European Court of Justice rules right to be forgotten principle applicable to search engines

by DLA Piper

In a landmark ruling the European Court of Justice has ruled that search engines, as a principle, need to remove the link between search results and a webpage if it contains information the individual deems should be “forgotten”.

In short, the Court decided that:

  1. Indexing information by a search engine is “processing of personal data”.
  2. Google is a “controller” of personal data.
  3. Spanish data protection law is applicable, even if indexing happens in the US.
  4. Google should remove links to webpages containing personal data, even if the webpages themselves are lawful.
  5. A fair balance should be sought between the legitimate interests of search engine users and the privacy rights of individuals.
  6. The right to be forgotten is recognised by the Court of Justice.

The Facts
The facts of the case are the following. In 1998, a major Spanish newspaper published two short announcements about a real estate auction due to social security debts of a Spanish citizen. In 2009, this person contacted the newspaper, complaining that the announcements appeared in Google searches of his name. He argued that the search results were damaging his reputation and that the attachment proceedings relating to his social security debts had been resolved many years ago. He asked the newspaper to block the pages with the announcements from being indexed by search engines. The newspaper declined to remove the offending content, stating that publication had been ordered by the Spanish government. The publication is intended to give maximum publicity to the auction in order to attract as many bidders as possible.

The citizen then contacted Google in 2010 and filed a complaint with the Spanish data protection authority (the “AEPD”). The AEPD agreed to take on the case and sued Google. The AEPD took the view that it has the power to require the withdrawal of data and the prohibition of access to certain data by the operators of search engines when it considers that the locating and dissemination of the data are liable to compromise the fundamental right to data protection and the dignity of persons in the broad sense, and this would also encompass the mere wish of the person concerned that such data not be known to third parties. The Audienca Nacional (the National High Court of Spain) submitted several questions to the European Court of Justice regarding the application of the European Data Protection Directive.

The questions stem from the uncertainty regarding the interpretation of the Data Protection Directive of 1995 in the sphere of Internet communications. The questions relate to, as summarised by the Court “what obligations are owed by operators of search engines to protect personal data of persons concerned who do not wish that certain information, which is published on third parties’ websites and contains personal data relating to them that enable that information to be linked to them, be located, indexed and made available to internet users indefinitely”. A broad interpretation of the Data Protection Directive could constrain the operation of search engines, for instance if, as noted by the Advocate General, they were considered as controllers of personal data on third party web pages.

The Court Decision
The European Court of Justice today ruled against the advice of the Advocate General, which is rather uncommon. The Advocate General was of the opinion that the citizen should direct their request to the publisher, as they are the controllers of the data, and not to Google who would be a mere processor.

Google is a “controller” of personal data
The Court ruled that Google is not a mere processor but also a controller of personal data on third party web pages, because it is Google decides upon the purposes and the means of the indexing activity.

Indexing is processing of personal data
The Court ruled that indexing information by a search engine is “processing of personal data”. Indexing information (including personal data) is a “processing activity” in the sense of the European Data Protection Directive.

National data protection law is applicable
The Court ruled that Spanish data protection law is applicable, even if indexing happens in the US. As Google Spain is established in Spain and is a subsidiary of Google Inc, the Court ruled that the promotion and selling, in Spain, of advertising space offered by the search engine makes Spanish data protection law applicable.
The Court held that the activities of search engines (such as providing a search service) and those of its subsidiaries in a Member State (such as selling advertising) are “inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed”.

Data subjects may request the removal of links from Google.
Google is obliged to remove the links to webpages containing personal data, even if the publication of those personal data on the webpages itself is lawful. The Court stated that the potential interference of a person’s rights “cannot be justified by merely the economic interest which the operator of such an engine has in that processing”. This removal of the links may be necessary because the search results “are liable to constitute a more significant interference with the data subject’s fundamental right to privacy than the publication on the web page.” The Court states regarding search results “this information potentially concerns a vast number of aspects of his private life and that, without the search engine, the information could not have been interconnected or could have been only with great difficulty. Internet users may thereby establish a more or less detailed profile of the person searched against.”

Fair balance between privacy and other interests
A fair balance should be found between on the one hand the legitimate interests of internet users who may be interested in having access to information and, on the other hand the privacy rights of the citizen. This balance may be different from case to case, and may vary in particular according the role the citizen plays in public life. The Court stated that this “balance may however depend, in specific cases, on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life.”

Right to be forgotten
Today’s ruling endorses a right to be forgotten by the Court of Justice under the current Data Protection Directive. A citizen may require Google to remove him or herself from search results, and hence, make use of his or her “right to be forgotten”, if the personal data have become today inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed.

Broad implications
This ruling increases the rights of private individuals to remove themselves from search results. It also will make search results less reliable, as certain webpages will be omitted from search results. The ruling could impact the day-to-day operation of certain Internet companies, for instance by providing automated tools for people to remove themselves from search results. It could also potentially have broad implications for any service that uses third party data sources containing personal data.

In the upcoming new Data Protection Regulation, the right to erasure is defined even more broadly. As a result, the present case will be of considerable interest to Internet companies and publishers regarding how the privacy rights of citizens are to be balanced against other rights, including the right to access information, to conduct a business but also the freedom of expression. Indeed, although the information is still available on the original websites and can be consulted, it will become more difficult to find this information if the search engine had to remove some search results from the list of results displayed following a search made.

It is now up to the Spanish National High Court to decide whether or not the earlier decision of the Spanish Data Protection Authority should be annulled or not. The High Court will probably soon confirm the decision of the Data Protection Authority, obliging Google to “take the necessary measures to withdraw the data from their index and to render access to the data impossible in the future.”

This European Court decision will have an impact throughout the European Union, as the decision is similarly binding on any other EU national courts or tribunals before which a similar issue is raised.

Court decision details: Judgment in Case C-131/12, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© DLA Piper | Attorney Advertising

Written by:

DLA Piper

DLA Piper on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.