The EU’s data protection Directive was adopted in 1995, when the Internet was in its infancy, and most or all Internet household names did not exist. In particular, the first version of the code for Google search engines was first written the following year, and the company was officially founded in September 1998 – shortly before Member States’ deadline to implement the Directive.
Yet, pending the completion of negotiations for a controversial revision of the Directive proposed by the Commission, this legislation remains applicable to the Internet as it has developed since. Many years of controversy as to whether (and if so, how) the Directive applies to key elements of the Web, such as social networks, search engines and cookies have culminated today in the CJEU’s judgment in GoogleSpain, which concerns search engines.
The background to the case, as further explained by Lorna Woods, concerns a Spanish citizen who no longer wanted an old newspaper report on his financial history (concerning social security debts) to be available via Google. Of course, the mere fact that he has brought this legal challenge likely means that that the details of his financial history will become known even more widely – much as many thousands of EU law students have memorised the name of Mr. Stauder, who similarly brought a legal challenge with a view to keeping his financial difficulties private, resulting in the first CJEU judgment on the role of human rights in EU law.
The Court’s judgment
The CJEU addressed four key issues in its judgment:
(a) the material scope of the Directive, ie whether it applies to search engines;
(b) the territorial scope of the Directive, ie whether it applies to Google Spain, given that the parent company is based in Silicon Valley;
(c) the responsibility of search engine operators; and
(d) the concept of the ‘right to be forgotten’, ie the right of an individual to insist (in this case) that his or her history be removed from accessibility via a search engine.
The details of the Court’s ruling have been summarised by Lorna Woods, but I will repeat some key points here in order to put the following analysis into context.
Does the Directive apply to search engines? The CJEU said yes. The information at issue was undoubtedly ‘personal data’, and placing it on a website was ‘processing’. A search engine was processing personal data, even though it originated from third parties, because (using the definition in the Directive) it ‘collects’ data from the Internet, then ‘retrieves’, ‘stores’ and ‘discloses’ it. It was irrelevant that the material had been published elsewhere and not altered by Google, as the CJEU had already ruled in the Satamedia case (in the context of tax information published on CD-ROM). Moreover the definition of ‘processing’ does not require that the data be altered.
A second – and perhaps more important point – was whether Google was a ‘controller’ of the data, with the result that it has liability for the data processing. Again the key issue was Google’s use of data already published elsewhere. The Advocate-General had concluded from this that Google was not a data controller – but the CJEU reached the opposite conclusion. On this point, the Court, ruling that there must be a ‘broad definition of the concept’ of a ‘controller’, distinguished between the original publication of the data and its processing by a search engine: Google undoubtedly controlled the latter activity, by means of its control over the search process. One is unavoidably reminded of the Machiavellian search-engine billionaire who frequently appears on episodes of The Good Wife – although of course he is nothing like the executives of Google.
In particular, the Court ruled that the activities of search engines make information available to people who would not have found it on the original web page, and provides a ‘detailed profile of the data subject’, and so have a much greater impact on the right to privacy than the original website publication.
Does the Directive apply to search engine companies based in California, with a subsidiary in Spain? The national court suggested three grounds on which this might be the case: the ‘establishment’ in the territory; the ‘use of equipment’ in the territory (as regards crawlers or robots, the possible storage of data and the use of domain names); or the default application of the EU Charter of Fundamental Rights.
The Court found that Google Spain was ‘established’ in the territory, and therefore the data protection Directive, in the form implemented by Spain, applied. It was not necessary to rule on the other possibilities as regards the scope of the Directive, which are very significant in the context of the Internet, so those issues remain open. It should be noted, however, that in light of the objectives of the Directive, the rules on its scope ‘cannot be interpreted restrictively’, and that it had ‘a particularly broad territorial scope’.
Why was Google Spain established there, even though it did not carry out any search engine activities? The CJEU said that it was sufficient that the company carried out advertising activities, these being linked to the well-known business model of Google (selling advertising which was relevant to search engine results).
Responsibility of search engine operators
The CJEU ruled that search engine operators are responsible, distinct from the original web page publishers, for removing information on data subjects from search engine results, even where the publication on the original pages might be lawful. It confirmed that the right to demand rectification, erasure or blocking of data did not apply only where the data was inaccurate or inaccurate, but also where the processing was unlawful for any other reason, including non-compliance with any other ground in the Directive relating to data quality or criteria for data processing, or in the context of the right to object to data processing on ‘compelling legitimate grounds’.
This meant that data subjects could request that search engines delete personal data from their search results, and complain to the courts or data protection supervisory authorities if they refused. As for Article 7(f) of the Directive, which provides that one ground for processing data (where there was no contract, legal obligation, public interest requirement or consent by the data subject) was the ‘legitimate interests of the controller’, this was a case where (as Article 7(f) provides) those interests were ‘overridden’ by the rights of the data subject.
There has to be a balancing of rights in such cases – including the public right to freedom of expression – but in light of the ease of obtaining information on data subjects, and the ‘ubiquitous’ nature of the ‘detailed profile’ that results from search engine results, the huge impact on the right to privacy ‘cannot be justified by merely the economic interest’ of the search engine operator. The public interest in the information was only relevant where the data subject played a role in public life.
In light of the greater impact of search engine results on the right to privacy, search engines are not only subject to a separate application of the balancing test, but a more stringent application of that test – meaning that the information might remain available on the original website, even if it was blocked from the search engine results. The CJEU states that search engines cannot rely on the ‘journalistic’ exception from the Directive.
The ‘right to be forgotten’
Finally, the CJEU accepts the arguments that the Directive’s requirements that personal data must be retained for limited periods, only for as long as it is relevant, amounts to a form of ‘right to be forgotten’ (although the Court does not say that such a right exists as such). While it leaves it to the national court to apply such a right to the facts of this case, the Court clearly guides the national court to the conclusion that the data subject’s rights have been violated.
The essential problem with this judgment is that the CJEU concerns itself so much with enforcing the right to privacy, that it forgot that other rights are also applicable.
As regards the right to privacy, the Court’s analysis is convincing. Of course, information on a named person’s financial affairs is ‘personal data’, and it has long been established that prior publication is irrelevant in this regard – a particularly important point for search engines. Equally, the Court had previously ruled (convincingly) in the Lindqvist judgment that placing data online is a form of ‘data processing’.
While it is less obvious that Google is a ‘data controller’, given that it does not control the original publication of the data, the Court’s conclusion that search engines are data controllers is ultimately convincing, given the additional processing that results from the use of a search engine, along with the enormous added value that a search engine brings for anyone who seeks to find that data. In this sense, Google is a victim of its own success.
Similarly, as regards the territorial scope of the Directive, it would be remarkable if Google, having established a subsidiary and domain name in Spain and sought to sell advertising there, would not be regarded as being ‘established’ in that country. The sale of advertising in connection with free searches is, of course, the key element of Google’s business model (leaving aside the many other companies, such as YouTube and Blogger, that Google has acquired over the years), and making money is surely one of the ‘activities’ of any business that aims to make profits.
The separate liability of Google as a ‘data controller’ obviously justifies the Court’s conclusion that it might, in appropriate cases, be required to take down material from its search engine results that infringes the data protection directive. This is most obviously relevant where that data is inaccurate or libellous, but that is not the case here, where the personal data is simply embarrassing.
So, in the absence of another legitimate ground for processing (which will normally be the case as regards search engines), the case ultimately turns on the balancing of interests between the data subject, the search engine and other Internet users. And here is where the Court’s reasoning goes awry.
In its previous judgment in ASNEF, the Court ruled that Spanish law failed to apply the correct balance between data subjects and direct marketing companies, because by banning any use of personal data which was not already public, it implicitly did not give enough weight to the company’s right to carry on a business. But here the Court makes no reference to that right, even though Google’s methods are as central to its business model as the use of private personal data is for direct marketers. Indeed, Google’s highly targeted advertising (not as such an issue in this case) is itself obviously a form of direct marketing.
Also in ASNEF, the Court criticised the Spanish law for its automaticity, because it failed to weigh up the interests of companies and data subjects in individual cases. But in Google Spain, it is the Court which sets out an automatic test: the economic interest of the search engine is overridden if the individual is not a public figure.
The interests of other Internet users are only briefly mentioned, even though Article 7(f) requires only a balancing of interests between not only as between the data controller (ie, the search engine in this case) and the data subject, but also as regards third parties to whom the data are disclosed, ie the general public. Oddly, the Court does not expressly refer to the Charter right to freedom of expression (it’s in Article 11 of the Charter), and does not expressly link its statements about the balancing test to the case law of the European Court of Human Rights on the best way to balance privacy and freedom of expression.
Furthermore, unlike in ASNEF, the Court makes no mention of Article 52 of the Charter (the provision dealing with limitation of Charter rights, including in the interest of protecting other rights, which also requires consistent interpretation with the ECHR). It should also be noted that, in deciding the key freedom of expression issue itself, the Court has departed from its prior approach (in Satamedia and Lindqvist, for instance) of leaving it to the national courts to decide on this issue.
The Court’s dismissal of the journalistic exception also contradicts its willingness to agree, in Satamedia, that merely sending personal tax data by text message to nosy neighbours could constitute ‘journalism’. Here, of course, it is not Google which is the journalist; but Google is a crucial intermediary for journalists. If journalism can consist of sending out tax information by text message, it could also equally consist of commenting (for whatever reason, and in whatever forum) on an individual’s past financial problems. And there is no reason why the passage of time should count against the exercise of the right of freedom of expression – although that factor should be relevant, as the Court says, as regards the right to privacy.
Consequences of the judgment
Obviously, today’s judgment only concerns search engines, but it may have broader relevance than that. Its relevance to social networks will soon be considered in another post on this blog. For search engines, those which are less successful than Google might not have an ‘establishment’ within the meaning of this judgment, which raises the question of whether they would otherwise have an establishment, use equipment on the territory, or can be covered due to the Charter.
More broadly, any non-EU company with a subsidiary selling advertising in an EU Member State in connection with its Internet services must obviously be regarded as covered by the data protection Directive by analogy with this judgment, without prejudice to those broader possibilities.
As for those search engines which do fall within the scope of the judgment, most obviously Google, it seems that their legal obligations are considerably greater than what they had thought them to be. They must respond to individual complaints that the personal data which can be found about that individual is simply too old to be relevant any more, whether it is accurate or not, and they can be challenged before the courts or a supervisory authority if they do not comply. In fact, an individual could also take action to this end before a supervisory authority.
Could a supervisory authority act of its own motion to enforce this judgment? Probably not, because the rights at issue in this case are triggered by individual complaints. Some people assiduously search Google to see what results they can find on themselves; in this context, I should point out that I am not the same ‘Steve Peers’ from Essex who has been convicted for non-payment of council tax. But others are unaware of, or don’t care about, or couldn’t be bothered to challenge, or are positively thrilled about, the existence of old information about them which can be found by means of using Google.
So not everyone who might conceivably be embarrassed by such old information will complain to Google, but a considerable number are likely to do so. Google’s liability extends to responding to such individuals, but not to completely changing the way it processes personal data in the absence of such complaints.
Interesting questions may arise, however, as regards the interpretation of the rules set out in the judgment: what exactly is a public figure, and how long has to pass before personal data is no longer relevant? For instance, a job applicant can certainly object to Google if its search results include pictures of her dancing drunkenly on a table in 1998. But she could hardly argue that a record of last night’s debauchery must be ‘forgotten’ already – even if she cannot remember it herself.
Such disputes may well prove an opportunity to argue that the remit of this judgment is narrower than it first appears, or even to request (which any national court can do) that the Court reverse at least some aspects of its judgment. For now, however, the CJEU has established a potentially far-reaching right to be forgotten, with possible significant impacts at least on the activity of search engines. While in the Lindqvist judgment, the Court was keen to ensure that the data protection Directive was adapted to the reality of the Internet, in Google Spain it seems to demand that the Internet should rather be adapted to the Directive.
As for the initiative to amend the Directive (to be replaced by a general data protection Regulation), this judgment might speed that process up, since Internet companies now have an incentive to use the process as an opportunity to limit their liability compared to what it would otherwise be – rather than (before the judgment) an interest in slowing the process down, in order to avoid an increase in that liability. Time will tell what the result of that negotiation will be.
Steve Peers is a Professor of Law at the University of Essex.