Rising like a Phoenix: The ‘Right to be Forgotten’ before the ECJ

By Orla Lynskey

Judgment of the Court (Grand Chamber) in C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez

 When Advocate General Jääskinen delivered his Opinion in the Google Spain case in June of last year (as commented upon on this blog here), it seemed to many (myself included) that it was the last nail in the coffin of the controversial ‘right to be forgotten’ provided for in the EU’s Proposed Data Protection Regulation. The judgment of the Grand Chamber of the Court of Justice delivered this morning in this case would however indicate otherwise. Indeed, it seems to follow from the judgment, which comes down decisively in favour of data protection and privacy when balanced with freedom of expression, that a ‘right to be forgotten’ already exists in the EU data protection regime in all but name only. For an assessment of the implications of this case, skip right to the bottom of this lengthy post!

The facts of the case are as follows. Mr Costeja Gonzalez was involved in insolvency proceedings relating to social security debts in the late 1990’s. These proceedings were reported in a regional newspaper in Spain and the article was later made available online. Mr Costeja Gonzalez, who was named in the report, asked the newspaper to delete the piece arguing that the proceedings were concluded and it was no longer of any relevance. The newspaper refused this request and Mr Costeja Gonzalez then asked Google Spain to remove links to the article in its search results when his name was entered into the Google search engine. The Spanish Data Protection Authority, which had refused to order the newspaper to remove the original article, asked Google Spain and Google Inc to remove the article from Google’s index of search results. Google contested this decision of the Authority before a national court which stayed the proceedings to make a preliminary reference to the Court of Justice. The questions referred to the Court can be grouped into three sets of issues:

  • the material scope of application of the Data Protection Directive (Directive 95/46 EC),
  • the territorial scope of application of the Directive and,
  • the existence of a right akin to a ‘right to be forgotten’ under existing data protection rules.

Material Scope of the Directive – The Notions of ‘Data Controller’ and ‘Processing

 The Court considered the material scope of the Directive before considering its territorial scope. The Spanish court had asked whether the activities of a search engine constitute ‘processing of personal data’ for the purposes of Article 2(b) of the Directive and, if so, whether a search engine operator is a ‘data controller’ within the meaning of Article 2(d) of the Directive.

 Article 2(b) of the Directive defines ‘processing of personal data’ as ‘any operation or set of operations which is performed upon personal data, whether or not by automatic means’. It then goes on to give a non-exhaustive list of such operations. The Court noted that the activities of a search engine – which ‘collects’, ‘retrieves’, ‘records’, ‘organises’, ‘discloses’ and ‘makes available’ personal data – must be classified as ‘processing’ [28]. The Court held that this finding was not altered by the fact that the search engine does not distinguish between personal data and other non personal data when carrying out such activities [28]. Nor according to the Court was it relevant to this finding that the data concerned were already published online and had not been altered by the search engine [29] as to exclude such data from the scope of the Directive would deprive it of its effect [30]. Alteration of data can constitute processing but the Directive equally applies to operations which do not alter data [31]. By adopting a literal interpretation of Article 2(b) the Court therefore (thankfully) rejected Google assertion that knowledge of the data (ie. whether particular data are personal or not) was required for operations to be classified as ‘processing’ [22]. This distinction had been supported by the Advocate General in his Opinion (AG Opinion, [82]).

 The Court then considered whether Google, as a legal person, ‘alone or jointly with others determines the purposes and means of the processing of personal data’ and could therefore be classified as a ‘data controller’ under Article 2(d). Resorting to both a literal and teleological interpretation of the Directive the Court held that a search engine should not be excluded from the definition of controller [34]. The Court acknowledged that the processing conducted by a search engine operator is distinct from that of a website publisher [35] and highlighted the ‘decisive role’ played by search engines in disseminating data [36]. However, the Court also emphasised that the capability of search engines to make data accessible to any internet user conducting a search on the basis of a data subject’s name [36] and to organise and aggregate information into detailed profiles of the data subject [37] may affect the fundamental rights of the data subject significantly [38]. The Court noted that, in this manner, search engines impact on data protection and privacy in a way which is additional to and distinct from publishers of websites [38]. According to the Court, the fact that website publishers might indicate to a search engine operator that specific data they publish should be wholly or partly excluded from search engine indexes does not alter this finding [39].

Territorial Scope of Application of the Data Protection Directive

 Having found that Google Spain fell within the material scope of the Directive as a data controller, the Court then went on to consider whether it fell within the territorial scope of the Directive pursuant to Article 4(1). To fall within the territorial scope, the processing needs to be carried out by a data controller established in the relevant Member State or the controller needs to be making use of equipment on the territory of that Member State for the purposes of processing.

The Court then examined whether it was sufficient for these purposes that Google Inc’s subsidiary in Spain promoted and sold advertising space on Google and orientated its activities towards Spanish inhabitants. The Court rejected Google’s argument that it was not conducting its search activities in Spain and that Google Spain was merely a commercial representative for its advertising activities and instead endorsed a more functional approach to this assessment. The Court noted that, pursuant to recital 19 of the Directive, ‘establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements’ [48]. It held that Google Spain engages in such activity and, as a subsidiary of Google Inc, constitutes an ‘establishment’ [49]. The Court then assessed whether the relevant personal data processing was ‘carried out in the context of the activities’ of an establishment of the controller. It distinguished between processing carried out ‘by’ the establishment concerned itself (which Google Spain was not doing) and processing carried out ‘in the context of the activities’ of the establishment [52]. It stated that, in order to ensure the effective and complete protection of fundamental rights, the wording of Article 4(1)(b) could not be interpreted restrictively [53] and that the legislature clearly sought to prevent individuals from being deprived of the protection guaranteed by the directive by prescribing a particularly broad territorial scope [54]. The Court therefore held that Google Spain’s activity of promoting and selling advertising space offered by the search engine which made it economically profitable was processing carried out in the context of the activities of the establishment [56]. A finding to the contrary would compromise the effectiveness of the Directive [58].  The Court therefore implicitly endorsed the Advocate General’s conclusion that a functional approach is needed to determine the territorial scope of the Directive. The Advocate General had opined that a controller should be treated as a single economic unit for these purposes if free processing services provided are cross-subsidised by revenues generated by advertising which link the two limbs of the business [Opinion, 66 and 67].

 Rights and Obligations pursuant to the Data Protection Directive

 Having established that Google Spain fell within the scope of the Directive, the Court then considered its responsibilities under the Directive. In particular, the Court considered whether an obligation flowed from Articles 12(b) and 14(1)(a) of the Directive for a search engine operator to remove links to lawful material published on third party webpages. The Court began by emphasising the Directive’s objective to ensure a high level of protection for the right to privacy [66] and that the Directive must be interpreted in light of fundamental rights which are general principles of law and set out in the EU Charter [68]. It recalled the protection offered by Articles 7 and 8 of the Charter which set out the rights to privacy and data protection respectively [69]. It noted that Article 12(b) of the Directive provides the data subject with the right to obtain rectification, erasure or blocking of data the processing of which does not comply with the Directive. While Article 12(b) specifies examples of processing which is not compatible with the Directive, the Court reiterates that these examples are not exhaustive [70] and that processing must also comply with the data quality principles in Article 6 and have a legitimate legal basis pursuant to Article 7 of the Directive [71]. The Court held that the data processing in the present case was capable of being covered by Article 7(f) [73] which requires a balancing of the opposing rights and interests of the data subject and the data controller, while taking into account the Charter rights to data protection and privacy [74]. Article 14(b) of the Directive allows the data subject to object to processing conducted on the basis of Article 7(f) by advancing compelling legitimate grounds relating to his particular situation [76]. The data subject may address such a claim directly to the controller or, to a national authority if the request is not granted [77].

 The Court went on to consider Mr. Costeja Gonzalez’s request in the present case. It held that while the data subject’s right to privacy and data protection override ‘as a general rule’ the interest of internet users in having access to information, the balance in specific cases may depend on other factors (such as the nature of the data and whether the public had an interest in it) [81]. Following such an appraisal, a supervisory or judicial authority could order the removal of a link to a page by a search engine operator without ordering the webpage publisher to remove the original [82]. In this regard, the Court highlighted that some publishers may be beyond the scope of EU legislation [84] and that a search engine operator does not appear to benefit from the derogation to the Directive for processing carried out ‘solely for journalistic purposes’ [85]. Moreover, it noted that the balancing exercise conducted under Articles 7(f) and 14(a) of the Directive differ depending on whether the processing is conducted by a publisher or a search engine operator [86]. This is because, according to the Court, processing by a search engine is likely to constitute a more significant interference with the right to privacy than publication on a web page [87]. Consequently, the Court held that in so far as the conditions laid down in Article 12(b) and 14(1)(a) of the Directive are complied with, a search engine operator must remove links to web pages which are returned when a person is searched for by name even whether those web pages are themselves lawful [88].

 The Court then considered whether this removal of these links could be justified on the basis that the information they contained may be prejudicial to the data subject or that he may simply wish it to be forgotten. The Court held that if, having regard to the circumstances of the case, it appears that the information concerned no longer complies with the Directive (for instance, if is no longer adequate or relevant or is excessive), that information must be erased pursuant to Article 12(b) [94]. When appraising requests for such erasure, it is not necessary to find that the information in question causes prejudice to the data subject [96]. The Court then went as far as to say that the fundamental rights to privacy and data protection should, ‘as a rule’ override ‘not only the economic interest of the operator but also the interest of the general public in finding that information’. However, in certain circumstances, there may be a preponderant interest of the general public (for instance, if the individual concerned was a public figure) [97]. No such preponderant interest exists in the current case according to the Court however, this is an assessment which must be made by the national court [98].

The Implications of the Court’s Judgment  

 This is a judgment which will have far-reaching implications which it is impossible to document in a single blog post. Most evidently however, the judgment reflects a renewed enthusiasm for the rights to privacy and data protection albeit perhaps at the expense of the right to freedom of expression. While the Court is ordinarily cautious in its approach to balancing fundamental rights (Promusicae being an obvious case in point), such caution is notably absent in this judgment.

 The Court bolsters the right to data protection, first, by ensuring the broad scope of application of the Directive. In his Opinion, the Advocate General had commented (with disapproval) about the far-reaching grasp of the Directive and in particular of the concept of ‘controller’ (Opinion, [81]). In order to reduce the scope of application of the Directive, the Advocate General incorporated a subjective element to the concept of the controller (arguing that a controller must have ‘awareness’ of the existence of the personal data it was processing). The problems with such an approach are however evident: for instance, could a company plead ignorance in order to avoid the application of the rules? The Court, by adopting a literal interpretation of the concept of controller and eschewing any subjective component, preserved the broad scope of application of the Directive and emphasised the importance of such a broad scope of application for the effectiveness of data protection rules.

 The number of references in the judgment to Articles 7 and 8 of the EU Charter, and the right to privacy in particular, is also quite noticeable. Indeed, the Court is at pains to emphasise that the privacy and data protection implications of processing by a search operator are distinct from and additional to the implications of publishing on a web page. This is because of a search engine’s ability to aggregate information and create a profile and also because it ensures wider dissemination of the data and easier access to it (this is emphasised in paras.38 and 87). While data processing by a search engine may have more significant privacy implications for an individual, it could also be argued that the removal of data from a search engine rather than a web page also has more significant freedom of expression implications for the very same reasons: it prevents easy access to data for a larger number of individuals. The failure of the Court to refer directly to Article 10 ECHR or Article 11 EU Charter, which protect the freedom to impart and receive information is in this regard quite remarkable. The Court appears to be of the opinion that only ‘public interest’ speech can trump the rights to data protection and privacy. Intermediaries such as Google have therefore been given a strong steer to protect privacy over freedom of expression except in limited circumstances. In practice, such intermediaries are unlikely to engage in a detailed ‘public interest’ assessment with the probable result that ‘take-down’ will be the new default. This is consistent with the interests pursued by European data protection law – in particular giving individuals enhanced control over their personal data – but puts the EU on a collision course with the US when it comes to online freedom of expression.