By Orla Lynskey
Data protection policy, in particular the right to protection of personal data in Article 8 of the EU Charter, has remained firmly within the EU law limelight in recent years. This right played a key role in seminal judgments of the CJEU such as Schecke and Eifert, where for the first time a provision of secondary legislation was annulled for incompatibility with the Charter, and in Digital Rights Ireland (discussed earlier on this blog), where for the first time an entire Directive was annulled on the same grounds. Furthermore, in Google Spain (considered here) this fledgling right was ostensibly given precedence over the more established right to freedom of expression in certain circumstances, leading to a media furore on both sides of the Atlantic. 2015 was no different in this regard as much attention focused on the Court’s judgment in Schrems (discussed here), which invalidated the 15 year old Safe Harbor data sharing agreement between the EU and the US, and on the culmination of four years of negotiation on the new Proposed General Data Protection Regulation in December.
For good or for bad, the EU data protection juggernaut appears unstoppable, leaving in its wake legal instruments that do not meet its strict standards. Yet, in the shadows of these well-documented events, other noteworthy developments occurred. 2015 also saw the Dutch referring court withdraw its preliminary reference in Rease and Wullems, thereby regrettably removing the opportunity for the CJEU to pronounce upon the margin of discretion of national Data Protection Authorities (DPAs) when adopting a de minimis approach to their enforcement strategy to the detriment of individual or small group complainants. The Court did, however, deliver a number of largely overlooked yet significant data protection judgments in 2015. This contribution will focus on two significant cases which the CJEU delivered in the first week of October, immediately prior to the Schrems judgment, in Bara and Weltimmo. These preliminary references allowed the Court to clarify the interpretation of obligations and exemptions under the Data Protection Directive, as well as the Directive’s enforcement in online situations. Continue reading
By Orla Lynskey
Judgment of the Court (Grand Chamber) in C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez
When Advocate General Jääskinen delivered his Opinion in the Google Spain case in June of last year (as commented upon on this blog here), it seemed to many (myself included) that it was the last nail in the coffin of the controversial ‘right to be forgotten’ provided for in the EU’s Proposed Data Protection Regulation. The judgment of the Grand Chamber of the Court of Justice delivered this morning in this case would however indicate otherwise. Indeed, it seems to follow from the judgment, which comes down decisively in favour of data protection and privacy when balanced with freedom of expression, that a ‘right to be forgotten’ already exists in the EU data protection regime in all but name only. For an assessment of the implications of this case, skip right to the bottom of this lengthy post!
What obligations does EU data protection law impose on search engines such as Google vis-à-vis individuals who wish to suppress information about them which is lawfully available online? None according to the Advocate General as Google does not fall within the material scope of data protection law in the context of its role as a provider of free search engine services. In any event, according to the Advocate General, individuals cannot derive a ‘Right to be Forgotten’ from the current data protection rules. These were only some of the issues on which the Court was asked to adjudicate in a preliminary reference from the Spanish Audencia Nacional. Given that only a handful of cases concerning the interpretation of EU data protection rules have appeared on the Court’s docket to date, the Opinion of Advocate General Jääskinen – delivered on 25 June 2013 – was eagerly anticipated.
The facts of this case are as follows. In 1998, a newspaper published an article containing details of insolvency proceedings relating to social security debts. The relevant article was later made available online. An individual implicated in these insolvency proceedings asked the newspaper to erase this piece arguing that the proceedings had been concluded and were therefore no longer of relevance. The publisher refused to erase the data on the basis that the Ministry of Labour and Social Affairs had ordered its publication. The individual then redirected his request for erasure to Google Spain asking it to no longer show links to the newspaper in its search results when his name was entered as a search term in the search engine. The individual also addressed a complaint to the Spanish Data Protection Authority (DPA). The DPA rejected the complaint against the newspaper on the grounds that the publication of such data in the press was legally justified. However, the DPA upheld the complaint against Google Spain and Google Inc, requesting that the contested search results be removed from Google’s index of search results. Google sought the annulment of this decision before the Audencia Nacional which stayed the proceedings in order to refer a number of questions to the Court of Justice. The referred questions deal with three primary issues: the territorial application of the EU Data Protection Directive (Directive 95/46 EC), the notion of ‘data controller’ in the context of search engines and the controversial ‘right to be forgotten’.