Google cannot be forced to remove "damaging" material from its search engine that was legally posted elsewhere, according to an adviser to the top court in Europe.
The senior adviser to the European Court of Justice (ECJ), whose job it is to present a public and impartial opinion on cases the court receives, also said there is no general "right to be forgotten" under existing EU data and privacy laws.
In an opinion published on Tuesday, advocate-general Niilo Jaaskinen said that Google cannot be considered the "controller" of personal data from other Web sites and therefore should not be responsible for what appears on sites it links to. Under existing laws, established nearly two decades ago, member state data protection authorities "cannot require" a search engine like Google to remove specific sites from its search results.
"A national data protection authority cannot require an internet search engine service provider to withdraw information from its index," said Jaaskinen in the three-page opinion [PDF].
Tuesday's opinion follows the case of a Spanish man, whose property was to be auctioned off because of failed payments to his social security contributions. He discovered that the information was online when he searched for his own name a decade later.
The citizen in question filed a complaint with Spain's data protection authority, Agencia Espanola de Proteccion de Datos (AEPD), which upheld the claim. Google appealed the decision to one of Spain's highest court. The case was later referred to the ECJ.
Close to 200 complaints in Spain await the decision of the top European court.
The opinion also stated that companies with a presence in the EU remain under the laws of the member state they are based in -- even if the data is handled outside the EU. Jaaskinen said a company could still be forced to block access to illegal content, such pages with copyright-infringing or libelous material.
Bill Echikson, Google's "head of free expression," said on Tuesday: "This is a good opinion for free expression. We're glad to see it supports our long-held view that requiring search engines to suppress 'legitimate and legal information' would amount to censorship."
The opinion of the advocate-general is not legally binding, but often gives a good indication of how the ECJ will sway in its final decision.
The case is expected to set clearer boundaries between the data protection responsibilities of companies while balancing free speech in the region.
'Right to be forgotten'
However, it could be a blow to the European Commission, which for years has been in charge of data protection and privacy rules in the 27 member state bloc of Europe. The opinion comes at a time when new laws have been tabled by the Commission in order to bring existing rules into a modern age.
One of the proposals outlined by EU Justice Commissioner Viviane Reding is a specific "right to be forgotten," which would allow EU citizens to compel a company to delete all data it has on them. The "right to be forgotten" would force Facebook and Twitter to remove any data it had on you, as well as force Google to remove results from its search engine. It would also extraterritorially affect users worldwide outside the European Union who would be unable to search for those removed search terms.
However, the Commission has not outlined in what circumstances such rights could be invoked, or logistically how the process would work. The U.K. has expressed its concern about such proposals and seeks to opt out of them.
Web companies such as Google have said -- and lobbied to that effect -- that the "right to be forgotten" should not allow data to be removed or manipulated at the expense of freedom of speech.
The advocate-general confirmed a right to be forgotten does not exist in current legislation.
"The Directive does not establish a general 'right to be forgotten.' Such a right cannot therefore be invoked against search engine service providers on the basis of the Directive, even when it is interpreted in accordance with the Charter of Fundamental Rights of the European Union," said Jaaskinen.
Under the existing 1995 EU Data Protection Directive, a person has to the right to "object at any time...the processing of data relating to him." The directive allows the correction of data held by a company as well as the ability to request a copy of their data. But it "does not entitle a person to restrict or terminate dissemination of personal data that he considers to be harmful or contrary to his interests," says the opinion.
The new EU Data Protection Regulation, proposed by the European Commission and currently being debated in the European Parliament, will likely be voted on in the coming months after a series of delays.