The item you have requested is not currently available in English and you have been redirected to the next available page. You may use your browser's back button to return to the item you were viewing.
This website is best viewed by using the latest version of your Internet browser. Please upgrade to Internet Explorer 8.0 or above in order to properly view and experience this website.
Country desks feature Dentons lawyers in one jurisdiction with a particular focus or experience in another jurisdiction.
Learn more about our Canada capabilities
Learn more about our United States capabilities
Learn more about our Latin America and the Caribbean capabilities
Learn more about our Europe capabilities
Learn more about our United Kingdom capabilities
Learn more about our Central and Eastern Europe capabilities
Learn more about our Russia, CIS and the Caucasus capabilities
Learn more about our Africa capabilities
Learn more about our Middle East capabilities
Learn more about our Central Asia capabilities
Learn more about our Asia Pacific capabilities
At Dentons, we bring together top tier talent found at the intersection of geography, industry knowledge and substantive legal expertise. Start by clicking here
Dentons' Singapore CEO Philip Jeyaretnam, SC, named "Managing Partner of the Year"
Dentons Global Vice-Chair and Singapore Chief Executive Officer Philip Jeyaretnam, SC, was named "Managing Partner of the Year" at the Asian Legal Business Southeast Asia Awards on May 20, 2016.
Judge rules HHS can't pay cost-sharing subsidies to QHPs, but allows funding to continue
In a May 12, 2016, decision, a US district court judge granted summary judgment to the US House of Representatives on the question of whether funds had been appropriated to pay qualified health plans (QHPs) for reduced cost-sharing subsidies under Section 1402 of the ACA. The court answered in the negative and enjoined "any further reimbursements under Section 1402 until a valid appropriation is in place." However, it stayed the injunction pending any appeal, which the Obama Administration has already indicated it intends to file.
Mortgagees take note: the Law Commission thinks you might be special
The Law Commission recently published its consultation paper on updating the Land Registration Act 2002 (the Paper). Among the numerous proposals is one that will be of particular interest to mortgagees: views are invited on limiting the circumstances in which a mortgagee can claim against the Land Registry's indemnity. The effect would be to treat mortgagees as a special category of applicant but not necessarily to their advantage.
Businesses reap the benefits of Environmental Health and Safety improvements
A strong focus on Environmental Health and Safety (EHS) in the UAE is driving positive change on construction projects shaping the Emirates' evolving skyline. While risk is an inevitable part of any building project, effective management of EHS issues is delivering strong benefits for businesses across the industry.
Digital Single Market update – revised cross-border portability of online content services proposal leaked
A revision of the European Commission's proposal and draft Regulation on ensuring the cross-border portability of online content services in the EU has recently been leaked. The proposal provides a useful insight into where things are heading prior to the Regulation being finalised. This update looks at what has changed since the original draft Regulation was released in December 2015, and the implications for media companies.
Starting your career as a student at Dentons exposes you to a world of experience and opportunities
With 125+ locations in 50+ countries, Dentons is home to top-tier talent that is found at the intersection of geography, industry knowledge and substantive legal experience. Working with Dentons, you will have the opportunity to learn from the best lawyers in the industry at the largest law firm in the world.
Dentons wins four Turnaround Atlas Awards for excellence in international restructuring
On May 17, 2016, at a celebratory gala held in association with the Restructuring and Distressed Intelligence Forum, the Global M&A Network honoured Dentons with four Turnaround Atlas Awards, honouring excellence in international restructuring, special situations M&A, judicial and out-of-court reorganizations.
Dentons to expand in Germany with new Munich office
Global law firm Dentons will open a new office in Munich on July 1, 2016, with the hire of three partners. This will be Dentons’ third office in Germany, adding to its significant presence in Berlin and Frankfurt. The team joins from Norton Rose Fulbright.
Dentons launches global shared services strategy with new EMEA business services center
Global law firm Dentons continues its momentum by today launching its shared services strategy with the announcement that it will be opening a new business services center in Poland later this year.
On 13 May 2014, the Court of Justice of the EU (CJEU) ruled that an individual can ask a data controller like Google to delete his/her data in certain cases. This is the EU "right to be forgotten" and is one of the most significant cases to affect EU privacy law to date. However, the case of Google v the Spanish Data Protection Authority1 also establishes that EU data privacy law can catch a US parent company which has subsidiaries in the EU. This is a seminal and far-reaching case with the potential to impact lots of search engines, social networks and digital media companies.
On 5 March 2010, Mr Gonzalez, a Spanish national resident, lodged a complaint with the Spanish Data Protection Authority (AEPD) against a Spanish newspaper publisher (La Vanguardia Ediciones SL (La Vanguardia)) and against Google Spain and Google Inc. His complaint was in relation to the fact that, when his name was entered into the Google search engine, an internet user would be provided with links to two old announcements by La Vanguardia. These announcements, dating back to 1998, mentioned Mr Gonzalez' name in connection with a real estate auction as a result of attachment proceedings for the recovery of Mr Gonzalez' social security debts. Mr Gonzalez wanted the original content by La Vanguardia, as well as the Google search links to these announcements, to be removed. Mr Gonzalez argued that the attachment proceedings concerning him had been fully resolved a number of years ago and that reference to them was now entirely irrelevant.
After a ruling by the AEPD in favour of Mr Gonzalez (in relation to his complaint against Google), Google Spain and Google Inc. brought actions against the AEPD's decision before the Spanish National High Court (Audiencia Nacional). The Court decided to refer certain questions on the interpretation of the Data Protection Directive 95/46 (Directive) to the CJEU for a preliminary ruling.
The CJEU ruled on the following fundamental questions:
In reaching a decision on whether a search engine is a "data controller", the CJEU first considered whether any personal data is being "processed" by Google. An interesting argument was raised by Google stating that: "the activity of search engines cannot be regarded as processing of the data which appears on third parties' web pages displayed in the list of search results, given that search engines process all the information available on the internet without effecting a selection between personal data and other information".
However, the CJEU ruled that search engines collect, retrieve, organise, store and then disclose such data to its users in the form of lists of search results, and such actions are and must be classified as "processing".
By establishing that the personal data is being "processed" by the search engine, the next fundamental question is who is the data controller of such information. A "data controller" is defined by the Directive as "the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data".
The CJEU held that the search engine operator determines the purposes and means by which the personal data is processed (i.e. by having the functionality of supressing certain types of data from the search results) and therefore must be regarded as a "data controller" in relation to such data.
This decision seems logical. The alternative would either be to decide that there is no data controller for the personal data being made available through the search results or that the website publisher (to which the search results are linked) is, in actual fact, the data controller (with the search engine being classed as the "data processor"). The latter alternative was the opinion set forth by the Advocate General in the case stating that individuals should direct their requests to the publisher of the content (as they are data controllers of the data), and not to Google (who are mere "intermediaries").
This ruling clearly has a major impact on search engines, but could be extended to other businesses. The same logic would catch any organisation that offers search functionality on its website which includes publicly available search results. Publishers (including media companies) will also be controllers of personal data they hold or disseminate. The large IT and digital media vendors who provide, for example, cloud-based services to individuals (e.g. any retail provider of online content, digital storage, email or SaaS services) are also likely to be caught as data controllers.
The CJEU considered the "establishment" test under Article 4(1)(a) of the Directive in order to make its ruling in relation to this question. To satisfy the test, the processing of personal data must be "carried out in the context of the activities of an establishment of the controller on the territory of the Member State".
The corporate structure of Google was examined by the CJEU. The Google search functionality is operated by Google Inc. in the US. Google Inc. does, however, have a sales subsidiary in Spain (Google Spain) that makes online advertising available to local customers. As a result of this set-up, the CJEU took a very purposive approach stating that the activities of Google Spain are inextricably linked with that of the parent company, Google Inc., "since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable". The CJEU held that Google Inc. does satisfy the "establishment" test under Article 4(1)(a) and that the processing of Google Inc. is "in the context" of its Spanish establishment.
It is clear that a policy decision was made by the CJEU in this case as it stressed that: "it cannot be accepted that the processing of personal data carried out for the purposes of the operation of the search engine should escape the obligations and guarantees laid down by Directive 95/46, which would compromise the directive's effectiveness and the effective and complete protection of the fundamental rights and freedoms of natural persons which the directive seeks to ensure".
This is a huge change from the traditional position under which a US parent could, to some extent, insulate itself from EU privacy law risk by ensuring that it does not have a physical establishment on European soil or use equipment in Europe to process personal data. In some cases, the US parent could choose to establish in one jurisdiction (perhaps the UK or Ireland) but ensure it does not establish in any other jurisdiction so it is only subject to, in this example, UK or Irish data protection law. This position, upheld by the German Courts in relation to Facebook now seems in doubt.
As a result of the ruling, many large US IT vendors and digital media companies will be deemed to have an EU establishment if they have local sales and marketing subsidiaries operating in the EU. Depending on the circumstances, this could have a dramatic increase in data privacy risk. Going forward, this would impose obligations on non-EU parents to comply with the full panoply of data protection rules, including obligations to have local registrations, honour data protection access requests and ensure general privacy compliance. This extension of EU data privacy law means that one component of the extra-territorial effect of the new Data Protection Regulation has arrived early!
The CJEU's ruling on this question was yes. The CJEU held that the Directive already contains a "right to be forgotten" under Article 12(b) (a right to rectification, erasure or blocking of data where the processing does not comply with the Directive) and Article 14(a) (a right to object to the processing of personal data on compelling legitimate grounds).
The CJEU noted that Google Inc. is required to legitimise the processing of the personal data on its search engine as it is unable to rely on the journalistic exemption under the Directive. The only potential condition for processing available to Google Inc. would be that the processing of personal data is necessary for the search engine's "legitimate interests". However, in order to rely on this condition, a balancing exercise needs to be undertaken between (i) the legitimate commercial interests of the search engine and the interests of the internet users who use it (i.e. freedom of expression) and (ii) the fundamental rights and freedoms of the data subjects who are the subject of searches (these fundamental privacy rights are now contained in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (Charter) which says that individuals are entitled to privacy and protection of personal data).
The CJEU considered that the processing by a search engine "enables any internet user to obtain through the list of results a structured overview of the information relating to that individual that be found on the internet… and therefore establish a more or less detailed profile about" an individual.
As a result of a search engine creating a "detailed profile" of an individual, the legitimate interests of the search engine (i.e. economic gain) cannot necessarily justify such processing. Furthermore, the legitimate interests of the data subject will generally override the interests of internet users: "that balance may however depend, in specific cases, on the nature of the information in question and its sensitivity for the data subject's private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life".
The effect of this ruling is colossal. It allows individuals to ask a search engine to remove unfavourable links to them from search results. The search engine will then be required to consider the following factors in deciding whether to remove such links:
While it is difficult to argue with the technical logic of this decision, it is peculiar that a private company has been tasked with making the decision on whether data should be made public (i.e. whether the "right to know" of internet users outweighs the "right to be forgotten" of the individuals). There has been much criticism that this amounts to censorship. Perhaps the CJEU should have tasked the Courts with this balancing exercise instead of private companies. After all, it would be the Courts who would decide on questions of defamation, confidentiality, inappropriate content etc.
Since this ruling, it has been reported that there has already been over a thousand requests submitted to Google and other search engines to remove links. So what will the search engines do about this? Will they rush off to build a team to process these complaints? This ruling will not only affect the resource of search engines, social networks, media companies and publishers but also that of local data protection regulators who may become inundated with requests/complaints to take action against search engines and other controllers that do not remove links.
The consequences of this case are far reaching. There is also the potential that individuals based outside Europe may also try to enforce this ruling against a US parent operating a search engine, social network, or online aggregators (i.e. an individual based in the US asking for their information to be removed). Arguably this is less likely to succeed as such requests would not be "in the context of" the relevant EU establishment.
It was made clear in this case, that La Vanguardia (the newspaper that originally published the announcements about Mr Gonzalez) was under a legal obligation to do so and therefore had a legitimate basis for processing such information.
More generally, media companies may be able to rely on the journalistic exemption under data protection laws for the processing of personal data in this context and therefore may be less exposed to the "right to be forgotten", at least in relation to "journalistic purposes". However, the remit of the journalistic exemption is open to interpretation and it does not absolve you from complying with the UK data protection legislation if you can. So the risk of complaints based on inaccuracy and for disproportionality are likely to remain.
In the UK, the Directive is implemented by the Data Protection Act 1998 (DPA). However, the DPA is not a mirror image of the provisions of the Directive. Crucially, Articles 12 and 14 of the Directive have not been transposed into the DPA in full. Individual rights in the UK are limited to Section 10 DPA (right to require removal where processing is likely to cause substantial damage or substantial distress) or Section 14 DPA (right to require removal where processing is of inaccurate data). An individual could complain to the Information Commissioner's Office (ICO). However, it would be open to an individual to request deletion of data based on a failure to properly apply the "legitimate interests" condition so, on balance, the UK position is not materially different to that of the rest of the EU.
It is also worth noting that there is a body of case law in which it has been held that, where a European Directive is clear and unambiguous, then it will be "directly effective" under national law. Therefore, potentially, individuals could bring an action under the Directive itself in national courts without citing national legislation.
More generally, the ruling is evidence of a very "pro-privacy" approach being taken by the CJEU. It is only six weeks since the CJEU declared the Data Retention Directive invalid and illegal.
In theory, this could mean that search engines have two versions of their product: one for global users and another for EU users (the latter with edited sections pursuant to data deletion requests). But it is not clear that this would be practical or commercially realistic.
Interestingly, search engines will also be faced with a similar issue in relation to sensitive personal data which can only be processed with the explicit consent of the user. So, Mr Gonzalez could presumably ask a search engine to delete his sensitive personal data without even needing to consider a balance of interests pursuant to the "legitimate interests" test.
The ruling considers the position of Google as a search engine. However, search functionality is already being embedded in connected devices as part of the Internet of Things. Presumably, therefore, the same data deletion requests could apply to those digital service providers who run connected device search functions as well?
The UK Information Commissioners' Office (ICO) blog posted on 20 May identified four things that we have learned from the Google ruling:
The CJEU ruling is a final decision on a point of law. There is no right of appeal. So what should search engines, social networks, online aggregators and publishers do next? Here is our "hit list" of initial suggestions:
Google Spain Sl and Google Inc v Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez, Case C-131/12.
You are switching to another language. Please click Confirm below to continue.
You will now be taken from the global Dentons website to the $redirectingsite website. To proceed, please click Accept.