Tech Law Blog

Google and the “Right to be Forgotten” - What the Court Said and Why it Matters

15 May 2014

Mason Hayes & Curran Technology Law Blog

This is a remarkable case, with a very inconspicuous beginning. 

In January and March 1998, a Spanish newspaper published formal notices stating that certain assets connected to Mr Costeja González were to be auctioned to pay off outstanding social security debts. These notices were true and accurate, and were published on foot of an order from the Spanish Ministry of Labour and Social Affairs.

At some point, this newspaper made these notices accessible via its website, which was crawled and indexed by the Google search engine.

Data protectionMr González objected to the fact that a Google search against his name returned these articles and, in 2010, filed a complaint with the Spanish Data Protection Authority (the Angencia Espanola de Protección de Datos or “AEPD”) demanding that Google remove the links to the 1998 newspaper articles on the grounds that linking to these public notices violated his data protection rights. The AEPD agreed and directed Google to remove the articles. Mr González also demanded that the newspaper be required to either remove or alter the pages in question so that the personal data relating to him no longer appeared. However, in contrast to the finding against Google, the AEPD rejected this request, taking the view that the relevant information had been lawfully published by the newspaper. On 13 May 2014, the Court of Justice of the European Union (“CJEU”) approved the AEPD’s decision, essentially finding that Google must remove links to the articles. In doing so, the CJEU greatly expanded the scope and application of European data protection law, and, by extension, used this newly expanded right to data protection to materially reduce the protection afforded to free speech within the EU.

The CJEU’s ruling is quite technical but it can be broken down into a number of specific findings:

First, the CJEU found that Google’s Spanish office triggered the application of Spanish data protection law to Google search.

Google search is operated by Google, Inc., a US company. Google’s Spanish office is involved in promoting, in Spain, the sale of Google advertising. It does not appear, from the judgment, that the Spanish office had any other involvement in, or control over, Google search. Notwithstanding this fact, and the fact that Google Spain and Google, Inc. were separate legal entities, the Court found that Google Spain was an “establishment” of Google Inc., and that Google search data was processed “in the context of” this Spanish establishment (apparently due to the economic connection between the ads promoted by Google Spain and the Google search engine).  This was considered sufficient to ground Spanish jurisdiction.

Second, the CJEU found that a search engine “processes” “personal data” and acts as a “data controller”.

This section of the Court’s judgment turned on technical definitions in data protection rules, but its effect is clear – Google was regarded as responsible, under data protection law, for the results which it returned. The fact that Google’s processing is conducted entirely by algorithms and that it does not know, or in any real sense “control”, the data returned in search results was disregarded by the Court. It is notable that the Court’s finding on this point is directly opposite the position adopted by the Advocate General in his Opinion on this case.

Third, a search engine can be required to remove links to lawful information published on another website.