A recent judgment of the highest court in the European Union announced that search engines within the court’s jurisdiction must respond to “right to be forgotten” requests. This authoritative interpretation of the existing data protection laws may create significant issues for Internet intermediaries and exacerbate the differences between the European privacy-based “right to be forgotten” and the United States’ free-speech based “right to remember.” This judgment will have a significant impact not only on search engine companies and publishers, but also on many other industries, including financial services and life sciences, that need to maintain data on individuals for legitimate business reasons, often for lengthy periods.
The case arose in 2012, when the Audiencia Nacional (the Spanish National High Court) referred a series of questions to the Court of Justice of the European Union (the “CJEU”) on the interpretation of articles of the Data Protection Directive 95/46/EC (the “Directive”) – specifically, on its material and territorial scope, data subject rights, and Articles 7 and 8 of the EU Charter of Fundamental Rights (the “Charter”).
This request was made in the context of a case initiated by a Spanish citizen against Google Inc. and Google Spain SL, relating to his request for deletion of information about him displayed in Google results. The information at issue was an announcement of the Spanish citizen’s name in connection with a real-estate auction of a property seized for non-payment of social security contributions that was published in a Spanish newspaper in 1998. The complaint made was that the information should now be removed from the Google search result links because the debts had been satisfied and reference to them was no longer relevant.
The CJEU issued its judgment on May 13, 2014.
In a judgment welcomed by EU Justice Commissioner Viviane Reding, the court found that:
- The activity of a search engine is the processing of personal data within the meaning of the Directive. To be specific, the CJEU found that search engines automatically, constantly and systematically search for information published on the internet by third parties, index it automatically, save it temporarily and make it available in a specific order. It then held that these actions are “processing personal data” within the meaning of the Directive when that information contains personal data.
- The operator of a search engine is a “controller” of that data within the meaning of the Directive regarding such processing of personal data.
- Processing personal data “in the context of the activities of an establishment” of a data controller on the territory of an EU Member State subjects it to EU jurisdiction under the Directive. That is, the search engine’s operation of a branch or subsidiary intended to promote and sell advertising space offered by that engine, with activity oriented towards the inhabitants of that Member State results in the processing of personal data by the search engine operator acting as a controller in the context of the activities of an establishment in a Member State. Such processing should therefore fall under the scope of the Directive.
- The Directive must not be “interpreted restrictively” in light of its objective to ensure effective and complete protection of the fundamental rights of persons, in particular their right to privacy.
Individuals have a right “to be forgotten.” It found this right on the basis of the rights of individuals under the Directive to obtain, as appropriate, the rectification, erasure or blocking of data which do not comply with the provisions of the Data Protection Directive, in particular because of the incomplete or inaccurate nature of the data,1 and the right to object to the processing of their personal data.2
Given this reasoning, the CJEU ruled that search engine operators are obliged to remove from the list of results displayed following a search made on the basis of a person’s name, links to web pages even if the publication itself on those web pages is lawful.
In its judgment, the CJEU also referred to the right of individuals to respect his or her private and family life, home and communications3 and a right to the protection of personal data concerning him or her4 under the Charter and observed that in light of these rights, individuals may request that information about them to no longer be made available. The CJEU however held that a “fair balance” should be sought between the legitimate interest of internet users potentially interested in having access to that information, and the data subject’s fundamental rights. The court held, “the data subject’s rights…override, as a general rule, that interest of internet users [to access information].”
In addition, the CJEU noted that there could be a preponderant interest of the public in having access to the information that could justify the retention of that link, such as if the data subject is a public figure.
Freedom of Expression Mentioned Only Once
Interestingly, the judgment does not discuss the fundamental right to freedom of expression under Article 11 of the Charter and Article 9 of the Directive under which Member States shall provide for “exemptions or derogations” from the Directive “for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.” This provision is cited only once in the decision and is the sole reference to the right to freedom of expression.
Sharp Contrast to United States Approach
This is a significant contrast to the U.S. approach where freedom of speech, including corporate communications, would be weighed much more heavily against privacy concerns, as national legislation and precedent at the Supreme Court demonstrates. For example, Congress insulated internet operators from responsibility for the content others posted on their web pages in the Communications Decency Act Section 230. The Act, one of the most seminal protections for the Internet, was passed to enhance Internet service providers’ ability to delete or otherwise monitor online content without themselves becoming publishers and thereby subjecting themselves to heightened liability. This law reflects the significant weight accorded to free speech in the United States, and the importance of intermediary immunity to the development of the Internet.
Similarly, the Supreme Court held in Sorrell v. IMS Health (131 S. Ct. 2653) in 2011 that a Vermont statute that restricted the sale, disclosure and use of records that revealed the prescribing practices of individual doctors violated the First Amendment. The Supreme Court held that companies’ First Amendment right to speech trumped Vermont’s claim that the law was necessary to protect medical privacy.
Consistency with European Proposals
This CJEU decision has been widely seen within the EU as predictable and in line with the will of the EU Commission and Parliament to strengthen protection of personal data of Europeans; indeed, it was declared a “victory” by Viviane Reding.
Although an interpretation of the existing Directive, the decision is also consistent with at least some versions of the proposed EU Data Protection Regulation. The proposed Regulation would purport to protect the personal data of EU citizens whether processed in or outside the EU – giving it a massive extra-territorial application to businesses established in the EU but also to businesses outside the EU that offer goods or services to European customers.
Although the CJEU found an implied right to be forgotten, the proposed Regulation includes a similar express right for individuals to have personal data erased where no longer necessary or where they withdraw consent. The proposed Regulation, however, does not expressly contemplate such a stark intermediary liability provision, as results from the CJEU judgment.
Significance of the Decision
The decision is arguably the starkest conflict yet between privacy efforts in the United States and the European Union, and will likely have a deep impact on search, advertising, credit and Internet intermediary industries as well as many other industries such as financial services and life sciences. The decision may constitute the high-water mark of EU data protection efforts, and it remains to be seen whether the decision will change how Google and its competitors operate in the U.S. and globally. Whatever the impact on business, this decision will present significant difficulties for the global presentation of online information by international Internet companies.
In terms of European law, it certainly marks a significant derogation of the fundamental right of freedom of expression, including the fundamental right of Internet users to receive a free flow of information (Article 11). While the court indicated that some balancing of individual privacy and the rights of Internet users was appropriate, it provided precious little guidance on how or when to strike that balance. The court was also entirely dismissive of Google’s economic interests, notwithstanding the fundamental rights expressed in Articles 16 (right to conduct a business) and 17 (protection of property). Moreover, because the court expressly found that the original publication of the relevant information by the Spanish newspaper was proper, and need not be taken down, the “right to be forgotten” obligations were imposed only on search engines. This decision also creates a host of conflicts of laws issues, including complicating the proposed “one stop shop” for the European Data Protection Regulation, given that it recognized Spanish authority to proceed with a complaint against a company whose servers are located outside of Spain.
More generally, it may prove difficult to reconcile this decision with general expectations in the Information Age, and it may result in less consensus on the proposed Regulation. It will be interesting to see whether this decision will be accepted by technology companies and citizens in Europe. In effect, the court’s judgment can be argued as allowing and even encouraging pervasive censorship of the Internet by self-interested individuals who would prefer that truthful, public information be edited out of the historical record. Given that the case related to the non-payment of apparently justly-owed debts, it could also impact the ability of companies to “remember” customers in their records such as where a particular customer failed to pay them previously or to share such information with other companies through credit reports.
In sum, the decision signifies that the most striking point of departure yet between the U.S. and EU over data protection – with the decision raising not only fundamental privacy issues but also concerns as to freedom of expression, the right to communicate, and the right to remember historical facts. The transatlantic divide on these issues may be in the process of expanding, rather than narrowing, with the prospect of global commerce being caught in the chasm.