May 29, 2014
On 13 May 2014, the Court of Justice of the EU (CJEU) ruled that an individual can ask a data controller like Google to delete his/her data in certain cases. This is the EU "right to be forgotten" and is one of the most significant cases to affect EU privacy law to date. However, the case of Google v the Spanish Data Protection Authority1 also establishes that EU data privacy law can catch a US parent company which has subsidiaries in the EU. This is a seminal and far-reaching case with the potential to impact lots of search engines, social networks and digital media companies.
On 5 March 2010, Mr Gonzalez, a Spanish national resident, lodged a complaint with the Spanish Data Protection Authority (AEPD) against a Spanish newspaper publisher (La Vanguardia Ediciones SL (La Vanguardia)) and against Google Spain and Google Inc. His complaint was in relation to the fact that, when his name was entered into the Google search engine, an internet user would be provided with links to two old announcements by La Vanguardia. These announcements, dating back to 1998, mentioned Mr Gonzalez' name in connection with a real estate auction as a result of attachment proceedings for the recovery of Mr Gonzalez' social security debts. Mr Gonzalez wanted the original content by La Vanguardia, as well as the Google search links to these announcements, to be removed. Mr Gonzalez argued that the attachment proceedings concerning him had been fully resolved a number of years ago and that reference to them was now entirely irrelevant.
After a ruling by the AEPD in favour of Mr Gonzalez (in relation to his complaint against Google), Google Spain and Google Inc. brought actions against the AEPD's decision before the Spanish National High Court (Audiencia Nacional). The Court decided to refer certain questions on the interpretation of the Data Protection Directive 95/46 (Directive) to the CJEU for a preliminary ruling.
The CJEU ruled on the following fundamental questions:
Are search engines data controllers of personal data?
Is this "processing" of personal data?
In reaching a decision on whether a search engine is a "data controller", the CJEU first considered whether any personal data is being "processed" by Google. An interesting argument was raised by Google stating that: "the activity of search engines cannot be regarded as processing of the data which appears on third parties' web pages displayed in the list of search results, given that search engines process all the information available on the internet without effecting a selection between personal data and other information".
However, the CJEU ruled that search engines collect, retrieve, organise, store and then disclose such data to its users in the form of lists of search results, and such actions are and must be classified as "processing".
Scope of "data controller" role?
By establishing that the personal data is being "processed" by the search engine, the next fundamental question is who is the data controller of such information. A "data controller" is defined by the Directive as "the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data".
The CJEU held that the search engine operator determines the purposes and means by which the personal data is processed (i.e. by having the functionality of supressing certain types of data from the search results) and therefore must be regarded as a "data controller" in relation to such data.
This decision seems logical. The alternative would either be to decide that there is no data controller for the personal data being made available through the search results or that the website publisher (to which the search results are linked) is, in actual fact, the data controller (with the search engine being classed as the "data processor"). The latter alternative was the opinion set forth by the Advocate General in the case stating that individuals should direct their requests to the publisher of the content (as they are data controllers of the data), and not to Google (who are mere "intermediaries").
"Controller" status: not just about search engines
This ruling clearly has a major impact on search engines, but could be extended to other businesses. The same logic would catch any organisation that offers search functionality on its website which includes publicly available search results. Publishers (including media companies) will also be controllers of personal data they hold or disseminate. The large IT and digital media vendors who provide, for example, cloud-based services to individuals (e.g. any retail provider of online content, digital storage, email or SaaS services) are also likely to be caught as data controllers.
Is a search engine (that is based outside Europe) subject to the European data protection rules, if it has a European sales and marketing subsidiary?
Meaning of "establishment": now includes a sales subsidiary
The CJEU considered the "establishment" test under Article 4(1)(a) of the Directive in order to make its ruling in relation to this question. To satisfy the test, the processing of personal data must be "carried out in the context of the activities of an establishment of the controller on the territory of the Member State".
The corporate structure of Google was examined by the CJEU. The Google search functionality is operated by Google Inc. in the US. Google Inc. does, however, have a sales subsidiary in Spain (Google Spain) that makes online advertising available to local customers. As a result of this set-up, the CJEU took a very purposive approach stating that the activities of Google Spain are inextricably linked with that of the parent company, Google Inc., "since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable". The CJEU held that Google Inc. does satisfy the "establishment" test under Article 4(1)(a) and that the processing of Google Inc. is "in the context" of its Spanish establishment.
It is clear that a policy decision was made by the CJEU in this case as it stressed that: "it cannot be accepted that the processing of personal data carried out for the purposes of the operation of the search engine should escape the obligations and guarantees laid down by Directive 95/46, which would compromise the directive's effectiveness and the effective and complete protection of the fundamental rights and freedoms of natural persons which the directive seeks to ensure".
No more "risk insulation" for parent companies?
This is a huge change from the traditional position under which a US parent could, to some extent, insulate itself from EU privacy law risk by ensuring that it does not have a physical establishment on European soil or use equipment in Europe to process personal data. In some cases, the US parent could choose to establish in one jurisdiction (perhaps the UK or Ireland) but ensure it does not establish in any other jurisdiction so it is only subject to, in this example, UK or Irish data protection law. This position, upheld by the German Courts in relation to Facebook now seems in doubt.
As a result of the ruling, many large US IT vendors and digital media companies will be deemed to have an EU establishment if they have local sales and marketing subsidiaries operating in the EU. Depending on the circumstances, this could have a dramatic increase in data privacy risk. Going forward, this would impose obligations on non-EU parents to comply with the full panoply of data protection rules, including obligations to have local registrations, honour data protection access requests and ensure general privacy compliance. This extension of EU data privacy law means that one component of the extra-territorial effect of the new Data Protection Regulation has arrived early!
Does an individual have the right to require a search engine to remove their data from search results?
The CJEU's ruling on this question was yes. The CJEU held that the Directive already contains a "right to be forgotten" under Article 12(b) (a right to rectification, erasure or blocking of data where the processing does not comply with the Directive) and Article 14(a) (a right to object to the processing of personal data on compelling legitimate grounds).
The CJEU noted that Google Inc. is required to legitimise the processing of the personal data on its search engine as it is unable to rely on the journalistic exemption under the Directive. The only potential condition for processing available to Google Inc. would be that the processing of personal data is necessary for the search engine's "legitimate interests". However, in order to rely on this condition, a balancing exercise needs to be undertaken between (i) the legitimate commercial interests of the search engine and the interests of the internet users who use it (i.e. freedom of expression) and (ii) the fundamental rights and freedoms of the data subjects who are the subject of searches (these fundamental privacy rights are now contained in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (Charter) which says that individuals are entitled to privacy and protection of personal data).
The CJEU considered that the processing by a search engine "enables any internet user to obtain through the list of results a structured overview of the information relating to that individual that be found on the internet… and therefore establish a more or less detailed profile about" an individual.
As a result of a search engine creating a "detailed profile" of an individual, the legitimate interests of the search engine (i.e. economic gain) cannot necessarily justify such processing. Furthermore, the legitimate interests of the data subject will generally override the interests of internet users: "that balance may however depend, in specific cases, on the nature of the information in question and its sensitivity for the data subject's private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life".
What is the effect of the Right to be Forgotten?
The effect of this ruling is colossal. It allows individuals to ask a search engine to remove unfavourable links to them from search results. The search engine will then be required to consider the following factors in deciding whether to remove such links:
- the nature and sensitivity of the information;
- the age of the information;
- the interest in the public in having access to the information; and
- the role played by the data subject in public life.
While it is difficult to argue with the technical logic of this decision, it is peculiar that a private company has been tasked with making the decision on whether data should be made public (i.e. whether the "right to know" of internet users outweighs the "right to be forgotten" of the individuals). There has been much criticism that this amounts to censorship. Perhaps the CJEU should have tasked the Courts with this balancing exercise instead of private companies. After all, it would be the Courts who would decide on questions of defamation, confidentiality, inappropriate content etc.
Who has exercised these (new) rights so far?
Since this ruling, it has been reported that there has already been over a thousand requests submitted to Google and other search engines to remove links. So what will the search engines do about this? Will they rush off to build a team to process these complaints? This ruling will not only affect the resource of search engines, social networks, media companies and publishers but also that of local data protection regulators who may become inundated with requests/complaints to take action against search engines and other controllers that do not remove links.
The consequences of this case are far reaching. There is also the potential that individuals based outside Europe may also try to enforce this ruling against a US parent operating a search engine, social network, or online aggregators (i.e. an individual based in the US asking for their information to be removed). Arguably this is less likely to succeed as such requests would not be "in the context of" the relevant EU establishment.
What about publishers of original content?
It was made clear in this case, that La Vanguardia (the newspaper that originally published the announcements about Mr Gonzalez) was under a legal obligation to do so and therefore had a legitimate basis for processing such information.
More generally, media companies may be able to rely on the journalistic exemption under data protection laws for the processing of personal data in this context and therefore may be less exposed to the "right to be forgotten", at least in relation to "journalistic purposes". However, the remit of the journalistic exemption is open to interpretation and it does not absolve you from complying with the UK data protection legislation if you can. So the risk of complaints based on inaccuracy and for disproportionality are likely to remain.
In the UK, the Directive is implemented by the Data Protection Act 1998 (DPA). However, the DPA is not a mirror image of the provisions of the Directive. Crucially, Articles 12 and 14 of the Directive have not been transposed into the DPA in full. Individual rights in the UK are limited to Section 10 DPA (right to require removal where processing is likely to cause substantial damage or substantial distress) or Section 14 DPA (right to require removal where processing is of inaccurate data). An individual could complain to the Information Commissioner's Office (ICO). However, it would be open to an individual to request deletion of data based on a failure to properly apply the "legitimate interests" condition so, on balance, the UK position is not materially different to that of the rest of the EU.
It is also worth noting that there is a body of case law in which it has been held that, where a European Directive is clear and unambiguous, then it will be "directly effective" under national law. Therefore, potentially, individuals could bring an action under the Directive itself in national courts without citing national legislation.
More generally, the ruling is evidence of a very "pro-privacy" approach being taken by the CJEU. It is only six weeks since the CJEU declared the Data Retention Directive invalid and illegal.
In theory, this could mean that search engines have two versions of their product: one for global users and another for EU users (the latter with edited sections pursuant to data deletion requests). But it is not clear that this would be practical or commercially realistic.
Interestingly, search engines will also be faced with a similar issue in relation to sensitive personal data which can only be processed with the explicit consent of the user. So, Mr Gonzalez could presumably ask a search engine to delete his sensitive personal data without even needing to consider a balance of interests pursuant to the "legitimate interests" test.
Internet of Things
The ruling considers the position of Google as a search engine. However, search functionality is already being embedded in connected devices as part of the Internet of Things. Presumably, therefore, the same data deletion requests could apply to those digital service providers who run connected device search functions as well?
What does the UK Information Commissioner say?
The UK Information Commissioners' Office (ICO) blog posted on 20 May identified four things that we have learned from the Google ruling:
- Search engines may have to remove some search results: If the way in which search result data is being used does not fit with European data protection law (e.g. it is inadequate, irrelevant or outdated) then the user can request that the link is removed from future search results. The search provider will have to comply unless there is an overriding public interest. Users should contact the search company and, if the search provider refuses the request, he/she can contact the ICO. However, the ICO will not be ruling on any complaints until the search providers have had a reasonable time to put their systems in place and start considering requests. After that, the ICO will focus on concerns linked to "clear evidence of damage and distress to individuals".
- "There is life in data protection law yet": The ICO say that the ruling shows that existing European data protection directive can still be relevant when discussing modern data protection issues. This is an oblique criticism of the drive to overhaul the regime with the new Data Protection Regulation.
- A "right to be forgotten" will still be difficult in practice: It is important to keep the implications of the ruling in proportion and recognise that there is no absolute right to have links removed. Also, the original publication and links via the search engine are to be considered separately: the public record of a newspaper may not need to be deleted even if the link to it from a search website is removed. The ICO also confirm that the exemption for journalism, art and literature under Section 32 of the DPA can be applied by media companies, bloggers and other publishers depending on the circumstances. In context, the Google ruling is not, therefore, a full or absolute "right to be forgotten". The ICO also remains concerned about how to set reasonable expectations for the public about how such rights can operate. The ICO says that we have to be realistic about how difficult it can be to completely remove all traces of personal information online.
- "This is the beginning not the end": The ICO say they will be discussing this with their fellow European Data Protection Authorities in the Article 29 Working Party at the start of June to ensure consistent approach is taken across Europe. Once they have done that, they will be speaking to the main search providers established in the UK. In the meantime, search providers should start the process of considering what solutions are needed to deal with requests to remove links. This may involve logistical and technical challenges.
The CJEU ruling is a final decision on a point of law. There is no right of appeal. So what should search engines, social networks, online aggregators and publishers do next? Here is our "hit list" of initial suggestions:
- Do not rush off to make an immediate decision: Despite the horror stories of there being a blizzard of deletion requests, take time to read and analyse the judgment. The reality is that if an individual makes a request and fails to get a satisfactory response, they would then complain to the relevant data protection regulator. So there is some time in hand to give this proper consideration.
- Consider whether the ruling covers you? It is clear that the ruling covers search engines but the logic would also apply to social networks, online aggregators, publishers, digital media and cloud computing companies. But it may be possible to draw a distinction between your activities and those of Google in this case. Are you indexing and making available data to the public? Is it possible that another party is better characterised as the relevant data controller (for example, where you act as wholesaler not retailer)?
- Review your corporate structure against applicable data privacy laws: In particular, the traditional approach that non-EU parents are not caught by EU data privacy laws unless they have their own local establishment or use equipment to process data locally. Consider whether you have local subsidiaries acting as sales marketing or other agencies in EU territories that could mean that the relevant parent is also caught? Consider whether your subsidiaries are inextricably linked to the activities of the parent (less "nexus" may mean less risk).
- Estimate and monitor volume of deletion requests: An initial estimate of the likely volume will help plan for required resourcing. Some resource will presumably be required now to consider queries. Consider tooling up the call centre and other contact operations so you can respond to consumer queries with a consistent message.
Google Spain Sl and Google Inc v Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez, Case C-131/12.