting the political, technical and architectural possibilities that lie ahead.

Introduction

A technically borderless Internet, in a world defined by national boundaries, brings many challenges in its wake. The social, ethical and legal standards of all countries are affected by technical standards and procedures, created by a few global players. This disparity in capacity and opportunities to participate and shape Internet policy, fuelled by Edward Snowden’s revelations led to the development of the Global Multi-stakeholder Meeting on the Future of Internet Governance or NETmundial. Set against, an urgent need for interdisciplinary knowledge assessment towards establishing global guiding principles with respect to the technological architecture and the legal framework of the Internet–NETmundial is seen as a critical step in moving towards a global policy framework for Internet Governance (IG). As stakeholder groups from across the world come together to discuss future forms of governance, one of the most widely discussed issues will be that of Multistakeholderism (MSism).

Multistakeholderism

The governance structure of the Multistakeholder model is based on the notion, that stakeholders most impacted by decisions should be involved in the process of decision making. The collaborative multistakeholder spirit has been widely adopted within the Internet Governance fora, with proponents spread across regions and communities involved in the running, management and use of the Internet. So far, MSism has worked well in the coordination of technical networking standards and efforts to set norms and best practices in defined areas, in the realm of technical governance of the Internet.  However, the extension  of MSism beyond truly voluntary, decentralized and targeted contexts and expanding its applicability, to other substantive areas of Internet Governance is proving a challenge. Beyond defining how the process of policymaking should be undertaken, MSism does not provide any guidance on substantive policy issues of Internet governance. With the increasing impact of Internet technology on human lives and framed against the complexity of issues such as security, access and privacy, the consensus on MSism is further rendered unattainable.

The need for contextualizing the model aside, as with most policy negotiations certain open concepts and words have also prevented agreement and adoption of MSism as the best way forward for IG. One such open and perhaps, the most contentious issue with respect to the legitimacy of MSism in managing Internet functions is the role of stakeholders. A key element of MSism is that decisions will be made by and including all relevant stakeholders. Stakeholder groups are broadly classified to include governments, technical community and academia, private sector and civil society. With each stakeholder representing diverse and often conflicting interests, creating a consensus process that goes beyond a set of rules and practices promising a seat at the negotiation table and is supportive of broad public interest is a challenging task that needs urgent addressing.

This post aims to add to the discourse on defining the role and scope of stakeholders’ decision-making powers, towards a better understanding of the term “in their respective role”. Addressing the complexity of functions in managing and running the Internet and the diversity of stakeholders that are affected and hence should be included in decision making, I have limited the scope of my analysis to cover three broad internet management functions:

  1. Technical: Issues related to infrastructure and the management of critical Internet resources
  2. Policy: Issues relating to the developmental aspects, capacity building, bridging digital divide, human rights
  3. Implementation: Issues relating to the use of the Internet including jurisdictional law, legislation spam, network security and cybercrime

While this may be an oversimplification of complex and interconnected layers of management and coordination, in my opinion, broad categorisation of issues is necessary, if not an ideal starting point for the purpose of this analysis. I have considered only the submissions categorised under the theme of Roadmap, seeking commonalities  across stakeholder groups and regions on the role of stakeholders and their participation in the three broad functions of technology, policy and implementation.

Towards a definition of respective roles: Analysis NETmundial submissions on Roadmap

There were a total of 44 submissions specific to Roadmap with civil society (20) contributing more than any other group including academia (7), government (4), technical community (5), private sector (3) and other (5). MSism sees support across most stakeholder groups and many submissions highlight or agree on participation and inclusion in decision making processes.

Regionally, submissions from North (24) were dominated by USA (10) with contributions cutting across academia (4), civil society (2), technical community (2) and other (2). Brazil (5) contributed the most to submissions from South (15), followed by Argentina (3). The submissions were consistent with the gender disparity prevalent in the larger technology community with only 12 females contributing submissions. An overwhelming number of submissions (38), thought that the multistakeholder (MS) model needs further definition or improvements, however, suggestions on how best to achieve this varied widely across stakeholders and regional boundaries. Only 16 submissions referenced or suggested Internet Governance Forum (IGF) in its present capacity or with an expanded policy role as a mechanism of implementing MSism on the Internet.

Many submissions referred to issues related to the management of critical internet resources (CIRs), the role of ICANN and US oversight of IANA functions. A total of 11 submissions referred to or specified governance processes with respect to technical functions and issues related to critical resources with civil society (5) and academia (3) contributing the most. In an area that perhaps has the most direct relevance to their work, the technical community was conspicuous with just two submissions making any concrete recommendations. The European Commission was the only governmental organisation that addressed this issue, recommending an expansion of the role of IGF.  There were no specific recommendations from the private sector.

The suggestions on oversight and decision making mechanism were most conflicted for this category of Internet functions and included:

16 submissions referred to issues related to policy development and implementation including developmental aspects, capacity building, bridging digital divide and human rights. All submissions called for a reform or further definition of MSism and included recommendations from civil society (5), academia (4), technical community (2), governments (2), private sector (1) and Other (2). All stakeholder groups across regions, unanimously agreed that all stakeholders within their respective role should have a role in decision making and within public policy functions. There was however, no broad consensus on the best way to achieve this.

Specific recommendations and views captured on who should be involved in policy related decision making and what possible frameworks could be developed included:

18 submissions referred to issues related to the implementation of standards including issues relating to the use of the Internet including jurisdiction, law, legislation, spam, network security and cybercrime. All submissions called for a reform or further definition of MSism values and included recommendations from civil society (8), academia (3), technical community (3), governments (2), private sector (1) and other (1). Stakeholders from academia (5), civil society (3) and government (1) collectively called for the reform of ICANN guided by multistakeholder values, but did not specify how this reform would be achieved.

Specific recommendations on the improvements of institutional frameworks and arrangements for issues related to implementation of  standards included:

In summation,  the classification of Internet functions discussed above, presents a very broad view of complex, dynamic and often, interrelated relationships amongst stakeholder groups. However, even within these very broad categories there are various interpretations of how MSism should evolve.

To come back to the very beginning of this post,  NETmundial is an important step towards a global policy framework for Internet governance. This is the first meeting outside formal processes and it is difficult to know what to expect, partly as the expectations are not clear and range widely across stakeholders. Whatever the outcome,  NETmundial’s real contribution to Internet Governance has been sparking anew, the discourse on multistakeholderism and its application on the Internet through the creation of a spontaneous order amongst diverse actors and providing a common platform for divergent views to come together.