Individuals have right to request Google to delete links to webpages with their personal data from Google search results even if publication of such information on those webpages is lawful
In a startling decision of 13 May 2014, the Court of Justice of the European Union (ECJ) found that:
- search engine operators qualify as "data controller" of the personal data contained in third party webpages that they make available in the search results. They are therefore fully responsible for the content they display
- individuals have a right to request from the search engine operator that links to third party websites with personal data be deleted from its search results, when this information published is inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing by the operator. The search engine operator is obliged to do so, even if that information is still published legitimately on the internet
Spanish law applied because the data processing by Google Inc. in the US should be considered to (also) take place in the context of the activities of its Spanish sales office of advertising space for the US search engine.
The ruling was unexpected, as the ECJ's Advocate General came earlier to a different conclusion, namely that Google should not be considered as "data controller" of the processing of personal data published on third parties' webpages. Advocate General further recommended to not recognise the right of individuals to directly address a search engine operator with requests to prevent indexing of personal information published legally on third parties' webpages.
The ECJ appears to be continuing a recent trend of extending obligations of internet service providers to control third party web content. In Delfi AS v. Estonia, another European judicial body - the European Court of Human Rights (ECHR) - held that an internet service provider is strictly liable for defamatory content in user-generated content.
The decision by the ECJ is final and binding for all 28 EU Member States. Along with Google, the decision has the potential to affect not only the operations of all search engines with establishments in the EU, but of any integrator of third party data sources containing personal data. The ruling on the scope of application of the EU Directive on Data Protection (the Directive) confirms earlier opinions of the Working Party 29 and contains no surprises, though many non-EU businesses with EU sales offices may only now realise that the Directive will also apply to the their processing of data of EU citizens.
Though many commentators claim that the obligations imposed on search engine operators (and other content aggregators) will lead to an explosion of take-down requests whenever content is considered offensive by individuals, our prediction is that search engines will find ways to prevent such requests by disenabling name searches altogether, discarding certain sources or developing and implementing rules of thumb when certain (categories of) information will be considered no longer relevant or past their "shelf life". The concept of shelf life of information is not new and already applies to many categories of data, such as credit history, bankruptcy information and criminal records, a concept also known in non-EEA jurisdictions. For instance the US Fair Credit Reporting Act restricts the ability of consumer reporting agencies to report on bankruptcies and criminal proceedings that are beyond a certain number of years old.
With this ruling the ECJ may have provided a very balanced way forward in the difficult discussion of the "right to be forgotten" which is currently included in the proposed EU Regulation on Data Protection. The new article 17 provides that individuals can request erasure by the controller of any data which is inaccurate, incomplete or no longer up to date and to obtain from third parties erasure of links and copies of such data as well. The original controller will further have to take all reasonable steps to have the data erased also by third parties. This right to be forgotten is much debated based on arguments of the freedom of expression, where legitimately published content could be censored at a later time as it is no longer relevant. The task imposed on the original controller seems unduly burdensome, requiring a search of which third parties have linked to its publication and further published the data.
The ECJ provides for an alternative way forward, striking a better balance between the
issues at stake. The basis for this alternative approach is that the ECJ considers that the data processing by a search engine operator has a different processing purpose than the publisher of the initial publication. By providing a structured overview of the information relating to an individual with a more or less detailed profile of him, the activity of a search engine affects significantly, and additionally the rights of individuals to privacy and protection of personal data. This entails that if the original publisher may benefit from e.g. the exception for journalistic purposes, this does not automatically mean that the search engine may thus enjoy the same exception. This justifies the right of individuals to request deletion of links to such third party webpages based on a search on their name (it remaining possible for information to be searchable by other key words), while the content of the webpage would be left unchanged.
By ruling that publication by aggregators is not always tied in with the source publication, the ECJ strikes a balance between preserving the expression of freedom (the source publications remain in place), while at the same time mitigating the additional exposure of individuals due to the extraordinary search capacities of search engines which prove to result in an unforgiving, indestructible permanent archive. This solution more resembles the past, when life was more forgiving due to the mere fact that the collection of press and other publications became more cumbersome over time.
Specifics of the case
The ECJ was asked to decide on a Spanish dispute over the "right to be forgotten", where individuals can request web companies to delete their personal information from their servers.
The Spanish National High Court sought a preliminary ruling from the ECJ after Google challenged an order from the Spanish Data Protection Authority to remove links to a newspaper publication about a man whose house was put to auction 16 years ago in order to recover social security debts.
ECJ was asked to answer four main questions:
On 13 May 2014, the ECJ answered affirmative to all four questions: Google processes personal data, qualifies as a "data controller" in that respect, Google is subject to EU (in this case Spanish) data protection law and is in principle obliged to remove from its search results the links to the third parties' pages containing personal information of individuals.
Google processes personal data and qualifies as "data controller"
Processing of personal data
The ECJ confirmed that search engines process personal data as they retrieve, index, store and make available personal data in its search result.
This ruling confirms earlier case law of the ECJ in which it held that the operation of loading personal data on an internet page must be considered to be such ‘processing’ within the meaning of Article 2(b) of the EU Data Protection Directive (C-101/01 Lindqvist EU:C:2003:596) and that operations under Article 2(b) must also be classified as processing where they exclusively concern material that has already been published in unaltered form in the media (Case C-73/07 Satakunnan Markkinapörssi and Satamedia EU:C:2008:727).
The search engine operator further qualifies as the "controller" in respect of such processing of personal data because it is the search engine operator who determines the purposes and means of the processing of personal data.
Google reasoned that the activity of search engines cannot be regarded as processing of the data which are already published on third parties' webpages and are displayed in the list of search results; search engines also process the information available without selecting between personal data and other information.
The ECJ disagreed, reasoning that the activity of a search engine plays a decisive role in the overall dissemination of personal data by making the data accessible to any internet user, including the users who otherwise would not have found the webpage on which those data are published. By providing a structured overview of the information relating to an individual with a more or less detailed profile of him, the activity of a search engine affects significantly, and additionally the fundamental rights to privacy and to the protection of personal data.
The extent of the responsibility of the search engine operator
The ECJ decision puts an obligation on search engine operators to handle and evaluate requests from individuals who want to have links to harmful or unflattering content removed from the search results, even if the material was published lawfully or as part of a government publication, also in a case when that information is not erased beforehand or simultaneously from those webpages.
The ruling is based on Article 12(b) of the Directive that provides that Member States are to guarantee every data subject the right to obtain from the controller the rectification, erasure or blocking of data the processing of which does not comply with the provisions of the Directive. The ECJ indicates that this right exists if, at the relevant point in time, the information appears, having regard to all the circumstances of the case, to be inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing by
the operator of the search engine. The ECJ indicates that this right is not dependant on establishing of the fact that the inclusion of the information in question in the list of results causes prejudice to the data subject. The ECJ states that the right to be forgotten overrides, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the individual in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of inclusion in the list of results, access to the information in question.
Requests may be addressed by individuals directly to the controller who must then duly examine their merits and, possibly, end processing of the data in question. Where the controller does not grant the request, the data subject may still revert to a data protection authority or court, which can still order the controller to remove the links.
Liability trends for online content
In a recent case Delfi AS v. Estonia, the court of first instance of the ECHR held that an internet service provider is strictly liable for defamatory content in any user-generated content posted on their website. In that case Delfi, an Internet news portal, was held responsible in national courts for defamatory comments posted by a non-identifiable user in the portal's comments section. Commenting was possible through a non-moderated system; there was technology in place to filter out certain objectionable language and to remove messages on the request of third parties. Delfi took down the offensive comments as soon as it was notified, but Estonian courts held that the portal should have prevented clearly unlawful comment from being published. The Supreme Court of Estonia rejected Delfi's argument that, under EU Directive 2000/31/EC on Electronic Commerce, its role as an Internet society service provider or storage host was merely technical, passive and neutral, and held that the portal exercised control over the publication of comments. When Delfi lodged a complaint with the ECHR, the Court concluded unanimously that the domestic courts’ findings were a justified and proportionate restriction on Delfi’s right to freedom of expression, in particular, because the comments were highly offensive to the relevant individual, the portal failed to prevent them from becoming public, profited from their existence, but allowed their authors to remain anonymous, and the fine imposed by the Estonian courts was not excessive.
In January 2014, Delfi lodged an appeal with the Grand Chamber of the ECHR, supported by 70 media organisations, internet companies, human rights groups and academic institutions, including Google, Forbes, News Corp, Thomson Reuters, the New York Times, Bloomberg News. The Grand Chamber of the ECHR was apparently not impressed and in February rejected the appeal.
Spanish data protection law applies
The ECJ concluded that the data processing by Google Search operated by Google Inc. in the US should be considered to (also) take place in the context of the activities of the
Spanish establishment of Google and is therefore subject to Spanish data protection law.
Google Search is a worldwide service operated by Google Inc., which is the parent company of the Google Group and has its seat in the United States. Google Search indexes websites throughout the world, including websites located in Spain. The information indexed by Google Search is stored temporarily on servers on (for competition reasons) undisclosed locations. Google Search gives access to content hosted on the indexed websites and, most importantly for the context of this case, includes ads associated with the internet users’ search terms offering goods or services to the internet users. Google Spain, a subsidiary with separate legal personality and its seat in Spain, promotes, facilitates and effects the sale of online advertising products and services to third parties and the marketing of that advertising.
ECJ found undisputable that Google Spain engages in the effective and real exercise of activity through stable arrangements in Spain, has separate legal personality, constitutes a subsidiary of Google Inc. on Spanish territory and, therefore, is an "establishment" within the meaning of the Directive. However, for the Directive to apply, the processing of personal data by the controller should be "carried out in the context of the activities" of such establishment in the territory of the relevant Member State. Google contested that this is the case since the processing of personal data at issue is carried out exclusively by Google Inc. without any involvement or intervention on the part of Google Spain.
The ECJ ruled that the processing of data by Google Search, which is operated in the US but has an establishment in a Member State, is carried out in the context of the activities of that establishment if the establishment is "intended to promote and sell in that Member State advertising space offered by the search engine which serves to make the service offered by that engine profitable". The ECJ considered the activities of the operator of the search engine and the activities of the sales office in the Member State "inextricably linked" since the activities relating to the advertising space constitute the means of rendering the search engine economically profitable and that engine is, at the same time, the means enabling those activities to be performed, i.e. the very display of personal data on a search results page is accompanied, on the same page, by the display of advertising linked to the search terms. With this ruling Google has become subject to the laws of all Member States where it has advertising subsidiaries as well as becoming subject to their data protection authorities.
The ruling on the scope of application of the Directive confirms earlier opinions of the Working Party 29 on Search Engines and on Applicable Law, and contains no surprises, though many non-EU businesses with EU sales or other offices may only now realise that the Directive will also apply to the their processing of data of EU citizens. This will probably be different only if the activities of the EU establishment have no connection with the non- EU services, e.g. if they are involved in a different line of business having no connection at all to the non-EU services.