Google Spain vs. AEPD: About the 'right to be forgotten' and the forgotten right of freedom of expression

On 13 May the CJEU accepted a partial ‘right to be forgotten’ in the case of Google Spain, Google v. AEPD. What is remarkable about this ruling is the extent of privacy protection adopted.

The Facts of the Case

Some 16 years ago Mario Costeja González was going through a rough patch in his life and was unable to pay his social security debts. As a result, his house was sold via public auction. This auction was announced in a newspaper.  At a later date an electronic version of the newspaper was made available online by its publisher. Google indexed the link and if you ‘googled’ the name of Mr. González a link to the newspaper article showed up in the search results. Even well over a decade after the forced auction of the property it still shows up in the search results on his name. Mr. González wanted the links to the newspaper article removed from Google’s search results. Is Google obligated to comply with his request under the Data Protection Directive? That was the question the CJEU had to answer.

Questions to the CJEU (paraphrased)

  1. Google Spain stated that the actual search engine operator is in California, US and therefore falls outside of the scope of the Data Protection Directive. Is that correct?
  2. Is a search engine operator, such as Google, liable under the Data Protection Directive as a ‘controller’ of ‘processing personal data’?
  3. If so, can Google be required to remove the links to webpages showing personal data?

The most important of these questions is the last. Does something like a ‘right to be forgotten’ exist and, more importantly, what is required before someone may make use of this ‘right’?

Does the Data Protection Directive apply to Google (Spain) in this case?

As regards the first two questions, the CJEU was quick to assume that Google Spain, as a commercial agent of Google Inc. (in California), was processing personal data in the context of the activities of the controller (Google Inc.) on the territory of Spain. Therefore the Directive, and its protection mechanism, was fully applicable. Google was also ‘processing personal data’, as the information which it collects via ‘scraping’ of websites was subsequently retrieved, recorded and organised within the framework of its indexing programmes, and made available to its users in the form of lists of search results. This is processing within the meaning of the Directive. (See para. 28 et seq.) Furthermore, Google was ‘controller’ of these data as “[i]t is the search engine operator which determines the purposes and means of that activity and thus of the processing of personal data that it itself carries out within the framework of that activity and which must, consequently, be regarded as the ‘controller’ in respect of that processing pursuant to Article 2(d).” (Para. 33).

Independent assessment of liability of Google

This means that, independently of the information and the liability of the provider (in casu the (online) publisher of the newspaper), Google has its own duty under the Data Protection Directive as a controller of processing personal data. Therefore, the request of Mr. González should be assessed independently of his options against the publisher. (Para. 39-40).

The Charter, the Directive and the search engine operator

Interesting to note is the relationship between the Data Protection Directive, the Charter of Fundamental Rights of the European Union and the existence of search engines. This case required interpretation of the Directive’s provisions in light of the fundamental rights and freedoms laid down by the Charter. It is interesting that the Court stated that the requirements that flow from these Charter rights are implemented in several articles in the Directive. This is rather remarkable considering the fact that the Charter did not exist at the time of the enactment of the Directive. Furthermore, one can ask questions about the Directive in light of the rapid development of the internet. The Directive was drafted in the 1990s and enacted in ’95, when Google founders Larry Page and Sergey Brin had just met, but had not created their famous search engine yet. The Court therefore interprets the provisions of the Directive in a rather wide manner in order to apply old rules to new situations, so that the protection envisaged at the time of enactment has not atrophied due to the technical developments. This extensive interpretation of rules, required due to the age of the Directive, shows the reason why a reform of the Data Protection Directive regime is currently being discussed and is very welcome.
The provisions of the Directive nevertheless need to be explained in light of the fundamental freedoms as laid down in the Charter and that has to be done for this particular case as well.

Balancing of fundamental freedoms and the ruling

The Court stated that:

More specifically, the incompatibility of processing personal data with the fundamental rights of the data subject “may result not only from the fact that such data are inaccurate but, in particular, also from the fact that they are inadequate, irrelevant or excessive in relation to the purposes of the processing, that they are not kept up to date, or that they are kept for longer than is necessary unless they are required to be kept for historical, statistical or scientific purposes.” (para 92.)

It is astounding that the Court does not even mention Articles 11 and 16 of the Charter in this respect. Article 11 of the Charter affords the right to freedom of expression, which is applicable to the freedom of internet users to receive information and the publisher’s right to make information available and to disseminate it. Article 16 of the Charter protects the freedom to conduct a business. Both would favour Google’s point of view in this case. The lack of any explicit mention of these articles appears odd. AG Jääskinen in his opinion (ECLI:EU:C:2013:424) in this case, which was very different from the Court’s ruling, had no qualms about using, interpreting and applying these articles explicitly. The Court however briefly touched upon something akin to Article 16 when discussing Google’s economic interest in exploiting the information. Freedom of expression is only awarded mild attention in the Court’s ruling, and is not strongly used as a counterbalance to the privacy rights of the individual.

For Mr. González the balance tipped in his favour. The information regarding the auction of his house due to social security debts, according to the Court, appears to be “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue carried out by the operator of the search engine” and therefore the links have to be deleted. (para. 94).

The implications: for Google and search engine operators alike

So, when confronted with a request to remove certain links relating to a search based on a person’s name, what does Google have to do?

The Court does not give much guidance other than that a search engine should examine the request. “in particular [it should, AB] be examined whether the data subject has a right that the information relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name. In this connection, it must be pointed out that it is not necessary in order to find such a right that the inclusion of the information in question in the list of results causes prejudice to the data subject.” (para. 96)

The assessment of the interest of the person requesting removal should, however, also take into account “a preponderant interest of the public in having, in the context of such a search, access to that information” (para. 98).

Thus, the tool that Google is currently working on to comply with this case law will have to assess not only the fundamental rights of the person requesting removal, but also the interest of the public in access to the information. If the application to Google is granted, the links will be removed. If denied, the ‘data subject’ could bring a claim to “the supervisory authority or the judicial authority so that it carries out the necessary checks and orders the controller to take specific measures accordingly”. (para. 77). There are already signs that the Data Protection Agencies have had to deal with more requests concerning links on Google than prior to this judgment.

The implications: for private persons

People will now have the option to have certain data be removed from search engine result lists. The information may very well still be available online, as the publisher of the information may not (necessarily) have to remove the information itself because it was published, for instance, for journalistic purposes or the purpose of artistic or literary expression (Article 9 Data Protection Directive). However, the ease by which the information can be found is significantly reduced.

Some remaining questions about clarity

The judgment does not answer all questions, and raises even more:

  • What about the right of the publisher? He has a right to disseminate his information and by removing the link, he too is harmed in his rights. In the balancing of fundamental rights, shouldn’t there also be a place for the publisher’s rights? In particular relating to the ‘decisive role in the overall dissemination of those data in that it renders the latter accessible to any internet user making a search (…)’ (para. 36.)
  • Is the judgment limited to searching for someone’s ‘name’ or the link itself? For which search terms will the results be removed? All of them, or only the ones where the search is for someone’s name? If it is restricted to someone’s name, does that then mean that if I were to search for “‘forced foreclosure’ AND ‘social security debt’ AND ‘streetname X’” I would still be able to find the information? In short: Will the indexed link be removed altogether or will the link not show up in a particular search? The implications differ greatly.
  • What happens if information is considered to be irrelevant or inadequate one day, but a year from now becomes very relevant because, for instance, the person enters into public office? Will the links then automatically (hardly likely) show up again, or will this require regular (manual) oversight over the information and regular re-assessments of the balance of fundamental rights?
  • Will there be two types of search engines? One with limited access to the indexes, and one with full access? In particular, when the information may be important in relation to ‘historical, statistical or scientific purposes’?
  • Does this mean that if you in the EU establish a VPN connection or proxy that connects you to the internet as if you were elsewhere, for instance in the US, you would still be able to get all the results?

Conclusion

By very widely interpreting the provisions of the Data Protection Directive, the CJEU has attempted to apply a rather archaic Directive to a modern situation. The result is an out-of-proportion win for privacy and a blow to freedom of expression.

NB. As a property lawyer I have to state one last thing: An easier solution for everyone, why not have a look at the requirement to mention the reason for the public auction? Property law might require publicity of certain information such as the announcing of an auction in the newspaper. Yet, one can scrutinise the need for publicity of the reason for the auction as well, i.e. Social security debts. I doubt it is really necessary. Perhaps here, a balance of publicity v. privacy should have been made much earlier, at the property law level.

The Data Retention Directive: Invalid. Now What?!

Today the Court of Justice of the European Union (CJEU) declared the Data Retention Directive to be invalid, based on the fact that ‘the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality’. How did the CJEU come to this decision, what are the governmental responses and what does this mean for harmonisation?

The Directive and the Question

The main objective of the Directive is, as reiterated by the CJEU:

To harmonise Member States’ provisions concerning the retention, by providers of publicly available electronic communications services or of public communications networks, of certain data which are generated or processed by them, in order to ensure that the data are available for the purpose of the prevention, investigation, detection and prosecution of serious crime, such as organised crime and terrorism, in compliance with the rights laid down in Articles 7 and 8 of the Charter.

The question posed to the CJEU, was whether the Directive was indeed in compliance with the right to respect for private life (Art. 7) and the right to the protection of personal data (Art. 8) of the Charter.

The Court of Justice Ruling

The Court takes the view that:

“by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.”

It continued by stating that in this particular case, such interference is justified (paragraphs 41-44), however it is not proportional. The measures adopted exceeded the powers of the legislature in terms of proportionality for the following reasons:

  1. The Directive fails to differentiate, limit or make exceptions between individuals and means of electronic communication in the light of the objective of fighting against serious crime (paragraphs 57-59).
  2. The Directive does not lay down objective criteria by which access to the data is granted. The general term ‘serious crime’ is the only criterion, and it is insufficient as a basis on which a proper balance between fundamental rights and the goal pursued can be struck (paragraphs 60-62).
  3. The data retention period does not depend on the type of data or the type of crime, it is six months for all. The six months can be extended to 24 months, but no objective criteria are available to determine the exact time between six and 24 months (paragraphs 63-64).
  4. The lack of sufficient safeguards to ensure that the risk of abuse or unlawful access and use of data is at an acceptable level is also an issue raised by the CJEU. For instance, service providers are allowed by the Directive to have access and to take into account economic considerations when determining the security measures they put in place and the level of that security. Furthermore, there is no specific guarantee that the data are irreversibly destroyed after their retention period has expired (paragraphs 66-67).
  5. The Court also takes issue with the possibility that the Directive leaves for the data to be retained outside the EU, without the safeguards and control that come with retention within the EU (paragraph 68).

The Directive is therefore declared invalid. It is also interesting to note that, given the fact that the Court has not limited the temporal effect of its judgment, the declaration of invalidity takes effect from the date on which the Directive entered into force. Meaning, the Directive was never valid to begin with. Hence, all the references made to the Directive by implementing laws in the Member States refer to a Directive that had never been valid. More interesting is that though the references to an invalid Directive are not necessarily a problem, the content of these implementing laws is. The reasons for the invalidity of the Directive are codified in the national laws, which are now (or rather, have always been) contrary to EU law.

The Responses of Some Member States’ Officials

The invalidity of the national laws creates an immediate issue. What to do when you know your law is invalid? Well the responses have been diverse.

  • Ireland’s Data Protection Commissioner’s office has welcomed the decision by the European Court of Justice (ECJ) on the data retention directive. Ultan O’Carroll, technology adviser with the office, said the ruling was to be welcomed because there was a “balance and proportionality to be struck” between rights and law enforcement which “I think the commissioner believed was not there before”. (Via Irish Times)
  • The UK Home Office was a little less enthusiastic and stated via a spokesperson that: “We are considering the judgment and its implications carefully. The retention of communications data is absolutely fundamental to ensure law enforcement have the powers they need to investigate crime, protect the public and ensure national security.” (Via The Guardian)
  • The German Minister of the Interior: “Data retention for the purpose of investigating serious crimes is necessary and that remains the case.” Interesting here is that the Directive had never been implemented in Germany itself, as it encountered a lot of court challenges (the Constitutional Court of Germany even annulled a German Law resulting from the Directive). The German Minister further stated that he no longer sees an immediate need for Germany to draft a substitute data retention legislation. (via dw.de)
  • The Dutch Deputy Minister was confronted with the ruling today during question time in Parliament. He stated that he and his staff still have to carefully look at the ruling and he promised that he would inform Parliament within 8 weeks (which was generally considered to be too long by Parliament). He did however state that he would still want to (find a way to) retain certain data for some time. (via nu.nl) Perhaps he needs the 8 weeks to first carefully study the justification of the (former) Directive itself, because he stated that this type of information is for instance important to ‘locate stolen phones’. If he considers stolen phones a ‘serious crime’ then the invalidity of the Directive is a godsend.

Now What?

For those countries that have implemented the Directive there are two options, either they repeal the entire law they enacted to implement the Directive, or they very quickly amend the law. The latter is more likely, but creates its own set of problems. The EU itself can also take up the legislative process once more, and draft a new Directive which takes the issues of the CJEU into account. This however, would probably take up too much time for the national legislatures. Although, the President of the European Parliament already talks about the next proposal which the European Commission should work on.

More likely is the scenario in which the national legislature comes up with a very quick amendment to their national law on data retention. With the amendment the national law could become in accordance with EU law again, if the drafters follow the criticism of the CJEU and take the specific criticisms of the Directive into account in their amendment.

This would however, defeat the purpose of harmonisation. If 28 Member States either have none or differing laws as regards data retention, harmonisation is nowhere to be found. The service providers (internet, telephone and the like) that have to retain the data itself, do not necessarily operate within national borders, and will now be subjected to different rules depending on the specific Member State to an even greater extent. It reinvigorates the debate on privacy and security, and restarts the discussion on data retention in a time in which the Snowden-leaks are still making headlines.

A Single Euro Payments Area but no free movement of bank-accounts

As of 1 February 2014 people in the European Union will have to use a lot more ink to fill out bank-account numbers. The International Bank Account Number (IBAN), formerly reserved for cross-border transfer of money, will be the new standard for everyone wanting to transfer money from one account to another, irrespective of a cross-border element. This means that some people in Europe will have to remember up to 31 characters (though the average of the IBAN numbers is closer to 20 characters). For your trouble you may rejoice in the fact that we should then be “one step closer to a proper functioning of the internal market” (Regulation No. 260/2012). A step closer, but a small one at best.

BACKGROUND

Making IBAN the standard for all accounts with European banks follows from EU Regulation No. 260/2012, which aims at advancing towards a Single Euro Payments Area (SEPA). In this area citizens, businesses and public authorities can make and receive payments in euro under the same basic conditions, rights and obligations, regardless of their location. The objective of SEPA is to increase efficiency and competition so that high-quality and competitively priced electronic payment products shall exist throughout the whole of the area.

Interestingly enough, the initiative of SEPA lies not with any of the EU institutions, but with the European Banking Industry, albeit with strong support of the European Commission and the European Central Bank. The SEPA project’s first success was the Direct Debit scheme, which enables consumers to make cross-border direct debit payments throughout all the SEPA countries. This provided consumers with easy payment of bills in other SEPA countries, from their home country by direct debit.

After this initial success, the European Commission did not consider the developments. The Commission also noted that not all stakeholders were taken into account:

In particular consumer and other user interests have not been taken into account in a sufficient and transparent way. The voice of all relevant stakeholders should be heard.

The Commission thus took over, which led to Regulation No. 260/2012, which amended the earlier Regulation 924/2009 on cross-border payments in the Community.

Using IBAN as the standard, is considered to be “necessary for the proper functioning of the internal market” and will further that goal by increasing competition for (mainly) banks. This, as is often stated in favour of SEPA, will inevitably set a consolidation process in motion, with the resulting economies of scale leading to a lower cost price for payments. Which would be beneficial for consumers and businesses alike.

MY TWO QUESTIONS & CENTS

There are two things I do not understand about the upcoming change: (1) IBAN numbers were already in existence for those who wanted to make use of cross-border debits or credits, why would we need these for domestic debits and credits as well? (2) If advancing competition is the goal, then why no bank account number portability?

1. USE OF IBAN FOR DOMESTIC AND CROSS-BORDER TRANSFERS ALIKE

When the question came up whether the BIC, the Bank Identifier or SWIFT Code which locates the specific bank and helps the translation from IBAN to domestic bank, required in current cross-border transactions, should also come into play, it was specifically stated that:

BIC is required only in a very small, residual number of cases. It seems unjustified and excessively burdensome to oblige all payers and payees throughout the Union always to provide BIC in addition to IBAN for the small number of cases where this is currently necessary.

Whilst I understand that cross-border transactions which make use of IBAN without BIC are frequented more than those that do require such a code, one wonders why the movement towards a SEPA requires the sole use of IBAN. There is no reason to assume that for domestic transfers (within a single country) the IBAN ought to be used. Does this not also put an obligation to all payers and payees throughout the Union that is not necessary?

For cross-border transfers the IBAN is already used. Why not implement all that SEPA wishes to implement but leave out the necessity of going to IBAN for all transfers, including purely domestic ones? Removing hurdles for cross-border transfers is fine. I applaud the effort, but see no reason to extend it to purely domestic transfers. A 2012 Eurobarometer survey showed that 79% of people say they have not bought goods or services of any kind in another EU country over the past year. I suspect that, of the 21% that did, not an awfully large part of all their payments was made up of those cross-border transfers, let alone direct credit/debit transfers; more often a credit card will be used.

Inferences are drawn that a Single Euro Payments Area wishes to extinguish the difference between domestic and cross-border transfers, and therefore adheres to a single standard, that of IBAN. Such is closely tied to the competition argument, which brings me to my second question.

2. IF ADVANCING COMPETITION IS THE GOAL, WHY NOT INTRODUCE NUMBER PORTABILITY; A TRUE FREE MOVEMENT OF BANK-ACCOUNTS?

Had SEPA really wanted to make a step towards increased competition, then the hurdles for setting up a bank account with another bank should be tackled as well, preferably by the ability to take your account number with you, to whichever bank you see fit, i.e. number portability.

The Netherlands (and other Member States) have attempted to make the switching of bank accounts easier with introducing a 13-month switching period, in which you keep two accounts, your old and your new. You then have enough time to change your automatic credits and debits as well as inform all that need to know of your change of bank account. When the discussions in Dutch Parliament turned to the options available, the cheaper 13-month switching period was preferred over introducing number portability with its EUR 300-500 million price tag.

Part of the reason for these high costs was the fact that we had introduced IBAN not too long before that. Introducing number portability is not compatible with the IBAN system, as the latter is a number that is partly constructed by using the bank code. Number portability is therefore incompatible with IBAN. The Dutch Finance Minister at the time nevertheless was in favour of number portability. Yet, because the SEPA process had already been in progress and EU involvement was present, the Minister considered this to be a matter of EU law, but stated he would do his best to bring number portability back on the table.

In Europe on the other hand, the lack of a Dutch implementation of number portability was an argument used by banking experts to oppose the introduction of EU-wide number portability. A somewhat circular reasoning if you ask me. From that same report it became clear that the banking sector is not in favour of number portability, due to the fact that their systems are designed for IBAN use, and a complete overhaul would cost an awful lot. Basically, had we wanted number portability we should have done it 20 years ago. Moreover, such a change would in their view still make it a burden for consumers (and companies) to change banks.

Also, banks would still need to carry out money laundering checks on new customers and branded products such as debit card and chequebooks would still need to be re-issued by the new bank, and debit cards would need to be re-issued in any case because they carry the International bank identifier number. Finally, account portability would remove the one-to-one relationship between a bank and a sort code, which is important, for example to identify which branch a cheque needs to be sent, and a ‘number portability’ remedy would increase the risk of fraud.

Consumers and companies do not, however, encounter difficulties with having to change a bank card in their wallet or throw out their old chequebook and replace it with a new one. No, the issue lies with having to inform all your debtors and creditors of the changed account. This is not mentioned by the banking experts, but is touched upon by the consumer experts.

In the summary of the public consultation on Bank Accounts, carried out by the Commission, one of the questions was particularly directed at switching bank accounts. It was asked:

What other measures [other than those directed at preventing misdirection of payment, AB] should be considered to improve bank account switching? Please describe.

Consumers and civil society
The majority of the stakeholders that replied to this question indicated that the introduction of bank account number portability offers the best solution, as it would eliminate the risk of misdirection of payments as well as most of the complications for consumers and third parties and would require only the banks concerned to make changes. As an intermediate solution, consumer organisations proposed to introduce a rerouting system, like the one currently in place in the Netherlands and in course of adoption in the UK. Stakeholders indicated that any long-term measure should focus on the portability of bank account numbers or the portability of customer account numbers linked to the underlying bank account numbers (like in the Swedish ‘Bankgiro’ system). Respondents also addressed the importance of ensuring compatibility between account number portability and the SEPA and IBAN frameworks, and called on the European Commission to launch an in-depth feasibility study on this topic.  (emphasis added, AB)

By maintaining the bank-code in the IBAN number, enhanced competition is intrinsically hindered by the administrative hurdles of actually switching to a competing bank. By opting for the IBAN-number a step towards a Single Euro Payments Area has been made, but one that will not necessarily be followed (easily) by consumers or companies. In the 2012 Eurobarometer, a mere 5% of the respondents would consider switching to a bank in another country, as opposed to 7% six years earlier. The number has only decreased. Perhaps 1 February 2014 will change the tide, but I expect number portability would do more to that number than switching to IBAN for all transfers would.

One final thought: should competition soar, and people in large numbers change accounts from (traditional) domestic banks to banks in other countries, the effects of this large scale movement of bank accounts might require another inspection of the Deposit Guarantee System. In volatile economies, banks might not survive, and consumers could lose their deposits with the banks. EU regulation in this area exists, but perhaps requires a recalibration should large scale switching of bank accounts in the EU take place.

FUTURE OUTLOOK

A Single European Payments Area has not been achieved yet as several areas have been left out of the scope of the Regulation. This leaves room for hope that in future legislation a truly competitive market will be achieved by implementing something of a free movement of bank-account numbers, which has been hinted at. Though, do not expect this in the upcoming 10 years. Nevertheless, I look forward to future developments in this area. For now, you have roughly 10 months to get used to your (new) account number.

This post has also been posted on: www.mepli.eu