On June 25, 2013, Advocate-General Jääskinen of the Court of Justice of the European Union (“CJEU”) delivered his Opinion in Google Spain S.L. and Google Inc. v Agencia Española de Protección de Datos (Case C-131/12, “Google v AEPD” or the “case”).
The case concerns Google Search results, and whether individuals have a right to erasure of search result links about them. The Opinion concludes that under current law, individuals have no such right. The European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”) would introduce a right to be forgotten. However, this Opinion appears to demonstrate unease with the basic concept of such a right.
Background to the Case
Google v AEPD concerns information including the name of an individual which had been published in a Spanish newspaper. The information related to sales of property arising from social security debts and was lawfully published by order of the relevant Ministry. An electronic version of the paper was made available by the newspaper. Searches against the name of the individual made over a decade later continued to deliver this information about the individual. The individual sought to have the material erased by the newspaper, however, he was unsuccessful as the Spanish data protection authority (Agencia Española de Protección de Datos or “AEPD”) held that the material was lawfully published and declined to order removal. The newspaper also refused to restrict the indexing of the page, so it continued to be available to search engines. However, the AEPD ordered Google Spain S.L. and Google Inc. (“Google”) to withdraw links to the information from the search engine index so it could not be accessed on a search.
Google appealed on the basis that: (1) Google Inc., as the provider of the search engine, was not within the scope of the EU Data Protection Directive (Directive 95/46/EC, the “Directive”); and, Google Spain, its local subsidiary, was not responsible for the search engine (although it promoted advertising on the service); (2) there was no processing of personal data in the search function; (3) even if there was processing, neither Google entity could be regarded as a data controller; and, (4) in any event, the data subject had no general right to the removal of lawfully published material.
Referral to the CJEU
The Spanish national court referred three main questions to the CJEU:
- whether the activities of the Google Inc. and the Spanish subsidiary brought the search engine within the territorial scope of the Directive;
- if so, whether the activity of the search engine in collecting, caching , indexing and retrieving data constituted “processing” under the Directive, for which the search engine would be the data controller; and,
- if so, whether the individual could invoke rights under the Directive to seek erasure or object to processing to have the data removed.
The answers were yes to the first question; yes, but only in part, to the second; and a resounding no to the final question.
Opinion of the Advocate-General
In terms of the application of the Directive and national law, the answers to the first two questions are both instructive and interesting. In terms of the current proposals from the EU (in particular, the Proposed Regulation), the answer to the final question indicates a deep unease with the concept of the right to be forgotten.
On the question of establishment, the Advocate-General rejected any notion that an organization could fall under the Directive on the basis that it targets users or customers in the EU, and emphasized that there must be grounds to bring the activities within Article 4 of the Directive (on establishment). Interestingly, the Advocate-General refused to accept the division of responsibility for provision of the different aspects of the business as a basis for determining establishment under the Directive, stating that “an economic operator must be considered a single unit…[and] not be dissected on the basis of its individual activities related to processing of personal data…”
The Advocate-General held that Google’s search activities involve the processing of personal data, as they include carrying out activities that fall within the definition of “processing,” such as collecting, retrieving and manipulating. However, Google does not thereby become a data controller for the content of delivered search results. The Advocate-General held that Google is not a data controller with respect to the source material on third-party websites, nor cached copies of those source materials held by Google. In the view of the Advocate-General, a data controller must be aware of a defined category of data and process with some degree of intent in respect of that data in order to be a controller.
However, Advocate-General Jääskinen did regard Google as controlling the index of connections between keywords and URLs, Google’s processing of which is legitimate as long as the index is accurate and complete. As such, a data protection authority cannot require Google to remove material from its index unless the authority can show that there is some other breach of the data protection rules with respect to the index.
The Advocate-General also considered the broader rights that could apply under the Charter of Fundamental Rights of the European Union, and emphasized the important question of how the rights of the individual to respect for private life and the rights of others are to be balanced. Here the Opinion strongly favors the importance of freedom of expression and militates against any imposition of a right to be forgotten. stating: “This would entail sacrificing pivotal rights such as freedom of expression and information.”
The role of the Advocate-General is to write a reasoned and impartial opinion on cases which involve new law before the CJEU. While not the judgment of the CJEU, opinions of Advocates-General are, however, influential papers. The final judgment of the CJEU will therefore be eagerly awaited on all aspects.