This is a remarkable case, with a very inconspicuous beginning.
In January and March 1998, a Spanish newspaper published formal notices stating that certain assets connected to Mr Costeja González were to be auctioned to pay off outstanding social security debts. These notices were true and accurate, and were published on foot of an order from the Spanish Ministry of Labour and Social Affairs.
At some point, this newspaper made these notices accessible via its website, which was crawled and indexed by the Google search engine.
Mr González objected to the fact that a Google search against his name returned these articles and, in 2010, filed a complaint with the Spanish Data Protection Authority (the Angencia Espanola de Protección de Datos or AEPD) demanding that Google remove the links to the 1998 newspaper articles on the grounds that linking to these public notices violated his data protection rights. The AEPD agreed and directed Google to remove the articles. Mr González also demanded that the newspaper be required to either remove or alter the pages in question so that the personal data relating to him no longer appeared. However, in contrast to the finding against Google, the AEPD rejected this request, taking the view that the relevant information had been lawfully published by the newspaper. On 13 May 2014, the Court of Justice of the European Union (CJEU) approved the AEPD’s decision, essentially finding that Google must remove links to the articles. In doing so, the CJEU greatly expanded the scope and application of European data protection law, and, by extension, used this newly expanded right to data protection to materially reduce the protection afforded to free speech within the EU.
The CJEU’s ruling is quite technical but it can be broken down into a number of specific findings:
First, the CJEU found that Google’s Spanish office triggered the application of Spanish data protection law to Google search.
Google search is operated by Google, Inc., a US company. Google’s Spanish office is involved in promoting, in Spain, the sale of Google advertising. It does not appear, from the judgment, that the Spanish office had any other involvement in, or control over, Google search. Notwithstanding this fact, and the fact that Google Spain and Google, Inc. were separate legal entities, the Court found that Google Spain was an “establishment” of Google Inc., and that Google search data was processed “in the context of” this Spanish establishment (apparently due to the economic connection between the ads promoted by Google Spain and the Google search engine). This was considered sufficient to ground Spanish jurisdiction.
Second, the CJEU found that a search engine “processes” “personal data” and acts as a “data controller”.
This section of the Court’s judgment turned on technical definitions in data protection rules, but its effect is clear – Google was regarded as responsible, under data protection law, for the results which it returned. The fact that Google’s processing is conducted entirely by algorithms and that it does not know, or in any real sense “control”, the data returned in search results was disregarded by the Court. It is notable that the Court’s finding on this point is directly opposite the position adopted by the Advocate General in his Opinion on this case.
Third, a search engine can be required to remove links to lawful information published on another website.
Having found that a search engine is a “data controller” and therefore liable under data protection law for the results that it returns, the Court proceeded to find that any non-compliance with data protection law by the search engine gives rise to a right, on the part of the individual named in a search result, to have the link removed from search results. This conclusion was based on the existing right to deletion and rectification found in the Data Protection Directive.
Fourth, the CJEU inferred a right to be forgotten.
Drawing on the fact that data protection is a fundamental right under European law, and the fact that the individual mentioned in search results (the “data subject”) will not have consented to the processing of their information, the Court inferred a “right to be forgotten”. This right appears to kick in where returning the search results is deemed to be excessive or where an unclear balancing exercise suggests that the content should be removed. Crucially, the Court found:
that a data subject does not need to show any prejudice to invoke this right to be forgotten;
the right to be forgotten generally takes precedence over other rights, including the right to free expression; and
content which could lawfully be returned on one day may need to later be removed due to the passage of time.
It appears that this right to be forgotten will favour the removal of content, and that such information can only be maintained “if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by a preponderant interest of the general public in having, on account of its inclusion in the results, access to the information in question.” In other words, the presumption falls in favour of deletion, and the rights of access to information and free expression appear only to be relevant as an exemption that may arise in certain cases.
This is a seminal decision, and it will take some time before its full impact is felt. However, at this early stage a number of preliminary observations can be made:
• The manner in which the Court found that Spanish law applies is somewhat difficult to sustain as a matter of logic, and is inconsistent with the approach traditionally adopted in assessments of data protection jurisdiction by Data Protection Authorities and the Article 29 Working Party. In a number of places in the judgment, the Court specifically notes the importance of ensuring that European data protection law applies to the internet. On this basis, there seems to be scope to limit this decision to only cover cases where there is no clear European established data controller. On a literal reading of the Court’s findings, a German data controller, with all relevant data processing operations based in Germany, could find itself subject to French data protection law simply because it had a subsidiary engaged in promotional activities in France. It is difficult to believe that the Court intended this outcome, which would make life much more complicated for pan-EU data controllers and which seems to be inconsistent with the concept of a digital single market or the free movement of data (which is the reason the Directive was adopted in the first place).
• The Court’s conclusions with respect to the right to be forgotten are open to criticism. Traditionally, lawsuits where individuals seek to restrict access to information tend to arise where the information was held under a duty of confidence or where the information was “private” in the sense that it pertained to one’s personal (usually, sexual) life. In contrast, here the Court has found that an individual has a right to seek to restrain access to public information, simply because that information could constitute that individual’s personal data.
• In addition, having adopted this expansive view, the Court proceeded to find that this right to privacy and data protection takes precedence “as a rule” over the public’s right to access and communicate true information about an individual. Surprisingly, the Court came to this conclusion without considering Article 11 of the EU’s Charter of Fundamental Rights, which expressly protects the freedom “to receive and impart information and ideas without interference by public authority”. The Court also failed to have any regard to the extensive freedom of expression case law developed by the European Court of Human Rights on foot of Article 10 of the European Convention on Human Rights (which forms part of EU law). Consequently, it is very difficult to see how the Court came to the far-reaching conclusion that the right to data protection takes precedence “as a rule” over the right to freely receive and impart information.
• This finding is particularly remarkable when one notes that the “right to data protection” (as distinct from a right to privacy protecting the personal sphere) is a relatively new fundamental right. While there are some precedents in the laws of other EU Member States (such as the right to “informational self-determination” in German constitutional law), data protection only became a fundamental right across Europe as a result of the adoption of the Lisbon Treaty. In contrast, free speech and the right to freely receive and impart information are core and well established human rights, well recognised in the legal orders of most EU states. Notwithstanding this, the Court appears to have found that the new right to data protection takes precedence over, and as a result erodes, the traditional protection of free expression.
• More broadly, the Court appears to have placed national data protection authorities (“DPAs”), such as Ireland’s Data Protection Commissioner, in a somewhat difficult position. The Court’s decision appears to envisage that individuals who are unhappy with how an internet company has responded to their “right to be forgotten” request can file a complaint with the relevant DPA. However, this DPA, in turn, will be required to seek to balance fundamental rights and assess, on a case by case basis, whether the public interest in access to information exceeds the data subject’s privacy interest in having people “forget” that information. This essentially involves DPAs making decisions about what true and public information people are entitled to access online. One must seriously question whether such a regime, which could be construed as a form of censorship, was the intended purpose of the Data Protection Directive when it was adopted in 1995.
• Finally, this case is likely to have extensive political ramifications. On an international level, the divergence between the US and EU approaches to data protection already constitutes something of a trade barrier between the two jurisdictions, and recent efforts to find a common ground have met resistance, largely from Europeans who are concerned about a watering down of EU privacy standards. Following this decision, it is difficult to envisage the US making moves to embrace a set of European norms that could be interpreted as restricting the free flow of public information. On a European level, there had been extensive debate over the proposed “right to be forgotten” contained in the proposed General Data Protection Regulation, which is making its way through the European legislature. This decision seems to somewhat short-circuit much of that debate.
For more information, contact a membr of our Technology team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.