Is it about the right to be forgotten (at all)? In an era where everything we do online leaves a footprint, where the delete button doesn’t wipe out our actions, the recent judgement by the European Court of Justice (CoJ) draws attention to our ‘right to be forgotten’. In a longer post than usual, Nevena Ruzic[i] explores the possible ramifications of this decision and discusses what it tells us.
The CoJ’s judgement in the case of Google (Spain and Inc.) v. Spanish Data Protection Authority and M.C. Gonzales was reported as introducing the ‘right to be forgotten’ in Europe at least or even as rejecting ‘long-established notions about the free flow of information on the Internet’. We could argue that these statements were just an immediate reaction to the highlight of the decision. However, was this case really about the right to be forgotten or about impeding the free flow of information? Hardly. It is far more complex and worth dedicating some time to.
What triggered the case in the first place?
Back in March 2010, the Spanish Data Protection Authority received a complaint from a natural person against an online edition of a national newspaper and a search engine. The person’s name appeared in a news item on the media’s website as well as in the search engine’s search results. The problem was that the person didn’t like the information being linked with him, however truthful it may have been. Most probably he didn’t want other people to learn about that part of his life, as the news in question dated from the last century. And it was his private history! He requested that the information be removed from the online world and sought help from the Spanish DPA to sanction his pursuit.
Quick note for readers unfamiliar with the European data protection system: Data protection is deemed one of the core values in the EU and its member states. The current Data Protection Directive (95/46/EC), as an instrument of harmonisation leaving member states to adapt it independently in their own legal frameworks and to adopt national laws, is to be substituted by a Regulation, which is an instrument of direct application in the member states leaving them no room for manoeuvre to impose different national rules. Ever since 1995, all member states have established a data protection authority, an independent body supervising data protection in their country with quasi-judicial capacity.
The Spanish DPA was quite right in rejecting the person’s request to have his name removed from the media website. After all, as noted in the CoJ judgement, it was information that was ‘legally justified as it took place upon order of the Ministry of Labour and Social Affairs and was intended to give maximum publicity to the auction in order to secure as many bidders as possible’. In other words, the information was in the public interest, and could also be viewed (as it was by the CoJ) as journalistic expression.
In July 2010, the story of this request ended. Whether the person took the issue to some other forum is irrelevant. The point is he has not been forgotten by the media.
However, when it came to the search engine, the ruling was quite different. The parties involved were Google Spain and Google Inc., the former established in Spain, the latter in the USA but operating worldwide. We all use these and other search engines to find information online; without them we would be mostly digging in a landfill.
What the Agencia Española de Protección de Datos (Spanish DPA) did
The Spanish DPA applied its national law saying Google Spain and Google Inc. both fell under its jurisdiction. They were processing personal data, and thus should remove data at the subject’s request. Google Spain and Google Inc. submitted (separate) actions against such a decision to the Spanish National High Court, which then forwarded the question to the European CoJ in February 2012. Et voilà!
Several EU member state governments were concerned with the issue and submitted their own observations on the case. In addition to the Spanish government, as well as the European Commission, Greek, Italian, Austrian, and Polish governments also gave their views. Back in July 2013, the Advocate General gave his opinion on the case. These observations did not match entirely, and the lead opinion of the Advocate General was entirely overridden by the Court.
Prior to reaching a judgement, the CoJ needed to answer several questions: (i) may the Court, i.e., member states, apply an EU directive to Google (Google Spain and Google Inc.), and if so, then (ii) under the Data Protection Directive, what is the role of Google Spain and Google Inc. in the processing of personal data – a controller, a processor, or something else? Once that was established, the question became (iii) what rights does a person, as a data subject, have with regard to the processing their personal data?
The first question – whether the Data Protection Directive may be applied – concerned whether the processing of personal data is carried out in the context of the activities of an establishment of the controller.[ii] Google Spain and Google Inc. argued that data processing was not done by Google Spain, but by Google Search operated only by Google Inc. In the said Opinion of the Advocate General, the issue was observed through the eye of the economy and the business model of Internet search engine providers, which includes advertising and generating income. The Court established that Google Spain, as a separate legal personality from Google Inc., is a subsidiary of the latter on Spanish territory.
The second question –what is the role of the Google Spain and Google Inc. under the Data Protection Directive – answers what it does with personal data. The definition of processing of personal data encompasses any activity using personal data, including collecting, retrieving, or organising data, as well as disclosing and making data available.[iii] And this is exactly what Google (Google Search, thus Google Inc., thus Google Spain) does. Once we enter a query, it goes through billions of pages, collects what we need, retrieves the collected data, and organises it nicely for us.
Another task is to define the sort of capacity Google has, as based on this we can establish duties and responsibilities. The Data Protection Directive differentiates the roles of data controller, data processor, and data recipient.[iv] The opinions varied. The Advocate General said Google is not a data controller: ‘the Internet search engine service provider merely supplying an information location tool does not exercise control over personal data included on third-party web pages.’[v] However, according to the Court (and of course the Spanish DPA), Google is a controller.[vi]
Finally, the question of what rights the person, as a data subject, has with regard to the processing of their personal data points to what Google’s duties, as a controller, are if the person seeks to have their personal data deleted.
Google’s argument was linked to the intermediary role of a search engine and that the primary duty lay with the publisher of the website where the information, i.e., the personal data, is published. It argued that imposing a duty to delete on a search engine would fail to accommodate the fundamental rights of publishers, Internet users, and the operator.[vii] The Austrian government observed that deletion of personal data may be requested only if it is unlawful or incorrect or if the data subject has successfully objected to the publisher of the information, while the rest argued that removal may be requested directly of the search engine operator.[viii] The Court agreed with the latter.
And here is an important argument: there should be a distinction between personal data appearing in a journalistic article (however broad the term journalistic may be) and that appearing in search results, which we can hardly link to being ‘solely for journalistic purposes’.[ix] The purpose of the processing for the former is entirely different to that of the latter. The Court did not see Google as part of the media, thus did not uphold arguments regarding journalistic freedom. The Spaniards were right from the very beginning.
With regard to the ‘right to be forgotten’, the Court concluded: ‘the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful’[x] [emphasis added]. This does not mean that the article would be removed from the world; neither would it disappear from the search results; it simply would not be traceable via the person’s name. Therefore, the right to be forgotten is more about the right not be searched for by name.
Though, to play devil’s advocate, does a nickname qualify as a name?
Another thing is more puzzling still, and it remains to be seen if it will be efficacious. The Court also ruled: ‘As the data subject may […] request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results, those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question.’
So, in a given case, who will decide whether the request to delete data should be denied, and hence be accountable in the event of an erroneous decision and to whom would they be accountable?
[i] Nevena works with the Serbian Information Commissioner (also data protection authority) as the Head of Legislation and Practice Compliance and is a graduate of the Diplo/University of Malta Master in Contemporary Diplomacy.
The views presented here are solely in her personal capacity.
[ii] The relevant Article 4(1)(a) of the Data Protection Directive (Directive 95/46/EC) reads
1. Each member state shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:
(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;
[iii] Article 2(b)processing of personal data' ('processing') shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
[iv] Article 2: (d) 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law;
(e) 'processor' shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
(f) 'third party' shall mean any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data;
(g) 'recipient' shall mean a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients;
[v] Opinion of Advocate General delivered on 25 June 2013 (1) Case C‑131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, para 84.
[vi] According to the Court ‘the fact that publishers of websites have the option of indicating to operators of search engines, by means in particular of exclusion protocols such as ‘robot.txt’ or codes such as ‘noindex’ or ‘noarchive’, that they wish specific information published on their site to be wholly or partially excluded from the search engines’ automatic indexes does not mean that, if publishers of websites do not so indicate, the operator of a search engine is released from its responsibility for the processing of personal data that it carries out in the context of the engine’s activity.”, Judgment of the Court (Grand Chamber) of 13 May 2014, In Case C‑131/12, REQUEST for a preliminary ruling under Article 267 TFEU from the Audiencia Nacional (Spain), made by decision of 27 February 2012, received at the Court on 9 March 2012, in the proceedings Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, para. 39.
[vii] Judgment of the Court (Grand Chamber) of 13 May 2014, In Case C‑131/12, REQUEST for a preliminary ruling under Article 267 TFEU from the Audiencia Nacional (Spain), made by decision of 27 February 2012, received at the Court on 9 March 2012, in the proceedings Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, para. 63.
[viii] Judgment of the Court (Grand Chamber) of 13 May 2014, In Case C‑131/12, REQUEST for a preliminary ruling under Article 267 TFEU from the Audiencia Nacional (Spain), made by decision of 27 February 2012, received at the Court on 9 March 2012, in the proceedings Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, paras. 64-5.
[ix] Exception defined by Article (Processing of personal data and freedom of expression) of the Directive 95/46/EC: “Member States shall provide for exemptions or derogations from the provisions of this Chapter, Chapter IV and Chapter VI for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.”
[x] Judgment of the Court (Grand Chamber) of 13 May 2014, In Case C‑131/12, REQUEST for a preliminary ruling under Article 267 TFEU from the Audiencia Nacional (Spain), made by decision of 27 February 2012, received at the Court on 9 March 2012, in the proceedings Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González