In general, web site managers and bloggers are keen to maximize their exposure on the internet. However, there are others who would prefer that search engines do not provide links to certain information relating to them or their activities. This latter group will therefore welcome the recent judgement of the Court of Justice of the EU, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, Case C-131/12. In this the European court examined the Directive on the protection of personal data, Directive 95/46/EC, in the context of what is generally known as “the right to be forgotten”.
The issues raised lie at the interface between “law and religion” and “human rights”, but in view the extent to which search engines are used to access data on this and other web sites, we felt it important to explore the implications of this important case.
The case concerned a Spanish man, Mr Costeja González, and the newspaper La Vanguardia which named him in two announcements relating to a real-estate auction associated with the recovery of social security debts. As a consequence, when an internet user entered his name in the search engine of the Google group, it would produce links to the two pages in La Vanguardia, which appeared on 19 January and 9 March 1998.
He therefore lodged a complaint with Agencia Española de Protección de Datos (AEPD), requesting that: La Vanguardia be required either to remove or alter those pages so that the personal data relating to him no longer appeared, or to use certain tools made available by search engines in order to protect the data; and Google Spain or Google Inc. be required to remove or conceal the personal data relating to him so that they ceased to be included in the search results and no longer appeared in the links to La Vanguardia.
On 30 July 2010, the AEPD rejected the complaint in so far as it related to La Vanguardia, taking the view that its publication of the information was legally justified; it took place upon the order of the Ministry of Labour and Social Affairs and was intended to give maximum publicity to the auction so as to secure as many bidders as possible. However, the complaint against Google Spain and Google Inc. was upheld, on the grounds that operators of search engines are subject to data protection legislation since they carry out data processing for which they are responsible and act as intermediaries in the information society.
Google Spain and Google Inc. brought separate actions against that decision before the Audiencia Nacional (National High Court). The Audiencia Nacional joined the actions and stayed proceedings pending a preliminary ruling from the CJEU on three issues:
- The applicability of the EU data protection provisions to the search provisions operated by Google Inc, an US company;
- The extent to which Google is regarded as a “data controller” in its processing of personal data on third party web pages; and
- Whether individuals have the right to require Google to remove links to material concerning them that is inadequate, irrelevant or no longer relevant, or excessive in relation to those purposes and in the light of the time that has elapsed.
Advocate General’s Opinion and the Court’s Judgement
Advocate General Niilo Jääskinen delivered his Opinion on 25 June 2013, which essentially found in favour of Google in relation to the issues of: the applicablility of EU legislation; Goggle’s classification as a data controller; and the rights to erasure and blocking of data. However, almost a year later the CJEU came to the opposite point of view and ruled:
- the activity of a search engine [consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference] must be classified as “processing of personal data” . . . when that information contains personal data and . . . the operator of the search engine must be regarded as the “controller” in respect of that processing, [Articles 2(b) and (d), Directive 95/46/EC];
- processing of personal data is carried out . . . when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State, [Article 4(1)(a), Directive 95/46/EC];
- the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful, [Article 12(b) and subparagraph (a) of the first paragraph of Article 14, Directive 95/46/EC] ;
- when appraising the conditions for the application of those provisions, it should inter alia be examined whether the data subject has a right that the information in question relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name, without it being necessary in order to find such a right that the inclusion of the information in question in that list causes prejudice to the data subject;
- As the data subject may, in the light of his fundamental rights under Articles 7 and 8 of the [Charter of Fundamental Rights of the European Union], request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results, those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name. [However, that would not be the case if it appeared . . . that the interference with his fundamental rights is justified by the preponderant interest of the general public in having . . . access to the information in question.
The immediate issue arising from the judgement lies with the operators of search engines and how they respond to the expected requests for the removal of links to information. It is reported that such requests were made to Google hours after the ruling was handed down, and it is thought that there are a further ~180 similar cases in Spain alone. It is likely, therefore that the practicalities of implementing the CJEU’ s judgement are being studied in detail by the legal advisers of the organizations likely to be affected, and possible lacunae investigated. It has been observed that since any claim needs to be pursued by an individual, many will be discouraged by the financial implications.
In the longer term however, further clarification may result from the EU’s on-going programme of work on data protection legislation. In 2012, the Commission proposed a major reform of the EU legal framework on the protection of personal data including: a Regulation setting out a general EU framework for data protection; and a Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.
The explanatory note to the draft Regulation states:
“Article 17 of the Regulation provides the data subject's “right to be forgotten” and to erasure. It further elaborates and specifies the right of erasure provided for in Article 12(b) of Directive 95/46/EC and provides the conditions of the right to be forgotten, including the obligation of the controller which has made the personal data public to inform third parties on the data subject's request to erase any links to, or copy or replication of that personal data. It also integrates the right to have the processing restricted in certain cases, avoiding the ambiguous terminology ‘blocking’”.
On14 March 2014, the European Parliament voted in plenary with 621 votes in favour, 10 against and 22 abstentions for the Regulation, and 371 votes in favour, 276 against and 30 abstentions for the Directive. To become law the proposed Regulation must now be adopted by the Council of Ministers under the “ordinary legislative procedure”, Article 294 TFEU, (formerly known as the “Co-decision procedure”).
 Article 4(1) of the draft Regulation states: “’data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”.