In May 2014 the Court of Justice of the European Union (the ECJ) ruled that Google must remove from its search results links to websites containing inaccurate, inadequate and/or out of date personal information on its subjects, even where that information has been lawfully published by a third party (such as a newspaper). This has been widely publicised as a landmark application of a so- called “right to be forgotten”.
The Judgment covers a range of interlinking points arising under the Data Protection Directive 95/46/EC and has a significance which goes beyond the Google case itself. In this QuickStudy, we summarise the ruling in the case and then go on to comment on the findings of the Court as to what constitutes the “processing” of personal data and who is a “controller.” Although the Judgment related to a case brought under Spanish national law, it will be equally applicable to the Data Protection Act 1998 which implements the Directive in the UK.
Summary of the Case
The case involved a complaint by Mr. Gonzalez, a Spanish national, that when his name was entered into the search engine of Google, links to articles in La Vanguardia newspaper from 1998 were generated, detailing the home repossession proceedings brought against him at that time. Mr. Gonzalez requested that the Spanish Data Protection Agency require Google to remove these search results, arguing that the information was entirely irrelevant as the proceedings had been fully resolved for a number of years.
The ECJ held that an individual has the right to request search engines not to include links to personal data which, having regard to all the circumstances, appears inadequate, irrelevant or no longer relevant, or excessive. The Court ruling expressly referred to searches made on the basis of the name of the individual and gives little indication as to whether it will apply also to searches made on some other basis.
In response to the decision, Google has already launched an online request form allowing individuals within the EU to ask for personal data to be removed from online search results. Google explains in the form how they will assess each individual’s request: “When evaluating your request, we will look at whether the results include outdated information about you, as well as whether there’s a public interest in the information—for example, information about financial scams, professional malpractice, criminal convictions, or public conduct of government officials.”
In the UK, the Data Protection Act 1998 refers to a data controller as someone who “determines the purposes for which and the manner in which any personal data are …. processed.” This is the equivalent of “controller” in the Directive.
Google and other search engines access potentially all information available on the internet and present search results listings with links to websites where the information is held. It is well understood that each website will have one or more controllers but a question which the ECJ considered was whether a search engine operator carries out the processing of personal data
additional to the processing carried out by the operators of each web page listed. If a search engine operator does process personal data then the further question arises as to whether such operator is a controller in respect of that processing.
The ECJ identified that a search engine operator searches the internet for information; records and organises it within the framework of its indexing programmes; stores it on its servers (if only temporarily) and discloses this data to its users. To the extent that the information relates to identified or identifiable individuals, the Court held that the search engine operator will be processing “personal data.”
The ECJ also noted that it is the search engine operator which determines the purposes and the means of this processing activity. Consequently the operator must be the “controller” in respect of this processing.
This ruling by the ECJ is potentially of application in a wide range of circumstances. It needs to be considered in any situation where personal data is being stored or otherwise processed under the control of one controller for its own purposes but it is also accessed and processed by another operator for a different purpose.