In May 2014, the European Court of Justice ruled that Google (and other general search engines) is a controller, and that the European rules of personal data also apply to search engines. Google must therefore comply with European personal data law.
INDIVIDUALS ARE (IN SOME SITUATIONS) ENTITLED TO HAVE LINKS TO PERSONAL DATA DELETED
The Court then stated that individuals may ask the search engine to remove links to personal data about them when the data seems insufficient, irrelevant or too informative compared to the purpose of the processing.
This does not mean that individuals may always have data about themselves deleted, and the "Right to be forgotten" is therefore not without exemptions. For instance, data should not be deleted on the website to which there is a link. In order to have links referring to personal data removed, a weighing of the protection of privacy and personal data should be made against the public interest in having access to the information, and the consideration for the private individual will normally have priority.
The EU expert committee (the article 29 group) has adopted general guidelines for the implementation of the Court's ruling on the right to be forgotten. The group has prepared 13 main criteria acting as a tool for the handling of complaints. The weighing includes, i.a., whether the person is a "public" figure such as a politician, whether he is a minor, or whether the data is sensitive e.g. religious opinions or the like.
SEARCH ENGINES MUST MAKE A SPECIFIC WEIGHING IN EACH SITUATION
As controller, the search engine must make a specific weighing in each situation whether to remove a link. In this connection, Google must - as a private company - make a weighing of the most important considerations compared to the public's interest in the information and the consideration for the individual.