For first time The Court of Justice of the European Union (the “CJEU”) applies the right to be forgotten to a non-EU based internet search engine entity. However, its grounds for doing so raise issues to be considered by all. The CJEU judgment (the “Judgment”) inGoogle Spain SL, Google Inc. v Agencia Española de Protección de Datos, delivered on 13 May 2014 was another headline grabbing judgment concerning personal data. A number of reports led with the angle that the CJEU had created a new ‘right to be forgotten’, whereby search engines would be forced to remove people’s personal data on request. However these reports are not quite accurate. A qualified right to have personal data erased or blocked has always existed under EU data protection law (Directive 95/46/EC or the “Directive”). The Judgment, however, is the first time that the CJEU has applied this right to an Internet search engine (which handle data in a different way to conventional websites) and, of particular note, a non-EU based entity. The grounds on which it did so are worth analysing in order to try to determine how widely this right may be applied going forward.
The facts of the case were as follows: In 2010, Mario Costeja González, a Spanish national lodged a complaint with the Spanish Data Protection Agency, Agencia Española de Protección de Datos (the “AEPD”) based on the fact that a Google Search of his name provided links to articles from La Vanguardia Newspaper in 1998, which showed an announcement for a real-estate auction regarding his social security debts. He claimed these were resolved and now irrelevant and, relying on his rights under the Directive (or, to be more accurate, Spain’s applicable implementing legislation), requested that La Vanguardia remove the pages and that Google Spain or Google Inc. remove or conceal its search results for the pages. The AEPD rejected the complaint against La Vanguardia as the information had been lawfully published. However, the complaint was upheld against Google Spain and Google Inc. Google then brought two actions before the National High Court, which referred several questions to the CJEU.
In answering the questions, the CJEU effectively ruled that Google was obliged to remove the offending links. Certain tabloid newspapers are hailing this as a blow to free speech on the grounds that any individual may now demand a search engine refrain from returning unfavourable links containing their personal data.
What did the CJEU actually say?
Irrespective of the effect of the Judgment, it is important to realise that the CJEU has not introduced a new ‘right to be forgotten’. Such a right may be introduced under the General Data Protection Regulation, but the rights relied upon in the instant case were not new. An individual (or data subject to use the Directive’s terminology) has always had the right to require a data controller to rectify, erase or block data because it is incomplete or inaccurate (Art 12(b) of the Directive). Until the Judgment, this right had rarely been considered controversial. An illustration of its necessity is where an individual is unable to get credit because a credit ratings agency holds inaccurate data about them. In these circumstances, many people would consider it reasonable to ask that such inaccurate data be corrected or deleted.
An individual has also always had the right to object to the processing of their data where there are “compelling legitimate grounds” and the data controller has only been permitted to process their data in the first place because they had a legitimate interest or there was a public interest in doing so (Art 14(a) of the Directive). Again, in the past, this has proved an uncontroversial check on data controllers’ powers, involving a balancing exercise between the interests of two parties (who may be of unequal bargaining power).
However, search engines do not fit so obviously within the Directive’s definition of a ‘data controller’ in that they are, in the words of the CJEU, “intermediaries in the information society” locating and indexing data where it is available rather than making the data available themselves.
Application of the rules to search engines and non-EU based entities
For a business to be subject to EU data protection law, it must either process data “in the context of the activities of the controller” based within the territory of an EU member state (or somewhere where that state’s law applies) or make use of equipment in that member state for the processing. Like many global companies, Google has a number of long established EU subsidiaries which clearly process data and are subject to the Directive. However, Google argued that the activities of its subsidiaries are entirely separate to its search engine operations, which are conducted by the parent company, Google Inc. As Google Inc. is based in the United States and uses equipment the location of which is undisclosed by Google (for competition reasons), it argued that its search engine operations were not subject to EU law. The CJEU, however, dismissed this argument, instead ruling that the subsidiary’s selling of advertising (which appeared next to the search results) was a related service, meaning that the ‘processing of personal data’ undertaken when a search was made was in the context of the activities of the subsidiary, making the search engine operations subject to the Directive.
The CJEU also held that the existing qualified ‘right to be forgotten’ could apply to a search engine, such that the search engine operator may (in response to a legitimate request) be required to remove from the list of results displayed following a search made on the basis of their name links to web pages, published by third parties and containing information relating to that person, even where that information has not been erased from the web pages themselves, and even, as the case may be, when its publication on those pages is lawful.
The CJEU also ruled that an Internet search engine’s operations do constitute processing of personal data, for which the search engine is the data controller, irrespective of whether the material comprising the results had already been published by a third party or not and contains non-personal data along with personal data.
What does this mean?
To deal with the easiest point first, it is perhaps unsurprising that a search engine was held to process personal data. The definitions of processing and data controller under the Directive are broad, and the CJEU has stretched the law further than this in the past to achieve what some may consider to be a policy related objective.
Turning next to the ‘right to be forgotten’ being applied to search engines, this has been the headline grabber and it is of note that search engines may find it very costly to comply with the increased number of takedown requests that will surely follow. Questions such as (a) how will they respond to requests (and in what timeframe)? (b) If they get too many requests to have each one dealt with by a living person, will the default position be to comply due to liability fears? (c) Can an individual only insist that a search for their name be censored or will search engines have to screen other search terms (nicknames, aliases, sobriquets etc.)? To answer these questions may be costly for search engine providers, but it may not be as draconian a restriction on free speech as is being made out by certain reports. The example of the miscreant politician wiping his online slate clean before running for office is unlikely to happen given that the CJEU did note that the interest of the general public in finding certain information may override the right to have it deleted.
However, perhaps the most far-reaching effect of the Judgment is that the territorial scope of the Directive may now apply to a greater number of businesses than previously thought. A very large number of global businesses are likely to have an establishment within the EU that processes personal data. Whilst that EU establishment will always have been subject to the Directive, such businesses have not previously needed to worry about EU data protection law applying to their non-EU subsidiaries even where those subsidiaries target their services to EU consumers. This is now less certain. Where an EU affiliate provides services related to data processing of non-EU affiliates that target the EU, this may bring the processing of personal data by those non-EU affiliates within the scope of EU law. As a brief aside, it is of note that this achieves a similar result as other mechanisms currently contained in the draft General Data Protection Regulation (also broadening the extra-territorial reach of EU law), which raises the question of whether the CJEU, intentionally or not, is aligning current law to future intentions. However, regardless of future developments, it is the current broadening of the law’s extra-territorial reach that may affect the broadest range of businesses in the short term and it is surely this issue over which global businesses may now require some further clarity.