This article first appeared in the January 2015 issue of E-Commerce Law & Policy.
In May 2014 the Court of Justice of the European Union (“CJEU”) rendered its now-famous decision in Google v. Costeja(“Ruling”), enshrining the so-called “right to be forgotten” and confirming the application of EU data protection laws to search engine operators established outside the EU. The CJEU specifically recognized individuals’ right to request under certain conditions the removal, from a search engine’s results, of links to web pages infringing EU data protection laws. In practice the Ruling requires search engine operators to assess case-by-case the merits of each request for removal, and de-list from search results links to web pages containing data that is “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue carried out by the operator of the search engine.”
Notwithstanding the vagueness of the Ruling, and the absence of any immediate regulator guidance, within days search engine operators implemented online removal procedures, and set policies for when to remove results, whether to notify webmasters, whether to remove results in other countries, and when to note on the results list that results have been removed.
EU regulators have now had their first word on the application and interpretation of the Ruling. On 26 November 2014, the EU data protection authorities (“DPAs”), assembled in the Article 29 Working Party (“WP29”), adopted guidelines containing the DPAs’ common interpretation of the Ruling as well as 13 criteria to be used by DPAs when addressing complaints lodged by individuals following de-listing refusals by search engine operators.
There is no doubt that these Guidelines will help not only DPAs but also search engine operators refine their de-listing decision processes. The Guidelines are for the most part balanced and thoughtful, provide useful reminders of key aspects of the Ruling, and set the course for navigating between the right to be forgotten and the right of freedom of expression. They also confront the territorial reach of the right to be forgotten. Metaphorically speaking, the W29 has provided a map charting dangerous waters without plotting any specific course for what promises to be a long voyage.
Right to be Forgotten v. Freedom of Expression
The WP29 recalls the Ruling’s pronouncement that “the rights of the data subject prevail, as a general rule, over the economic interest of the search engine and that of internet users to have access to the personal information through the search engine”. Nonetheless, the Ruling opined that the right to be forgotten concerns only results obtained from searches on the basis of a person’s name, and therefore the W29 considers that the impact of right to be forgotten on freedom of expression “will prove to be very limited”. The Guidelines assert that the DPAs “will systematically take into account the interest of the public in having access to the information”, and specify that the fundamental right of freedom of expression is to be understood as “the freedom to receive and impart information and ideas” as expressed in Article 11 of the European Charter of Fundamental Rights. The Guidelines go on to discuss in some detail what constitutes “a role in public life” that would justify the public’s access to information.
But of perhaps more import, the WP29 has not circumvented potentially perilous territorial issues. In particular, the WP29 has clearly stated that a de-listing decision must be given effect on all domains, and not just on EU domains such as .de or .co.uk: “limiting the de-listing to EU domains (…) cannot be considered a sufficient mean to satisfactorily guarantee the rights of data subjects according to [Google v.Costeja]. In practice, this means that in any case de-listing should also be effective on all relevant domains, including .com“.
Although this expansion of the right to be forgotten has the advantage of more effectively protecting individuals’ rights, which could be too easily avoided otherwise, it raises serious concerns about the liability faced by EU establishments of non-EU search engine operators, as well as conflicts of laws issues.
Liability for EU establishments
In the immediate aftermath of the Ruling, Google decided to remove from search results links in searches from all 28 EU country code top level domains, as well as from the Google domains in Iceland, Liechtenstein, Norway and Switzerland, but not from google.com. The Guidelines, however, imply that an EU establishment is responsible for removing contentious links not only in its own jurisdiction, but also on the .com and other domains, regardless of whether the EU establishment operates the corresponding search engines. In fact, .com domains are often operated by a US parent company and consequently, an EU establishment may face sanctions under applicable local data protection laws if its parent company refuses to remove a link on its .com domain.
As if to underscore the issues facing EU establishments, the Guidelines’ position on the territorial application of the Ruling has already been approved by national courts. For example, on 16 September 2014, the Paris Civil Court ruling in an injunctive proceeding found Google’s French subsidiary liable for the processing of personal data carried out by Google, Inc., the US parent company that operates the search engine, and ordered Google France to pay a daily fine of €1,000 unless certain links were removed from the French domain and from searches run on google.com. Google eventually complied with the court order and removed the contentious links from its main domain.
Conflicts of laws
Arguably, the French delisting decision should have been easy since the complained-of web pages had already been judged libellous by a French court. But in other cases, adopting the position of the Guidelines may contradict solutions espoused by courts in other parts of the world.
Jurisdictions such as the US, which is home to some of the world’s largest search engines (Google, Bing, Yahoo!, Ask.com, and AOL), fiercely protect freedom of speech. Courts and regulatory bodies in the US have generally agreed that search engine operators’ search results are considered free speech. This consensus was upheld as recently as 13 November 2014 by Judge Ernest J. Goldsmith (San Francisco Superior Court of California) who ruled in favor of Google’s First Amendment right to order its search results as it sees fit. In that case, plaintiff, a website owner, had asserted that Google violated antitrust laws notably by wrongfully failing to list the website at the top of its search results; Google in turn filed an “anti-SLAPP” motion. SLAAPs (Strategic Lawsuit Against Public Participation) are lawsuits brought primarily to discourage speech about issues of public significance or public participation in government proceedings. California’s anti-SLAPP statute allows a defendant to file a special motion to strike a complaint based on an “act in furtherance of person’s right of petition or free speech under the United States or California Constitution in connection with a public issue.” In short, it may seem like a long shot to expect US search engines to systematically comply with the Ruling and the Guidelines.
** ** **
The Guidelines application will certainly evolve. But for now, search engine operators may choose between listing different results depending on the location of the person making the request, which may prove to be difficult and costly, or applying a worldwide approach to removal requests, which will exacerbate tensions between the right to be forgotten and the freedoms of speech and expression. Running the safest course between competing fundamental rights will remain a navigational challenge for some time to come.