In a recent client alert, Hogan Lovells partners from the firm’s European and Washington, D.C. offices highlighted key takeaways for businesses from last week’s landmark ruling in which the European Court of Justice (ECJ) held that search engines can be forced to remove certain search results if they link to Web pages that contain information infringing the privacy of EU citizens. In effect, this creates a judicially sanctioned “right to be forgotten” that will allow data subjects to scrub their names from the public record.
The ECJ also extended jurisdiction under European data protection law to include non-EU companies that have a branch or subsidiary in the European Union and that collect data in the context of business activities in the European Union. The effect of this jurisdictional ruling on web-based business activity is potentially sweeping. Under the ruling, non-EU businesses potentially need to conform their websites to comply with EU privacy laws — including adopting cookie consent mechanisms and revamping their privacy policies — just because they have a physical presence in Europe.
The case started when a Spanish individual, invoking his “right to be forgotten,” lodged a complaint with the Spanish Data Protection Authority (the AEPD) against both a newspaper that published an article about him on its website and Google, which indexed the article in its search results. The AEPD upheld the complaint against Google Spain and Google Inc., requiring them to delete the data from their index and to render future access to the newspaper articles impossible.
Google appealed the AEPD’s decision to a Spanish court, which referred a number of important questions to the ECJ.
Click here for a detailed analysis of the ECJ decision and its impact on companies outside the EU.