Many headlines have been generated by the CJEU's recent judgment in Google -v- González1, the so-called "right to be forgotten" case.
What exactly did the CJEU decide and what are the practical results?
Background
In 2010, Mr González (a Spanish national living in Spain) complained to the Spanish data protection agency about the fact that when his name was entered into the Google search engine, the Google results would produce links to announcements concerning his bankruptcy in 1998 on the site of a national daily newspaper.
Mr González sought the removal of the links from the Google hits and the information on the newspaper's site.
While the data protection agency rejected Mr González's complaint against the newspaper, it upheld it against Google. Google duly appealed the decision to the Spanish High Court, who then referred the matter to the CJEU.
In very brief form, the questions and answers were as follows.
Three questions for the CJEU
- Is Google Inc processing and controlling personal data?
- Does EU data protection law apply to Google Inc?
- Can individuals require that their personal data be removed from the Google search engine?
1. Is Google Inc processing and controlling personal data?
In a word, yes.
Google's search engine was retrieving, collecting, recording, organising, storing and publishing publicly available personal data, all of which are processing under EU data protection law. It was irrelevant that Google did not distinguish between personal and non-personal data, that the data had already been published online and that Google did not alter the data.
In terms of controlling personal data, Google determined the purpose and means of its processing and must, as a result, be a data controller under data protection law. The Court also added that search engines played a key role in the overall dissemination of data as it renders the data accessible to any internet user on the basis of a search of the subject's data and thus Google must ensure the effective and complete protection of data subjects.
2. Does EU data protection law apply to Google Inc?
Again, in a word, yes.
The processing of personal data by Google Inc is carried out in the context of the activities of its establishments in Europe (such as Google Spain). The Court said data protection law was intended to prevent individuals being deprived of protection by Google's territorial arrangements and that there was an inextricable link between the activities of Google Inc and Google Spain.
3. Can individuals require that their personal data be removed from the Google search engine?
The CJEU again answered this question in the affirmative.
The Court said that processing of personal data by Google significantly affects the privacy of individuals, which given the pervasive nature of the internet in modern society, substantially outweighs the economic interest of Google in processing the data.
However, it is the second element of the answer to this question which has been the cause of most of the debate on the judgment. The Court said that, in general, the individual's right to their privacy and protection of their personal data outweighs the legitimate interests of internet users who wish to access the information related to the processing of the data. In theory then, in most cases, the individual will have the greater right to have their personal data removed from the Google search engine. But, the Court was keen to stress that that is a decision to be taken on a case-by-case basis and very much depends on the circumstances of the individual, the data and the information.
Consequences
The ruling has far-reaching implications, with other search engines, social media and content providers, and business in general being affected. In essence, it means the European data protection regime can be applied to entities outside its borders and that in many cases the individual's right the privacy will outweigh the right to access information online.
It is also noticeable how much the Court talked about the objectives of data protection law and protecting the individual, with the European Commission intending to ramp this up in its forthcoming reform of the law in this area.
In the aftermath of the decision, data protection authorities welcomed it as returning some control to individuals over how their data is used online. Indeed, the European Commission has said that this should cause individuals to trust the internet more and that in turn should drive digital growth.
Google, for its part, has made its feelings against the decision clear and as the largest search engine in Europe, it will bear the brunt of the fallout. For example, Google recently said it had received about 150,000 requests to remove about 500,000 links and that so far it has removed about 170,000 links from its search results. Google search results now bear a notice at the foot of the page warning that some links may have been deactivated.
The House of Lords has also passed comment on the decision and with some justification. It says it is "misguided in principle" and "unworkable in practice" and that it has left data controllers with the task of considering a request on "vague, ambiguous and unhelpful criteria". Many agree and there is particular concern for the administrative burden and cost that will be placed on companies as a result.
But what all sides of the debate do agree on, however, is that the data protection laws in Europe need updating for the internet age and that this decision has created a significant wave of publicity for, and debate about, an individual's data protection rights.
Footnote
1 Case C-131/12
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
