The European Court of Justice (ECJ) issued a quite surprising decision against Google which has significant implications for global companies.
On May 13, 2014 the ECJ issued a ruling which did not follow the rationale or the conclusions of its Advocate General, but instead sided with the Spanish data protection authority (DPA) and found that:
individuals have a right to request from the search engine provider that content that was legitimately published on websites should not be searchable by name if the personal information published is inadequate, irrelevant or no longer relevant;
Google’s search function resulted in Google acting as a data controller within the meaning of the Data Protection Directive 95/46, despite the fact that Google did not control the data appearing on webpages of third party publishers;
Spanish law applied because Google Inc. processed data that was closely related to Google Spain’s selling of advertising space, even where Google Spain did not process any of the data. In doing so, it derogated from earlier decisions, arguing the services were targeted at the Spanish market, and such broad application was required for the effectiveness of the Directive.
The ruling will have significant implications for search engines, social media operators and businesses with operations in Europe generally. While the much debated “right to be forgotten” is strengthened, the decision may open the floodgates for people living in the 28 countries in the EU to demand that Google and other search engine operators remove links from search results. The problem is that the ECJ mentions a broad range of data that may be erased. Not only should incorrect or unlawful data be erased, but also all those data which are “inadequate, irrelevant, or no longer relevant”, as well as those which are “excessive or not kept up to date” in relation to the purposes for which they were processed. It is left to the companies to decide when data falls into these categories.
In that context, the ruling will likely create new costs for companies and possibly thousands of individual complaints. What is more, companies operating search engines for users in the EU will have the difficult task of assessing each complaint they process and whether the rights of the individuals prevail over the rights of the public. Internet search engines with operations in the EU will have to handle requests from individuals who want the deletion of search results that link to pages containing their personal data.
That said, the scope of the ruling is limited to name searches. While search engines will have to de-activate the name search, the data can still be available in relation to other keyword searches. The ECJ did not impose new requirements relating to the content of webpages, in an effort to maintain the freedom of expression, and more particularly, press freedom. But this will still result in a great deal of information legally published to be available only to a limited audience.
Below we set out the facts of the case and the most significant implications of the decision, and address its possible consequences on all companies operating search engines.
FACTS OF THE CASE
In 2010, a Spanish national lodged a complaint before the Spanish DPA against the publisher of a daily newspaper with a wide audience in Spain, La Vanguardia, and against Google Spain and Google Inc. for their refusal to remove web links to the newspaper. The web pages contained the claimant’s personal details in an announcement concerning an auction of real estate connected with a procedure prompted by Social Security debts.
The Spanish DPA did not require the newspaper to take down the pages, but it ordered Google Spain and Google Inc. to remove the data from their search results and to render future access to them impossible. Google appealed to the Spanish National High Court, seeking an annulment of the DPA decision.
QUESTIONS REFERRED TO THE COURT
The Spanish National High Court referred the following questions to the ECJ for a preliminary ruling:
Is Google a data controller with respect to its search engine activity?
Does the Directive apply even though Google Spain does not carry out any activity related to the search engine?
Can individuals require the erasure of their personal data by Google in a search engine, regardless of whether third- party content is legitimate?
The ECJ is the highest court which decides on the interpretation and application of EU law. Decisions of the ECJ are legally binding on the courts in all EU countries which apply EU law. When a case is referred for a preliminary ruling, the answers of the ECJ must be applied by national courts, which then issue their own ruling on the specific facts of a case. There is no appeal following a preliminary ruling.
In this specific case, the case will go back to the Spanish National High Court, which will have to decide on the specific facts while taking into account the principles highlighted by the ECJ.
OPINION OF THE ADVOCATE GENERAL
On June 25, 2013 the Advocate General at the ECJ Niilo Jääskinen issued an Opinion recommending that Google should not be required to remove links to legitimate third-party content based on data protection principles. In his Opinion, Jääskinen emphasized the importance of freedom of speech and the reservation of historic newspaper reports.
The Advocate General agreed that sales offices in EU countries suffice to trigger the application of that country’s data protection law. In his view, the processing of personal data takes place within the context of an ‘establishment’ if that establishment is linked to a service selling targeted advertising in the Member State, even if the technical data processing operations are situated in third countries.
However, the Advocate General stated that Google cannot be considered the data controller of data available on third party websites as it does not control the content of these sites. Also, he made it clear that in his opinion, there was no such thing as a general “right to be forgotten” under the current Data Protection Directive.
The ECJ ultimately took a very different view. It is an uncommon occurrence that the ECJ disagrees with the opinion of an Advocate General as it has done here.
GOOGLE IS A DATA CONTROLLER
In its decision, the ECJ explained that Google’s search engine activity consists of retrieving, recording and organizing personal data which it stores on its servers and, as the case may be, discloses the data to its users in the form of lists of results. In the ECJ’s view, this indexing activity is a processing of personal data, regardless of the fact that the search engine does not distinguish between personal data and other types of data.
The ECJ further regarded Google as a data controller in relation to the processing of the data by the search engine. According to the ECJ, Google determines the purposes and means of data processing and its activity is “liable to significantly affect” individuals’ fundamental rights to privacy. The ECJ highlighted that the definition of a data controller in the Directive is broad.
The ruling is a surprising result as this means that Google is the data controller of search results even though it cannot control the webpages from which the data are pulled. In fact, third party publishers are the data controllers when it comes to the content of the webpages. This fact however, was not relevant to the ECJ and finding may have broader implications regarding the definition of a data controller in other contexts.
APPLICATION OF EU DATA PROTECTION LAW WHERE PROCESSING RELATES TO ACTIVITIES OF LOCAL SALES AGENTS
The ECJ held that the Google’s search engine is subject to EU data protection laws even if Google Spain does not carry out any activity directly linked to the indexing or storing data.
In fact, the ECJ said that a broad interpretation of the territorial scope of EU laws was required to ensure the effectiveness of Art. 4.1 (a) of the Directive which states that local EU data protection law applies where “the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable.”
The ECJ determined Google Spain constitutes a stable establishment of Google Inc. within the meaning of the Directive, and Google Inc.’s processing is closely related to Google Spain’s activity because it is intended to promote and sell advertising space in Spain in order to make the service offered by the engine more profitable. In doing so, the Court considered whether Spanish users were targeted for marketing and for advertising, a consideration provided in the draft EU Regulation and discussed in literature, but not currently provided in the Directive. Thus, this finding is new and quite unexpected.
The ECJ ruling follows the same line as its General Advocate and a common position in the Member States with respect to the meaning of an “establishment”. It held the “establishment” in not just in terms of control over personal data, but also in the economic function of the EU subsidiaries of the foreign companies. The interpretation of the “establishment” has been continuously broadened by the EU DPAs. This may, in the end, be the finding that has the broadest implications for companies. Essentially if an EU subsidiary is intertwined with the goals and purposes of a foreign parent company and if the service is aimed at the local EU Member State market, EU law may be found to apply to the non-EU entity.
RECOGNITION OF THE MUCH DEBATED “RIGHT TO BE FORGOTTEN”
According to the ECJ opinion, a website operator should remove links to web pages that are published by third parties each time the inclusion of the link is or has become incompatible with the Directive. Opposing the Advocate General’s reasoning, the ECJ stated that a link is incompatible with the Directive not only when the data are false or unlawful (which is the current position in many Member States), but also when the data are inadequate, irrelevant, or no longer relevant, or where the data are excessive or not kept up to date in relation to the purposes for which they were processed. This is a significant expansion of the definition of the correction rights as currently implemented and interpreted in many Member States.
The ECJ did make an exception for individuals who are public figures or where the public interest in the information would outweigh the privacy rights of the individuals.
In the specific case at hand, the ECJ found that the web pages contained true information that had been lawfully published, but they stated, “having regard to the sensitivity of the information contained on the webpage, and to the fact that its initial publication had taken place 16 years earlier, the data subject establishes a right that that information should no longer be linked to his name.” Thus, the ECJ found that even where the data are lawfully published and the underlying website will not be altered, the individual still has the right to request that the “aggregator” of such information remove the data. The ECJ, however, did not impose specific requirement as to how much time must pass for a request to be considered valid, leaving that question to search engine operators, data protection authorities and national courts to answer on a case-by-case basis.
As a result, while the information was legitimately published, and may remain available off-line and on the Internet, the information should no longer be searchable via the name of the individual. That said, it would still be permissible for the search engine platform to allow the information to be searchable by date, location, or any other keyword.
A NEW SOURCE OF CONTENTIONS BEFORE THE DPAs
The ECJ justified the new constraint it imposes on technology companies by the “seriousness of the interference in the private life of the individuals” that may be caused by a name search. In fact, any Internet user, when he or she searches an individual’s name, may obtain a structured overview of the information relating to that individual, the ECJ said. This information potentially concerns a vast number of aspects of an individual’s private life which, without the search engine, could not have been interconnected.
What this likely means in practice is that an individual may make a request to a company to have the links based on name be removed. If the company does not agree, then the individual will have the right to go to the Data Protection Authority or the local courts to try to force the company to remove the links. This will thus create quite a bit of additional work for the DPAs and the courts.
A DIFFICULT BALANCE TO STRIKE BETWEEN THE INTERESTS OF THE INDIVIDUALS AND THOSE OF THE INTERNET COMMUNITY
The ECJ ruling creates a new requirement that search engine operators and other aggregators of information must seek a fair balance between the interests of the individuals and those of the public. The ECJ stated that the following factors need to be taken into account by the search engine provider in deciding whether to make information available via name search.
The balance will depend on (i) the nature of the information, (ii) the sensitivity of the information for the individual’s private life and (iii) the interests of the general public in having that information. Such interest may vary according to the role played by each individual in public life. Again, it is for the companies to assess in which case such role may justify the indexation of the data. This will likely be a costly and uncomfortable position for many companies.
PRESS FREEDOM AND FREE SPEECH PRESERVED BUT POTENTIALLY LIMITED
The ECJ affirmed that publishers of websites are still allowed to publish contested personal data for journalistic purposes. These rights do not, however, extend to search engines. Therefore, while an individual may require the erasure of his or her data by a search engine’s operator, the content of the webpage would be left unchanged.
However, it is likely that the decision will affect the activity of journalists and more generally, freedom of expression. The removal of contested links will lower the number of times a webpage is visited, thus adversely affecting freedom of expression. The ECJ did not uphold the Advocate General’s opinion that the erasure of legitimate and legal information would amount to a form of “censorship” by a private party.
CURRENT STATE OF PLAY AT EU LEVEL
The introduction of a right to be forgotten has been proposed by the EU commission in the proposed General Data Protection Regulation. In a first reading of March 2014, the Parliament adopted a new article 6, which set out that any data which is inaccurate, incomplete or no longer up to date should not be disclosed. The proposed Regulation also sets out that the right to erase incorrect data extends to third parties. However, the Parliament did not retain the Rapporteur’s proposition for a reference to clear time limits. For the proposed Regulation to become law, the Council must agree on a common position with the Parliament. It is not certain that these developments will be upheld by the Council which has stated that it wants to remove administrative burdens from companies. While Parliament has expressed the need to adopt a reform by the end of the year, the Council has not yet formed official positions or started official negotiations to reach a common position. In view of the coming European elections and the appointment of a new Commission, solid legislative work may not restart until next year.
In this context, it is still unclear whether the ECJ’s ruling at hand will be integrated in the new Regulation. What is sure is that the decision will be debated at the EU level, whereas it already has implications in the jurisdictions of the 28 Member States.
In addition to putting data protection authorities in a rather uncomfortable position of deciding on the question of what legitimate content should be easily searchable and accessible, this decision will have wide-ranging ramifications for organizations, not just for search engine providers.
First, there is a very broad interpretation of the jurisdictional reach of EU Member State law to cover organizations outside the EU whenever users in the EU are targeted.
Second, search engine providers, social media and other content providers may have obligations to comply with the data protection laws even where they are not involved in making decisions about the online content provided.
Third, the way in which organizations search for data will likely change due to the fact that certain information will now no longer be available by name.