What’s the difference between Google and an elephant? An elephant never forgets.
Last month, in a bombshell decision, the European Union’s Court of Justice (“CJEU”) demanded that Google “forget” certain items. The demand resulted from a CJEU decision that individuals have a right to request that a search engine remove certain webpage links from the search results of a search including the individual’s name. The ruling is, for all intents and purposes, final.
In short, the CJEU decided that Google Inc. is subject to the EU Data Protection Directive 94/46 (“Direction”), even though its servers were located outside the EU. As a result, Google was a data processor and data controller within the ambit of the Directive and was obliged to de-index links to personal information if requested to do so.
The case arose from the complaint of a Spanish national, who objected to having previous bankruptcy proceedings (now discharged) appear when his name was searched. There were two complaints – one against a newspaper, which had reported the bankruptcy, and a second against Google Spain and Google Inc., which search engine displayed in its results the newspaper reports of the bankruptcy.
The CJEU was asked to decide three main issues: 1. the territorial scope of the Directive; 2. the legal position of a search engine service provider; and 3. whether data subjects have a right to request that certain search results related to them be de-indexed.
On the first point, Google had taken care to locate its servers elsewhere but continued to sell advertising in Spain and directed its services toward Spanish nationals. This, the CJEU found, was sufficient to be an “establishment” within the meaning of the Directive and it rejected Google’s argument that the processing of personal data was not carried out in the context of the activities of that establishment. To the extent that “the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State”, the processing falls within the territorial scope of the Directive.
As regards the second point, by searching automatically, constantly, and systematically for information published on the internet”, the operator of the search engine “collects” data within the meaning of the Directive. By storing the data on its servers and making available the data to users in the form of a list of results, the search engine is thereby a “processor” of such data.
The search engine is also a “controller” of such data by virtue of the fact that it is the operator which determines the purposes and means of the processing. The Court also specified that search engines’ activities can be distinguished from those carried out by the original publisher(s). Hence, they should be considered controllers.
Finally, as regards the “right to be forgotten”, the Court held that a “fair balance” be struck between the right of an individual to privacy and the economic interest of the search engine operator and the legitimate interests of internet users potentially interested in having access to the information. This even applies in cases where the links are to publications that present lawful and accurate information.
The court notes, though, that in specific cases, the “balance” may depend on the nature of the information in question, sensitivity for the data subject’s private life, and the interest of the public in having that information. The public interest may vary, in particular, according to the role played by the data subject in public life.
There is some nuanced language in the decision. Search engines, for instance, are not obliged to delete, only to fairly balance the interests of competing parties.
Arguably, the scope of the judgment is also limited, in the sense that in this case the specific request at issue was the link between the individual’s name and the search result indicating the bankruptcy. Presumably, even if the request to de-index this request were granted, users could still reach the same web page through other search terms (provided requests had not also been made to de-index those as well).
More alarming from the perspective of a data controller, data processor or search engine service provider is the Court’s presumption (at para. 81) that “data subjects’ rights […] override, as a general rule, the interest of internet users” as well as the interests of the search engine operator. While the decision seems to nuance this in respect of the sensitivity of the information, the role of the individual in public life, and so on, this language does not provide a great deal of legal certainty and may lead to starkly different results among various search engine service providers.
The business implications for Google (and other similarly situated search engines) should not be underestimated. Google has already created a form for removal requests (a form which it admitted was an “initial effort”). It has been reported that Google received over 12,000 requests to be “forgotten” in the first day.
On the heels of this decision, other internet businesses will want to review their data collection and processing policies. Those which have safely operated outside of the EU may want to examine what business they do carry on within the EU lest they suddenly find themselves bound by the Directive.
consumer protection data European Union personal information privacy