Google ECJ case: No commish, it means we don't need right-to-be-forgotten rewrite

Comment Brussels' Justice Commissioner Viviane Reding claimed that today's EU Court of Justice's landmark search engine case, which stunned Google, served as a "strong tailwind" for her draft rewrite of the 28-member state bloc's 19-year-old data protection rules.

But is she being a little optimistic?

As I noted earlier today, the judges reached their conclusion that Google and other search engines can be held responsible - in certain circumstances - for the type of personal data that appears on their results pages based on existing laws in the 1995 Data Protection Directive.

One might therefore wonder how necessary it is for Reding's campaign for the "right to be forgotten" online to be written into EU legislation.

The European Commission's vice-president took to her Facebook page to celebrate the ECJ judgment by rightly noting that it was "a clear victory for the protection of personal data of Europeans".

Reding reiterated the opinion she expressed to me back in 2011, by saying that "companies can no longer hide behind their servers being based in California or anywhere else in the world."

Google is indeed licking its wounds, having apparently been caught by surprise with the ruling, which unusually went against an Advocate General viewpoint submitted to the top EU court in June last year.

But Reding's insistence that the "judgement is [a] strong tailwind for the data protection reform", first tabled in January 2012, is a bit of a fudge of the facts as they are now laid before us.

Despite best efforts to push her draft Data Protection bill through this Parliament, Reding failed. Instead, her proposals underwent thousands of amendments before MEPs threw their support behind the DP directive overhaul.

But, significantly, the bill is actually only about two-thirds of the way there. Crucially, the EU's main decision-making and legislative body, the Council of Ministers, is yet to submit its views on Reding's Data Protection Directive plans.

A separate one-stop shop measure written in the draft law was attacked late last year by the European Council's legal service chief, who questioned whether it was lawful, opining that it might breach European citizens' human rights.

The European Council has no powers to pass laws, but it does influence the political agenda in the EU.

Reding argued, following the judgment:

The data belongs to the individual, not to the company. And unless there is a good reason to retain this data, an individual should be empowered by law to request erasure of this data.

The ruling confirms the need to bring today's data protection rules from the "digital stone age" into today's modern computing world where data is no longer stored on "a server", or once launched online disappears in cyber-space.

This is exactly what the data protection reform is about: making sure those who do business in Europe, respect European laws and empowering citizens to take the necessary actions to manage their data.

Today's ruling against Google - some EU nation states might conclude - proves that measures that help tighten privacy rights for citizens already exist, so why bother with a rewrite? In which case, did Reding's campaign for the "right to be forgotten" just suffer a major blow?

Back at the start of 2012, when the commissioner first tabled her draft bill, the UK's then Under-Secretary of State at the Ministry of Justice, Crispin Blunt, said: "We should look to better understand each other and our respective laws rather than unpicking enduring principles and introducing an entirely new, and quite possibly impractical regulatory framework."

That note of caution resonates even more strongly now. ®