Ce message est également disponible en : French
Because they exact a heavy toll on the fundamental rights of citizens, and especially on the right to privacy, the processing and exchange of personal data published online are increasingly under close scrutiny by European institutions. In fact, the proposed Data Protection Regulation (cf. infra) and the latest decisions of the Court of Justice of the European Union (CJEU) 1Apart from the Google Spain case, which is the subject of this note, the CJEU has recently invalidated the 2006/24/EC directive of 15 March 2006 on the retention of data (CJUE, Gd Ch., 8 April 2014, cases C-293/12 and C-594/12, Digital Rights Ireland Ltd and al.).aim to strengthen individual rights and unify protection within the European Union (EU).
In June 2013, the PRISM scandal2The Guardian revealed, on the basis of Edward Snowden’s testimony (a former NSA computer engineer), that the American government could access, through the PRISM surveillance program, personal data processed by major internet companies, such as Google, Facebook, YouTube, Microsoft, Skype and Apple (Glenn Greenwald and Ewen MacAskill, « NSA Taps in to Systems of Google, Facebook, Apple and Others, Secret Files Reveal », The Guardian, 7 June 2013). highlighted the economic and political implications of online data processing activities carried out by major internet companies and recalled the need for a new European legal framework designed to improve the protection of European citizens in the growing context of global data flows.
European legislation on the processing of personal data dates back to 1995 3Directive 95/46/CE of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (referred to here as: the 1995 Data Protection Directive).(i.e. before the digital revolution) and has been under revision since 2012. On 12 March 2014, the European Parliament adopted – in first reading – a draft European Data Protection Regulation, which aims to strengthen national laws and covers most issues relating to personal data processing within the EU 4On the same day, the European Parliament adopted – in first reading – a draft directive on the processing of personal data in relation to police and criminal justice cooperation. . In particular, this text establishes new rights for European citizens whose personal data is transferred to non-European countries, updates the right to erasure mentioned in the 1995 Directive, creates a right to be forgotten, and increases fines imposed on infringing companies up to 100 million euros or 5% of worldwide turnover.
Just a few weeks later (and thus preceding the European legislator), on 13 May 2014, in a landmark ruling handed down in the Google Spain case, the CJEU significantly improved personal data protection by creating a new online right to be forgotten 5CJUE, Gd Ch., 13 May 2014, case C-131/12, Google Spain SL and Google Inc. / Agencia Espanola de Proteccion de Datos et Gonzalez.which enables data subjects to obtain, under certain conditions, removal from the search engine’s index, of links to web pages containing information relating to them.
Beyond the individual case, this ruling, like any CJEU decision, applies to all EU citizens (irrespective of nationality) 6But to EU citizens only. , and is binding on all the national authorities and courts of the Member States hearing similar cases. This means that the obligation imposed on Google to remove hyperlinks from the search engine’s index will undoubtedly be extended to other search engine operators in the near future.
The first consequence of this ruling for Google has been to require the company to make available to users a “removal request form”7 https://support.google.com/legal/contact/lr_eudpa?product=websearch&hl=fr.on which to submit demands to take down links. Google has reportedly already received more than 70,000 requests.
The Google Spain case started in 2010 when a Spanish citizen, Mr Mario Costeja Gonzalez, lodged a complaint with the Spanish Data Protection Agency (the Agencia Espanola de Proteccion de Datos, the AEPD 8The equivalent of the CNIL in France and the ICO in the UK. This independent agency is the first instance judge in personal data protection cases.) against La Vanguardia Ediciones SL, the publisher of a daily newspaper, and against Google Spain and Google Inc. Mr Gonzalez contended that when an internet user entered his name in the Google search engine, the list of results would display links to two pages of La Vanguardia’s newspaper dated January and March 1998. Those pages contained an announcement for a real estate auction which had been organised following attachment proceedings against Mr Gonzalez for the recovery of social security debts. Mr Gonzalez stated that these proceedings had been fully resolved for a number of years and hence the reference to them was now entirely irrelevant. As a consequence, he requested, first, that La Vanguardia be ordered to remove or alter the pages in question so that the personal data relating to him no longer appeared; and, second, that Google Spain and Google Inc. be required to remove or conceal the personal data relating to him so that it no longer appeared in the search results.
The AEPD rejected the complaint against La Vanguardia, taking the view that the information in question had been lawfully published in the newspaper as a legal notice. However, the Spanish Data Protection Agency asked Google to take the necessary steps to withdraw the data from its index. Google Spain and Google Inc. brought the case before the appellate court (the Audiencia Nacional), claiming that the AEPD’s decision should be overturned.
Therefore, before the Spanish appellate court (and consequently before the CJEU), the question is limited to the liability of the internet search engine operator, and the responsibility of the publisher of the website where the personal data appears is not discussed.
1. It is in this context that the Audiencia Nacional referred a series of questions to the CJEU for a preliminary ruling. In its judgment of 13 May 2014, the EU Court holds, first of all, that the indexing operations carried out by a search engine must be classified as “processing personal data”, and that the operator of a search engine is the “controller” in respect of that processing, within the meaning of the 1995 Data Protection Directive.
As a consequence, for the CJEU, the Directive applies to the indexing activity of a search engine and the operator of the search engine must ensure that its activity complies with the provisions of the Directive.
2. Answering another question asked by the Spanish Court on the 1995 Data Protection Directive’s territorial scope, the EU Court holds that, when the parent company processing personal data outside the EU has a branch or a subsidiary in a Member State, which promotes the selling of advertising space offered by the search engine, the Directive applies9The question of the territorial scope of the Directive was raised as Google Inc. (headquarters), where the data processing activity is carried out, is located in the US, and Google Spain (subsidiary) only promotes the selling of advertising space. .
3. Then, and most importantly, the EU Court rules on the extent of the responsibility of the operator of the search engine processing personal data. By doing so, the Court creates a digital right to be forgotten based on the right to privacy10The decision is based on Article 7 (Respect for private and family life) and Article 8 (Protection of personal data) of the EU Charter of Fundamental Rights. . Subject to certain conditions, this right entitles internet users to obtain, the deletion, from the search engine, of links to web pages containing personal information about them.
Precisely, how far does the right to be forgotten extend for the CJEU? In other words, under which conditions does the right to be forgotten apply?
The Court considers that, following a search made on the basis of a person’s name, the search engine operator is obliged to delete, from the list of results, links to web pages containing personal data about the person in question, as soon as the processing of personal data is incompatible with the 1995 Data Protection Directive. For the CJEU, “such incompatibility may result not only from the fact that such data are inaccurate but, in particular, also from the fact that they are inadequate, irrelevant or excessive in relation to the purposes of the processing, that they are not kept up to date, or that they are kept for longer than is necessary unless they are required to be kept for historical, statistical or scientific purposes.” (para. 92 of the judgment). In other words, as soon as the personal data at issue falls within one of these categories, the data subject has the right to obtain the deletion of the links from the search engine, and in this connection, “it is not necessary in order to find such a right that the inclusion of the information in question in the list of results causes prejudice to the data subject.” (para. 96).
These criteria of applicability immediately raise various questions (when is data “no longer” necessary? when is data “inadequate” or “irrelevant”? what does “excessive” mean?). Furthermore, as this threshold appears to be extremely low, it is likely to lead to deletion of hypertext links from search engines on a large scale.
It has to be noted that the CJEU refers to both initially unlawful (i.e. contrary to the Data Protection Directive) processing and processing becoming unlawful in the course of time (“kept for longer than is necessary”: cf. supra). Concerning this second category, the Court holds: “even initially lawful processing of accurate data may, in the course of time, become incompatible with the directive where those data are no longer necessary in the light of the purposes for which they were collected or processed. That is so in particular where they appear to be inadequate, irrelevant or no longer relevant, or excessive in relation to those purposes and in the light of the time that has elapsed.” (para. 93).
As defined, this new right is clearly a particular application (i.e. for data displayed by a search engine) of the larger online right to be forgotten, which is commonly understood as the ability for each of us to regulate our digital tracks and to control our online life – public and private11Cf. Activity Report 2013 of the CNIL, page 16..
Moreover, as to the scope of this new right, the EU Court makes it clear that the obligation to remove links exists also in a case where the personal data still appears on third party web pages, and even, as the case may be, when its publication in itself on those pages is lawful. Thus, when a data subject exercises his/her right to be forgotten, and asks Google to remove a link from the search engine’s index list, he/she does not have to submit the same request to the publisher of the website where the information is disclosed. As a consequence, personal data which have disappeared from Google may be found by using other search engines, and this could lead to a decline in the use of Google – at least as long as the other search engines are not under the same obligation of erasure as Google.
While recognising this new individual right, the Court also points out that such a right critically interferes with the right of information of the public and that “a fair balance” should be sought between this fundamental right and the rights of the data subject, in particular his/her right to privacy (para. 81). For the CJEU, as a general rule, the data subject’s rights override. However, the balance may depend, “in specific cases, […] on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life.” (para. 81).
Whilst the “public person” test is a well-known limit to the right to privacy, the meaning of “in particular” is far from being clear. We are therefore left to ask how the courts and the national authorities in charge of regulating the new right to be forgotten will interpret this phrase, and thus delimit the boundaries of this exception.
4. Finally, the Court holds that data subjects may address their requests of erasure directly to the operator of the search engine. In the event that the operator does not grant the request, or does not respond to the request, the matter may be brought before the national authority or the judge. As a consequence, the search engine operator, Google, will be the first to decide whether a link should be removed or not. Paradoxically this will lead to increase its heavily criticised status as global internet regulator.
This bold ruling has encountered many critical comments, not least from Google. Wikipedia has pointed to “Internet censorship”, while Reporters sans Frontières has claimed that this judgment “violates the freedom of information”.
In conclusion, pending the definition of the right to be forgotten in the new European Regulation (cf. supra), the “fair balance” – referred to by the CJEU – between right to privacy and right to information needs to be reached in order to reconcile freedom of speech advocates and right to privacy supporters.
|↑ 1||Apart from the Google Spain case, which is the subject of this note, the CJEU has recently invalidated the 2006/24/EC directive of 15 March 2006 on the retention of data (CJUE, Gd Ch., 8 April 2014, cases C-293/12 and C-594/12, Digital Rights Ireland Ltd and al.).|
|↑ 2||The Guardian revealed, on the basis of Edward Snowden’s testimony (a former NSA computer engineer), that the American government could access, through the PRISM surveillance program, personal data processed by major internet companies, such as Google, Facebook, YouTube, Microsoft, Skype and Apple (Glenn Greenwald and Ewen MacAskill, « NSA Taps in to Systems of Google, Facebook, Apple and Others, Secret Files Reveal », The Guardian, 7 June 2013).|
|↑ 3||Directive 95/46/CE of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (referred to here as: the 1995 Data Protection Directive).|
|↑ 4||On the same day, the European Parliament adopted – in first reading – a draft directive on the processing of personal data in relation to police and criminal justice cooperation.|
|↑ 5||CJUE, Gd Ch., 13 May 2014, case C-131/12, Google Spain SL and Google Inc. / Agencia Espanola de Proteccion de Datos et Gonzalez.|
|↑ 6||But to EU citizens only.|
|↑ 8||The equivalent of the CNIL in France and the ICO in the UK. This independent agency is the first instance judge in personal data protection cases.|
|↑ 9||The question of the territorial scope of the Directive was raised as Google Inc. (headquarters), where the data processing activity is carried out, is located in the US, and Google Spain (subsidiary) only promotes the selling of advertising space.|
|↑ 10||The decision is based on Article 7 (Respect for private and family life) and Article 8 (Protection of personal data) of the EU Charter of Fundamental Rights.|
|↑ 11||Cf. Activity Report 2013 of the CNIL, page 16.|