The item you have requested is not currently available in English and you have been redirected to the next available page. You may use your browser's back button to return to the item you were viewing.
This website is best viewed by using the latest version of your Internet browser. Please upgrade to Internet Explorer 8.0 or above in order to properly view and experience this website.
Country desks feature Dentons lawyers in one jurisdiction with a particular focus or experience in another jurisdiction.
Learn more about our Canada capabilities
Learn more about our United States capabilities
Learn more about our Latin America and the Caribbean capabilities
Learn more about our Europe capabilities
Learn more about our United Kingdom capabilities
Learn more about our Central and Eastern Europe capabilities
Learn more about our Russia, CIS and the Caucasus capabilities
Learn more about our Africa capabilities
Learn more about our Middle East capabilities
Learn more about our Central Asia capabilities
Learn more about our Asia Pacific capabilities
At Dentons, we bring together top tier talent found at the intersection of geography, industry knowledge and substantive legal expertise. Start by clicking here
Dentons secures 127 individual and 37 practice rankings in Legal 500 US 2016
Dentons was honored with 127 individual and 37 practice rankings in the 2016 edition of Legal 500 US.
Attorneys must be precise in representations to court
Government attorneys are not immune from many of the same risks all other attorneys face. A recent decision regarding the conduct of several DOJ attorneys makes that point in some harsh terms.
Issues for overseas companies relating to UK land and UK government work
Recent government proposals will affect overseas companies that own UK land and that bid for UK government contracts
Far-reaching reforms to insurance law – and what action to take
The Insurance Act 2015 (the Act) will come into force on 12 August 2016 and is set to have far-reaching effects on how businesses handle their insurance policies and renewals. The Act will affect non-consumer contracts and any amendments made to existing non-consumer contracts after 12 August 2016.
Historic contamination in Romania under sale–purchase agreements
Historic contamination receives a lot of attention in Romania, particularly in the process of privatizing formerly state owned enterprises. Some of these enterprises are taken over as ongoing businesses, while others are taken over for assets such as land.
Starting your career as a student at Dentons exposes you to a world of experience and opportunities
With 125+ locations in 50+ countries, Dentons is home to top-tier talent that is found at the intersection of geography, industry knowledge and substantive legal experience. Working with Dentons, you will have the opportunity to learn from the best lawyers in the industry at the largest law firm in the world.
Dentons named Law Firm of the Year in CEE and Russia
Dentons was named Law Firm of the Year in Central and Eastern Europe (CEE) and Russia at The American Lawyer Transatlantic Legal Awards. The awards ceremony took place in London on 7 June 2016.
Dentons is 'ALL IN' to support Edmonton community initiatives
This month, Dentons’ Edmonton office will be turning the spotlight on the power and vibrancy of Edmonton’s community by hosting ALL IN, an evening to celebrate and strengthen the “in and of the community” support networks between our city’s businesses, individuals and charitable organizations.
Dentons develops Russia's first-ever whitepaper on the legal aspects of the Internet of Things
Dentons, in cooperation with RUSSOFT NPP, has developed a document that shines a light on the main legal aspects of the Internet of Things in Russia. The initiative was timed to coincide with the IoT Summit Russia, organized by RUSSOFT NPP on the eve of this year’s St. Petersburg International Economic Forum (SPIEF).
On 13 May 2014, the Court of Justice of the EU (CJEU) ruled that an individual can ask a data controller like Google to delete his/her data in certain cases. This is the EU "right to be forgotten" and is one of the most significant cases to affect EU privacy law to date. However, the case of Google v the Spanish Data Protection Authority1 also establishes that EU data privacy law can catch a US parent company which has subsidiaries in the EU. This is a seminal and far-reaching case with the potential to impact lots of search engines, social networks and digital media companies.
On 5 March 2010, Mr Gonzalez, a Spanish national resident, lodged a complaint with the Spanish Data Protection Authority (AEPD) against a Spanish newspaper publisher (La Vanguardia Ediciones SL (La Vanguardia)) and against Google Spain and Google Inc. His complaint was in relation to the fact that, when his name was entered into the Google search engine, an internet user would be provided with links to two old announcements by La Vanguardia. These announcements, dating back to 1998, mentioned Mr Gonzalez' name in connection with a real estate auction as a result of attachment proceedings for the recovery of Mr Gonzalez' social security debts. Mr Gonzalez wanted the original content by La Vanguardia, as well as the Google search links to these announcements, to be removed. Mr Gonzalez argued that the attachment proceedings concerning him had been fully resolved a number of years ago and that reference to them was now entirely irrelevant.
After a ruling by the AEPD in favour of Mr Gonzalez (in relation to his complaint against Google), Google Spain and Google Inc. brought actions against the AEPD's decision before the Spanish National High Court (Audiencia Nacional). The Court decided to refer certain questions on the interpretation of the Data Protection Directive 95/46 (Directive) to the CJEU for a preliminary ruling.
The CJEU ruled on the following fundamental questions:
In reaching a decision on whether a search engine is a "data controller", the CJEU first considered whether any personal data is being "processed" by Google. An interesting argument was raised by Google stating that: "the activity of search engines cannot be regarded as processing of the data which appears on third parties' web pages displayed in the list of search results, given that search engines process all the information available on the internet without effecting a selection between personal data and other information".
However, the CJEU ruled that search engines collect, retrieve, organise, store and then disclose such data to its users in the form of lists of search results, and such actions are and must be classified as "processing".
By establishing that the personal data is being "processed" by the search engine, the next fundamental question is who is the data controller of such information. A "data controller" is defined by the Directive as "the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data".
The CJEU held that the search engine operator determines the purposes and means by which the personal data is processed (i.e. by having the functionality of supressing certain types of data from the search results) and therefore must be regarded as a "data controller" in relation to such data.
This decision seems logical. The alternative would either be to decide that there is no data controller for the personal data being made available through the search results or that the website publisher (to which the search results are linked) is, in actual fact, the data controller (with the search engine being classed as the "data processor"). The latter alternative was the opinion set forth by the Advocate General in the case stating that individuals should direct their requests to the publisher of the content (as they are data controllers of the data), and not to Google (who are mere "intermediaries").
This ruling clearly has a major impact on search engines, but could be extended to other businesses. The same logic would catch any organisation that offers search functionality on its website which includes publicly available search results. Publishers (including media companies) will also be controllers of personal data they hold or disseminate. The large IT and digital media vendors who provide, for example, cloud-based services to individuals (e.g. any retail provider of online content, digital storage, email or SaaS services) are also likely to be caught as data controllers.
The CJEU considered the "establishment" test under Article 4(1)(a) of the Directive in order to make its ruling in relation to this question. To satisfy the test, the processing of personal data must be "carried out in the context of the activities of an establishment of the controller on the territory of the Member State".
The corporate structure of Google was examined by the CJEU. The Google search functionality is operated by Google Inc. in the US. Google Inc. does, however, have a sales subsidiary in Spain (Google Spain) that makes online advertising available to local customers. As a result of this set-up, the CJEU took a very purposive approach stating that the activities of Google Spain are inextricably linked with that of the parent company, Google Inc., "since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable". The CJEU held that Google Inc. does satisfy the "establishment" test under Article 4(1)(a) and that the processing of Google Inc. is "in the context" of its Spanish establishment.
It is clear that a policy decision was made by the CJEU in this case as it stressed that: "it cannot be accepted that the processing of personal data carried out for the purposes of the operation of the search engine should escape the obligations and guarantees laid down by Directive 95/46, which would compromise the directive's effectiveness and the effective and complete protection of the fundamental rights and freedoms of natural persons which the directive seeks to ensure".
This is a huge change from the traditional position under which a US parent could, to some extent, insulate itself from EU privacy law risk by ensuring that it does not have a physical establishment on European soil or use equipment in Europe to process personal data. In some cases, the US parent could choose to establish in one jurisdiction (perhaps the UK or Ireland) but ensure it does not establish in any other jurisdiction so it is only subject to, in this example, UK or Irish data protection law. This position, upheld by the German Courts in relation to Facebook now seems in doubt.
As a result of the ruling, many large US IT vendors and digital media companies will be deemed to have an EU establishment if they have local sales and marketing subsidiaries operating in the EU. Depending on the circumstances, this could have a dramatic increase in data privacy risk. Going forward, this would impose obligations on non-EU parents to comply with the full panoply of data protection rules, including obligations to have local registrations, honour data protection access requests and ensure general privacy compliance. This extension of EU data privacy law means that one component of the extra-territorial effect of the new Data Protection Regulation has arrived early!
The CJEU's ruling on this question was yes. The CJEU held that the Directive already contains a "right to be forgotten" under Article 12(b) (a right to rectification, erasure or blocking of data where the processing does not comply with the Directive) and Article 14(a) (a right to object to the processing of personal data on compelling legitimate grounds).
The CJEU noted that Google Inc. is required to legitimise the processing of the personal data on its search engine as it is unable to rely on the journalistic exemption under the Directive. The only potential condition for processing available to Google Inc. would be that the processing of personal data is necessary for the search engine's "legitimate interests". However, in order to rely on this condition, a balancing exercise needs to be undertaken between (i) the legitimate commercial interests of the search engine and the interests of the internet users who use it (i.e. freedom of expression) and (ii) the fundamental rights and freedoms of the data subjects who are the subject of searches (these fundamental privacy rights are now contained in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (Charter) which says that individuals are entitled to privacy and protection of personal data).
The CJEU considered that the processing by a search engine "enables any internet user to obtain through the list of results a structured overview of the information relating to that individual that be found on the internet… and therefore establish a more or less detailed profile about" an individual.
As a result of a search engine creating a "detailed profile" of an individual, the legitimate interests of the search engine (i.e. economic gain) cannot necessarily justify such processing. Furthermore, the legitimate interests of the data subject will generally override the interests of internet users: "that balance may however depend, in specific cases, on the nature of the information in question and its sensitivity for the data subject's private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life".
The effect of this ruling is colossal. It allows individuals to ask a search engine to remove unfavourable links to them from search results. The search engine will then be required to consider the following factors in deciding whether to remove such links:
While it is difficult to argue with the technical logic of this decision, it is peculiar that a private company has been tasked with making the decision on whether data should be made public (i.e. whether the "right to know" of internet users outweighs the "right to be forgotten" of the individuals). There has been much criticism that this amounts to censorship. Perhaps the CJEU should have tasked the Courts with this balancing exercise instead of private companies. After all, it would be the Courts who would decide on questions of defamation, confidentiality, inappropriate content etc.
Since this ruling, it has been reported that there has already been over a thousand requests submitted to Google and other search engines to remove links. So what will the search engines do about this? Will they rush off to build a team to process these complaints? This ruling will not only affect the resource of search engines, social networks, media companies and publishers but also that of local data protection regulators who may become inundated with requests/complaints to take action against search engines and other controllers that do not remove links.
The consequences of this case are far reaching. There is also the potential that individuals based outside Europe may also try to enforce this ruling against a US parent operating a search engine, social network, or online aggregators (i.e. an individual based in the US asking for their information to be removed). Arguably this is less likely to succeed as such requests would not be "in the context of" the relevant EU establishment.
It was made clear in this case, that La Vanguardia (the newspaper that originally published the announcements about Mr Gonzalez) was under a legal obligation to do so and therefore had a legitimate basis for processing such information.
More generally, media companies may be able to rely on the journalistic exemption under data protection laws for the processing of personal data in this context and therefore may be less exposed to the "right to be forgotten", at least in relation to "journalistic purposes". However, the remit of the journalistic exemption is open to interpretation and it does not absolve you from complying with the UK data protection legislation if you can. So the risk of complaints based on inaccuracy and for disproportionality are likely to remain.
In the UK, the Directive is implemented by the Data Protection Act 1998 (DPA). However, the DPA is not a mirror image of the provisions of the Directive. Crucially, Articles 12 and 14 of the Directive have not been transposed into the DPA in full. Individual rights in the UK are limited to Section 10 DPA (right to require removal where processing is likely to cause substantial damage or substantial distress) or Section 14 DPA (right to require removal where processing is of inaccurate data). An individual could complain to the Information Commissioner's Office (ICO). However, it would be open to an individual to request deletion of data based on a failure to properly apply the "legitimate interests" condition so, on balance, the UK position is not materially different to that of the rest of the EU.
It is also worth noting that there is a body of case law in which it has been held that, where a European Directive is clear and unambiguous, then it will be "directly effective" under national law. Therefore, potentially, individuals could bring an action under the Directive itself in national courts without citing national legislation.
More generally, the ruling is evidence of a very "pro-privacy" approach being taken by the CJEU. It is only six weeks since the CJEU declared the Data Retention Directive invalid and illegal.
In theory, this could mean that search engines have two versions of their product: one for global users and another for EU users (the latter with edited sections pursuant to data deletion requests). But it is not clear that this would be practical or commercially realistic.
Interestingly, search engines will also be faced with a similar issue in relation to sensitive personal data which can only be processed with the explicit consent of the user. So, Mr Gonzalez could presumably ask a search engine to delete his sensitive personal data without even needing to consider a balance of interests pursuant to the "legitimate interests" test.
The ruling considers the position of Google as a search engine. However, search functionality is already being embedded in connected devices as part of the Internet of Things. Presumably, therefore, the same data deletion requests could apply to those digital service providers who run connected device search functions as well?
The UK Information Commissioners' Office (ICO) blog posted on 20 May identified four things that we have learned from the Google ruling:
The CJEU ruling is a final decision on a point of law. There is no right of appeal. So what should search engines, social networks, online aggregators and publishers do next? Here is our "hit list" of initial suggestions:
Google Spain Sl and Google Inc v Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez, Case C-131/12.
You are switching to another language. Please click Confirm below to continue.
You will now be taken from the global Dentons website to the $redirectingsite website. To proceed, please click Accept.