The EU Court Google judgement on data protection is one of those judicial decisions stating the obvious, yet still causing a stir.
The reason for that is that many people see it as yet another event in the privacy power struggle between the EU and the US. Yet the Google judgement hardly introduced anything that has not been part of the EU Data Protection Directive all along: if a search engine collects from the web personal data for storage and search results purposes, this would, absent a specific statutory exemption, constitute personal data processing.
In fact, having known Judge Ilešič, the case Rapporteur, as my former professor and degree thesis supervisor, clearly a no-nonsense man, I could hardly imagine him delivering a judgement saying one or more of the following:
- search engines are per se exempt from EU data protection rules; or
- search engines are actually an American thing so the EU data protection law does not apply; or even
- Google is too big and too important for innovation to be regulated.
Nevertheless, criticisms of the EU data protection rules are more than legitimate. But exemptions cannot go in the direction of the big global guys being able to get away with everything whilst small European firms and tech start-ups wrestle with their Member States’ data protection authorities. All online businesses should be able to benefit from legal certainty and the rule of reason.
However, the debate has already become too political to guarantee equal treatment for all the data controllers. When ‘the right to be forgotten’ was first announced by the Commissioner Reding, I wondered what such a right would actually add to the EU data protection system. I somehow believed it had been there along, as part of the Article 14 of the 1995 Data Protection Directive. A possible explanation for such a proposal could be that European authorities, failing to properly enforce the EU data protection framework against some large American firms, simply flexed muscles by threatening them with some new legislative provisions.
The reform badly needed would focus on re-inventing the ‘database’ concept in a world of inevitably interconnected ‘big data’ and re-consider the real value of individual ‘consent’ in the same complex world. Redefining personal data would be another option. Sadly, we have not seen any of that coming just yet. In an all-or-nothing data protection regime, it is more likely to be nothing for a huge number of European end-users.