On 13 May 2014, the European Court of Justice (ECJ) issued its preliminary ruling (the Ruling) in Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González. The Ruling establishes that the Data Protection Directive 95/46 (the Directive) affords individuals a “right to be forgotten” in certain circumstances that applies regardless of whether any undue prejudice can be shown. Preliminary rulings of the ECJ are legally binding and cannot be appealed. The Ruling must now be applied by the Spanish national court in the underlying proceedings.
Google is reportedly developing a software tool to enable it to remove links from searches to respect the right to be forgotten, but the fact-specific balancing of interests mandated by the Ruling, as discussed below, can be expected to generate many disputes leading to further legal proceedings in the months and years to come. The recognition of a right to be forgotten under EU law may also create pressure for this right to be recognized in other legal systems.
In the EU, the Ruling is likely to have far-reaching effects on the business of search engines and other businesses that provide information to the public in connection with an advertising activity, such as social media. The Ruling is less significant for publishers of the underlying websites. The Ruling would not appear to have significant implications for other businesses that process personal data for their own internal purposes without making such information available to the public.
Facts of the Case
In March 2010, Mr Costeja González, a Spanish national, brought a complaint to the AEPD, the Spanish national data protection authority, against La Vanguardia Ediciones SL, a Spanish online newspaper, Google Spain and Google Inc. (based in the USA). The complaint was based on the fact that a Google search of Mr Costeja’s name returned links to announcements published in 1998 mentioning a real estate auction connected with proceedings for the recovery of social security debts owed by Mr Costeja. Mr Costeja stated that these proceedings had been fully resolved for a number of years and that reference to them was now entirely irrelevant and potentially damaging to his reputation.
The AEPD rejected the claim against La Vanguardia on the grounds that the information was lawfully published by the newspaper, but the AEPD upheld the complaint against both Google Spain and Google Inc., finding that search engine operators carry out data processing activities and are thus subject to the Directive. In subsequent appeals by Google Inc. and Google Spain, the National High Court of Spain referred a series of questions to the ECJ for a preliminary ruling.
Search engine operators are independent data controllers
The ECJ found that the activities of a search engine operator fall within the scope of “processing personal data.” A search engine operator explores the internet automatically, constantly and systematically in search of published information and “collects” such data, which it “retrieves,” “records” and “organises” within the framework of its indexing programmes, “stores” on its servers and “disseminates” and “makes available” to its users. The search engine operator is the “controller” of this processing, which can be distinguished from and is additional to the activity carried out by website publishers. As a separate controller processing information, the search engine operator could therefore be challenged independently of the original website publisher.
Territorial scope of the Directive
The ECJ noted that, although the search element was operated entirely by Google Inc., its subsidiary, Google Spain, promoted and sold the advertising space that appeared beside the search results and without which the search would not be profitable. Google Spain was located in an EU member state and therefore “an establishment” in the EU. The ECJ considered that there was an “inextricable link” between the search and advertising elements and therefore all such activities could be classified as being “in the context of the establishment”. It considered that Google Inc. was the controller of the search activities.
A right to be forgotten?
In relation to the “right to be forgotten,” the ECJ considered that under the Directive a data subject may require a data controller to remove information that is incompatible with the Directive. The ECJ noted that incompatibility is not limited to information that is inaccurate or prejudicial; data that is inadequate, irrelevant or excessive, not kept up to date, or kept for longer than is necessary, can be incompatible with the Directive, unless it is required to be kept for historical, statistical or scientific purposes. It is not necessary for information to be prejudicial to the data subject for it to be incompatible with the Directive.
The ECJ considered that the application of the right to be forgotten must be decided on a case-by-case basis. Essentially, a court must conduct a balancing act. As a general rule, an individual’s right to a private life would override not only the economic interest of a search engine operator, but also the general public’s interest in finding information on a search engine based on a search of the data subject’s name that is incompatible with the requirements of the Directive, including where the information is out of date or has subsequently become irrelevant. However, the right of the data subject must be balanced against the public interest. If the data subject played a role in public life, for example, an argument could be made that making the data available is in the public’s general interest, and therefore the public should have access to it through internet searches.
On the facts of this case, concerning links to newspaper archives containing announcements relating to a real estate auction connected with attachment proceedings, it was decided that the information should no longer be linked to a results list based on a search of the data subject’s name, having regard to the sensitivity of the data subject’s private life and the fact that the initial publication had taken place 16 years earlier. The public did not appear to have any preponderant interest in having access to such search results, so the data subject’s right to private life prevailed. Mr Costeja could require Google to remove the links from the list of search results generated by a search of his name.
The Ruling is expected to have far-reaching effects for companies doing business in the EU, although the effect will vary significantly depending on the nature of their business.
Territorial scope of EU data protection law
The ECJ combined the search function undertaken in the US with the advertising sales function undertaken in Spain - the activity that makes the search function economically viable - as one “inextricably linked” set of activities to find that Google Inc. were processing individuals’ personal data in the “context of an establishment” in an EU member state. This approach confirms that courts will look through attempts to structure personal data processing operations to avoid the application of EU data protection laws. Businesses based outside the EU, particularly with sales agencies in the EU, that collect personal information about EU residents should therefore review any prior determination that their processing activities fall outside the EU jurisdiction.
Another costly data subject right to consider when designing IT systems and processes that store or use personal data
Businesses potentially caught by the “right to be forgotten” need to be prepared to educate individuals who might make such requests as to the parameters of such a right, so that they can meet legitimate requests and repel requests outside of its scope in a diplomatic, systematic and cost-effective way. Considerable thought and resources will be required for such companies to implement systems allowing subsets of personal data to be located, filtered and deleted, together with the decision-making parameters to meet data subject rights such as the data subject's right to access his/her data as well as any “right to be forgotten”.
Impact on search engines and similar businesses
The Ruling applies to online search engines, and the weighing of interests required by the Ruling is based on specific characteristics of that process. However, other businesses that provide links to personal information in connection with an advertising business, such as social media, are also likely to be directly affected by the Ruling. The fact that the ECJ held that information that is no longer relevant to the purpose for which it is processed can be incompatible with the Directive, without a need to show that the processing causes prejudice to the data subject, could encourage a flurry of requests from individuals to wipe all links to themselves from the indices of search engines, social media sites and similar businesses.
Impact on other businesses
The Ruling affords published information sources who can fall within the journalism and free speech exceptions greater ability to resist such a request. However, these exceptions may not apply to many internet services such as blogs, and their publishers or platform operators are likely to receive requests that test the scope of the Ruling.
Where the continued public availability of the primary source of the information about the individual (the web publisher) remains compliant, a key question is how long information about an average citizen can be kept before it becomes “irrelevant”, if he/she seeks to have it removed.
Individuals may seek to extend the principles in the Ruling to unpublished information, such as marketing databases, credit and insurance claims histories, etc, through the making of subject access requests followed by demands for a subset of the personal data to be deleted. However, it may be harder in these circumstances to conclude that data has become irrelevant to the purpose for which it was collected (as such purpose may be easier to articulate than for search engines and social media service providers).
The influence of the proposed EU General Data Protection Regulation
The EU institutions are currently debating a new EU General Data Protection Regulation (the Regulation) that will replace the Directive. The reforms include proposals to extend the territorial reach of EU data protection laws (such that there would be no doubt of their application where EU residents' personal data is collected) and to codify the “right to be forgotten”. Although it is not clear when the Regulation will be adopted, the debate seems to be encouraging litigants (and regulators and judges) to interpret existing laws in more expansive ways. All businesses operating in the EU should be aware of the data protection concepts being negotiated in the proposed Regulation due to their influence on current litigant, regulatory and judicial thinking and the impact they will have on business models that rely on the collection and use of personal data.