The CJEU has handed down a highly controversial judgment which supports an existing right to be forgotten online and has a number of other critical implications.
What's the issue?
One of the most controversial new rights in the draft EC data protection Regulation is the right to be forgotten online. A man in Spain has tried to pre-empt this by applying current data protection law in relation to lawfully published personal information which he says creates a negative impression of him. His grievance was directed at Google as search engine provider because the article to which he objected came up against Google searches of his name. Google argued it was not subject to EU data protection law in relation to its search engine operation, that it was acting as intermediary not data controller in relation to third party web pages, and that it could not be required to monitor and/or erase such data under current law. A number of references were made by the Spanish Court to the Court of Justice of the European Union (CJEU) in relation to this case which is widely seen as a test for the workability of the right to be forgotten. In fact, the case is interesting on a number of levels as it also covers other highly significant issues.
Advocate General Jääskinen (AG) published a non-binding Opinion on questions referred to the CJEU in this case. While the AG opined that Google was subject to EU data protection law in relation to its search engine data, the AG agreed with Google that it was not a data controller of personal data on third party web pages and that it was acting as an intermediary. While Google was a data controller in respect of the data generated in search results, it could rely on the "legitimate interests" exception to process the data. He also found that there is nothing in current EU data protection law which gives an individual the right to be forgotten in respect of lawfully published data.
What's the development?
The Court of Justice of the European Union (CJEU) has handed down judgment in this case which differs from the Opinion in a number of critical respects. While the CJEU broadly agrees with the AG on the jurisdiction point and on whether or when Google can be said to be a data processor or a data controller, the CJEU holds that the rights of the individual are likely to trump the legitimate interests of the search engine as data controller. In addition, unless there is a particular interest in the public having access to certain information, the individual can rely on his right to privacy and data protection taking precedence over the rights of internet users and the search engines to freedom of expression, freedom of information and the right to carry out a business, in order to have search result links removed and disabled – thereby creating an effective 'right to be forgotten'.
What does this mean for you?
This is a judgment with far-reaching consequences, not only for search engines but also, potentially, for non-EU companies which process the personal data of EU citizens outside the EU but which have a European subsidiary. In addition, it takes an unexpected view on the balance between the fundamental rights to privacy and to freedom of expression. It potentially means:
- search engines and, by implication, non-EU companies with sales and marketing subsidiaries in the EU are subject to European data protection law with respect to data processed relating to EU citizens wherever that data is processed;
- search engines are data controllers of the personal data which appears in their results and cannot rely on the exception of legitimate interests to justify that processing where it conflicts with the rights of an individual; and
- individuals can (subject to limited exceptions) effectively rely on their rights to privacy and to data protection to request that search engines disable links to third party pages, whether or not it is prejudicial, if they can show the data is no longer processed lawfully and that their rights to privacy and data protection take precedence over the rights of internet users and search engines. This potentially confirms an existing, 'right to be forgotten' online.
The reference essentially asks for a decision on whether Google can be considered to be subject to EU data protection law in relation to its search engine operation; whether it processes personal data in relation to its search engine and, if yes, whether it is a data controller of such data i.e. whether it is a data controller or an intermediary in this situation. It also, in effect, asks for a decision on whether a 'right to be forgotten' can be extrapolated from various rights under the Data Protection Directive 1995 (Directive) viewed in the wider context of the Charter of Fundamental Rights of the European Union.
In answering the questions raised, the CJEU looked at:
- the scope of EU data protection law and under what circumstances a search engine provider will be held to be processing personal data in the context of the activities of an establishment of the controller;
- whether a search engine processes personal data in relation to its search results and, if yes, in what circumstances it can be considered to be a controller of such data; and
- the nature of the search engine's obligations as data controller and whether a 'right to be forgotten' can be founded on rights under the Directive to erase and block data and object to its processing.
The Spanish Data Protection Authority, the AEPD, received a complaint from an individual who argued that Googling his name took users to a newspaper article about the auction of his house and his failure to pay social security contributions and, therefore, a negative impression was created about him. The AEPD ordered Google to de-list the link to the article. Google argued that it is not subject to EU data protection law in this case because although it has a Spanish subsidiary, the subsidiary is only responsible for selling advertising. Its search engine business is based in the US and so should not be subject to EU data protection law. The AEPD argued that Google indexes Spanish websites using crawlers and robots and uses a Spanish domain name so it does have a Spanish nexus.
Google also declined to comply with the order on the grounds that it was not the data controller but was acting as an intermediary; it was linking to factually correct information and it was up to the newspaper as data controller to remove the link.
The Commission argued in hearings that Google has a nexus within the EU and that it should, therefore, be required to comply with the AEPD's direction to remove the link and ensure it was deleted worldwide. It also said that in the process of compiling and organising information, Google should be considered to be a data controller.
Google argued that it would be impossible to comply with the AEPD's request without removing the link to the entire web page in question and that even if it were technically possible to do so, it would be disproportionate to place such a burden on Google. In a blog, Google said that the CJEU had to consider whether search engines should be required to remove links to valid legal material which still exists online, distinguishing such material from information which is incorrect, defamatory or otherwise illegal.
During the hearings, the panel of 15 judges voiced concerns with the Commission's approach which is contrary to a 2009 Article 29 Working Party Opinion on the responsibilities of search engines. Concern centred around the idea that defining a search engine as a data controller might be "excessive" and that a broad interpretation of legislation would give the EU "universal jurisdiction" which would be a dangerous precedent to set, opening the door for other countries to assert jurisdiction in the EU.
In his non-binding Opinion, the AG opined as follows:
A search engine provider will be processing personal data carried out in the context of the activities of an establishment of the controller where an entity such as an office or subsidiary is set up in a member state for the purposes of promoting and selling advertising space on the search engine and it orientates its activity towards the inhabitants of that Member State. In that case, national data protection law will apply.
A search engine provider processes personal data (in relation to data on third party web pages) but cannot be said to be a controller of that data. Where the search engine provider is a data controller (for example in relation to a search engine index) the processing can be justified on the grounds of legitimate interests.
Right to be forgotten?
There is currently no right to be forgotten. The rights to erasure and blocking of data and the right to object to processing of personal data, do not apply to personal data published lawfully on third party web pages.
The CJEU took the following view:
Google argued that any personal data processed by its Spanish subsidiary had no connection with its search engine activities operated from the US. The CJEU's view, however, is that the Directive does not require the processing of the personal data in question to be carried out by the establishment concerned, but only in the context of the activities of that establishment. Google Spain, it says, is an establishment of Google Inc. within the meaning of Article 4(1)(a) of the Directive. Its activities are "inextricably linked" with those of Google Inc. since they relate to the advertising space used by Google Inc. to enhance its profitability and they would not exist without the search engine. The CJEU concludes that: "Article 4(1)(a) of Directive 95/46 is to be interpreted as meaning that processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a Member State within the meaning of that provision, when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State".
The CJEU agrees with the conclusions of the AG up to a point on this issue. It holds that not only is Google clearly processing personal data by indexing it automatically, storing it temporarily and making it available to third parties in a particular order, it is also the data controller of that data as it determines the purposes and means of that activity.
Distinguishing the personal data processed by a search engine from that published by a third party on a web page, the CJEU emphasises the "decisive role in the overall dissemination of those data", both in terms of the users' access to it but also in creating "a structured overview of the information relating to that individual that can be found on the internet enabling them to establish a more or less detailed profile of the data subject". As such, the activities of a search engine are likely to "affect significantly and additionally, compared with that of the publishers of websites, the fundamental rights to privacy and to the protection of personal data" and it must consequently comply in full with the Directive. The CJEU goes on to say: "furthermore, the effect of the interference with those rights of the data subject is heightened on account of the important role played by the internet and search engines in a modern society, which renders the information contained in such a list of results ubiquitous".
The AG opined that, while a search engine was a data controller in respect of the index of the search engine, its activities in providing search engine services were in pursuit of legitimate interests (Article 7(f) of the Directive). These purposes related to the fundamental rights of freedom of information and freedom of expression as well as freedom to conduct a business. The AG also took a very different view of the nature of the data produced by search results, arguing that they revealed a limited set of information which was in line with the requirements under Article 6 of the Directive that personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected. He also argued that the interests of the individual had to be weighed against those of the data controller or third parties in whose interest the processing is exercised.
The final CJEU judgment finds a very different balance. Not only does it take a much more robust view of the risk to an individual's privacy and data protection created by a set of search results, it also fails to give weight to the legitimate interests of the search engine or the fundamental rights of the business and its users in terms of the processing (although it does consider them in relation to the right to be forgotten). In fact, it stresses that "in the light of the potential seriousness of that interference, it is clear that [the processing] cannot be justified by merely the economic interest which that operator of such an engine has in that processing".
Right to be forgotten?
The final issue is the extent of the responsibility of the search engine as data controller and whether this can culminate in it being obliged to remove from the list of results made against a person's name, links to web pages published by third parties, even where that publication is lawful. In other words, whether or not existing law creates a 'right to be forgotten' which can be enforced against search engines.
Google argued that it would not be proportionate to ask them to take responsibility for removing information and that it would be more appropriate to go direct to the publisher of the web pages in question. In addition, they argued that requiring a search engine to withdraw information about the internet from its search results would infringe on the fundamental rights of publishers of websites, internet users and the search engine operators. It was also argued that publication of the search results was justified by the legitimate interests of the search engine provider under Article 7(f) of the Directive.
The CJEU says that Article 7(f) does not apply where overridden by the interests or fundamental rights and freedoms of the data subject. The CJEU argues that a set of search results can give greater importance to particular data than the article in which it was originally published and is, consequently, potentially more intrusive, so it is even more important to give weight to the rights of the individual.
The data subject is entitled to rely on its rights under the Directive to rectification, blocking and erasure where the data is being processed in breach of the requirement to do so fairly and lawfully. This might include where consent has been withdrawn if there are no other legitimate grounds for the processing. It can also apply where data has been kept for longer than is arguably relevant. Initially lawful processing may, therefore, become unlawful over time. While publishers may well have the benefit of the journalism exemption, this does not apply to search engines and the CJEU uses this point to make the argument that it is precisely because of this that it is important for data subjects to have recourse directly against the search engines. Where the data controller does not comply with such a request, the data subject is entitled to take the matter to the relevant supervisory authority.
In terms of the right to be forgotten, the CJEU holds that there is no need for the data subject to show that the data in question is inaccurate or causes prejudice to the data subject. The data subject's rights to privacy and to data protection will override the economic interest of the search engine operator but also the interest of the general public in finding that information unless the public interest in doing so outweighs the rights of the individual, for example, if the individual plays a role in public life.
Like the AG, the CEJU considers the balance between the fundamental rights of the data subject to privacy and data protection on the one hand, and the rights to freedom of expression, freedom of information and freedom to conduct a business on the other. The AG argued that a subjective preference alone does not amount to a compelling legitimate ground for objection and the Directive does not entitle a person to restrict or terminate dissemination of personal data which they consider to be harmful or contrary to their interests. The AG held that the rights to a private life and to protection of personal data could not take precedence over other rights. The CJEU has taken almost an opposing view, and the ruling suggests that only in unusual circumstances can the rights of the individual be trumped in this context.
This ruling, while welcomed by the architects of the proposed European data protection legislation, is likely to cause considerable difficulty for Google and other search engines. The European Union has been trending towards the view that any organisation which processes the personal data of EU citizens should be subject to European data protection law in relation to that processing for some time now and the draft EC data protection Regulation aims to enshrine the view in law. Nevertheless, this judgment will be a disappointment for companies which have historically successfully argued that they are not subject to European data protection law on the grounds that the data they process is not processed inside European borders.
The judgment places search engines like Google in the extremely difficult (and many would argue unfair) position of having to balance fundamental rights of the parties in each case at issue and having to determine the ongoing lawfulness of processing data, even when it was clearly originally lawfully processed and may still be lawfully processed on the third party web pages to which their search results link. It also opens the floodgates to an overwhelming barrage of complaints which both search engines and the data protection regulators will struggle to deal with.
It remains to be seen how they and the various Member States deal with the fall-out but the ruling does show a worrying tendency to prioritise the rights of the individual over freedom of expression and freedom of information.