Category Archives: Law and Technology

Google Spain vs. AEPD: About the 'right to be forgotten' and the forgotten right of freedom of expression

On 13 May the CJEU accepted a partial ‘right to be forgotten’ in the Case of Google Spain, Google v. AEPD. What is remarkable about this ruling, is the extent of privacy protection adopted.

The Facts of the Case

Some 16 years ago Mario Costeja González was going through a rough patch in his life and was unable to pay his social security debts. As a result, his house was sold via public auction. This auction was announced in a newspaper.  At a later date an electronic version of the newspaper was made available online by its publisher. Google indexed the link and if you ‘googled’ the name of Mr. González a link to the newspaper article showed up in the search results. Even well over a decade after the forced auction of the property it still shows up in the search results on his name. Mr. González wanted the links to the newspaper article removed from Google’s search results. Is Google obligated to comply with his request under the Data Protection Directive? That was the question the CJEU had to answer.

Questions to the CJEU (paraphrased)

Google Spain stated that the actual search engine operator is in California, US and therefore falls outside of the scope of the Data Protection Directive. Is that correct?
Is a search engine operator, such as Google, liable under the Data Protection Directive as a ‘controller’ of ‘processing personal data’ ?
If so, can Google be required to remove the links to webpages showing personal data?
The most important questions of all of these, is the latter. Does there exist something as a ‘right to be forgotten’ and more importantly, what is required before someone may make use of this ‘right’?

Does the Data Protection Directive apply to Google (Spain) in this case?

As regards the first two questions, the CJEU was quick to assume that Google Spain, as a commercial agent of Google Inc. (in California), was processing personal data in the context of the activities of the controller (Google Inc.) on the territory of Spain. Therefore the Directive, and its protection mechanism, was fully applicable. Google was also ‘processing personal data’ as the information which it collects via ‘scraping’ of websites, was subsequently retrieved, recorded and organised within the framework of its indexing programmes, and made available to its users in the form of lists of search results. This is processing in the means of the Directive. (See para. 28 et seq.) Furthermore, Google was ‘controller’ of these data as  “[i]t is the search engine operator which determines the purposes and means of that activity and thus of the processing of personal data that it itself carries out within the framework of that activity and which must, consequently, be regarded as the ‘controller’ in respect of that processing pursuant to Article 2(d).” (Para. 33).

Independent assessment of liability of Google

This means that, independently of the information and the liability of the provider (in casu  the (online)publisher of the newspaper), Google has its own duty under the Data Protection Directive as a controller of processing personal data. Therefore, the request of Mr. González should be assessed independently of his options against the publisher. (Para. 39-40).

The Charter, the Directive and the search engine operator

Interesting to note is the relationship between the Data Protection Directive, the Charter of Fundamental Rights of the European Union and the existence of search engines. This case required interpretation of the Directive’s provisions in light of the fundamental rights and freedoms laid down by the Charter. Interesting is that the Court stated that the requirements that flow from these Charter rights are implemented in several articles in the Directive. This is rather remarkable considering the fact that the Charter did not exist at the time of the enactment of the Directive. Furthermore, one can ask questions about the Directive in light of the rapid development of the internet. The Directive was drafted in 1990’s and enacted in ’95, when Google founders Larry Page and Sergey Brin had just met, but had not created their famous search engine yet. The Court therefore interprets the provisions of the Directive in a rather wide manner in order to apply old rules to new situations, so that the protection envisaged at the time of enactment has not atrophied due to the technical developments. This extensive interpretation of rules, required due to the age of the Directive shows the reason why a reform of the Data Protection Directive regime is currently being discussed and is very welcome.
The provisions of the Directive nevertheless need to be explained in light of the fundamental freedoms as laid down in the Charter and that has to be done for this particular case as well.

Balancing of fundamental freedoms and the ruling

The Court stated that:

More specifically, the incompatibility of processing personal data with the fundamental rights of the data subject “may result not only from the fact that such data are inaccurate but, in particular, also from the fact that they are inadequate, irrelevant or excessive in relation to the purposes of the processing, that they are not kept up to date, or that they are kept for longer than is necessary unless they are required to be kept for historical, statistical or scientific purposes.” (para 92.)

More specifically, the incompatibility of processing personal data with the fundamental rights of the data subject “may result not only from the fact that such data are inaccurate but, in particular, also from the fact that they are inadequate, irrelevant or excessive in relation to the purposes of the processing, that they are not kept up to date, or that they are kept for longer than is necessary unless they are required to be kept for historical, statistical or scientific purposes.” (para 92.)

It is astounding that the Court does not even mention Articles 11 and 16 of the Charter in this respect.  Article 11 of the Charter affords the right to freedom of expression, which is applicable to the freedom of internet users to receive information and the publisher’s right to make information available and to disseminate it. Article 16 of the Charter protects the freedom to conduct a business. Both of which would favour Google’s point of view in this case. The lack of explicitly mentioning these articles appears odd. AG Jääskinen in his opinion (ECLI:EU:C:2013:424) in this case, which was very different from the Court’s ruling, had no qualms using nor interpreting and applying these articles explicitly. The Court however briefly touched upon something akin to Article 16 when discussing Google’s economic interest in exploiting the information. Freedom of expression is only awarded mild attention in the Court’s ruling, and is not strongly used as a counterbalance to the privacy rights of the individual.

For Mr. Gonzáles the balance tipped in his favour. The information regarding the auction of his house due to social security debts, according to the Court, appears to be “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue carried out by the operator of the search engine” and therefore the links have to be deleted. (para 94).

The implications: for Google and search engine operators alike

So, when confronted with a request to remove certain links relating to a search based on a person’s name, what does Google have to do?

The Court does not give much guidance other than that a search engine should examine the request. “in particular [it should, AB] be examined whether the data subject has a right that the information relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name. In this connection, it must be pointed out that it is not necessary in order to find such a right that the inclusion of the information in question in the list of results causes prejudice to the data subject.” (para. 96)

The interest of the person requesting removal should however have to include also “a preponderant interest of the public in having, in the context of such a search, access to that information” (para. 98)

Thus, the tool that Google is currently working on to comply with this case law, will have to assess not only the fundamental rights of the person requesting removal, but also the interest of the public in access to the information. If the application to Google is granted, the links will be removed. If denied, the ‘data subject’ could bring a claim to “the supervisory authority or the judicial authority so that it carries out the necessary checks and orders the controller to take specific measures accordingly”. (para. 77). There are already signs that the Data Protection Agencies have had to deal with an increase in requests concerning links on Google than prior to this judgment.

The implications: for private persons

People will now have the option to have certain data be removed from search engine result lists. The information may very well still be available online, as the publisher of the information may not (necessarily) have to remove the information itself because it was published, for instance, for journalistic purposes or the purpose of artistic or literary expression (Article 9 Data Protection Directive). However, the ease by which the information can be found is significantly reduced.

Some remaining questions about clarity

The judgment does not answer all questions, and raises even more:

What about the right of the publisher? He has a right to disseminate his information and by removing the link, he too is harmed in his rights. In the balancing of fundamental rights, shouldn’t there also be a place of the publisher’s rights? In particular relating to the ‘decisive role in the overall dissemination of those data in that it renders the latter accessible to any internet user making a search (…)’ (para 36.)
Is the judgement limited to searching for someone’s ‘name’ or the link itself? For which search terms will the results be removed? All of them, or only the one’s where the search is for someone’s name? If it is restricted to someone’s name, does that then mean that if I were to search for “‘forced foreclosure’ AND ‘social security debt’ AND ‘streetname X’ I would still be able to find the information? In short: Will the indexed link be removed altogether or will the link not show up in a particular search? The implications differ greatly.
What happens if information is considered to be irrelevant or inadequate one day, but a year from now becomes very relevant because, for instance, the person enters into public office. Will the links then automatically (hardly likely) show up again, or will this require regular (manual) oversight over the information and a regular re-assessments of the balance of fundamental rights?
Will there be two types of search engines? One with limited access to the indexes, and one with full access? In particular, when the information may be important in relation to ‘historical, statistical or scientific purposes’ ?
Does this mean that if you in the EU establish a VPN connection or proxy that connects you to the internet as if you were elsewhere, for instance in the US, you would still be able to get all the results?
Conclusion

By very widely interpreting the provisions of the Data Protection Directive, the CJEU has attempted to apply a rather archaïc Directive to a modern situation. The result is an out of proportion win for privacy and a blow to freedom of expression.

NB. As a property lawyer I have to state one last thing: An easier solution for everyone, why not have a look at the requirement to mention the reason for the public auction? Property law might require publicity of certain information such as the announcing of an auction in the newspaper. Yet, one can scrutinise the need for publicity of the reason for the auction as well, i.e. Social security debts. I doubt it is really necessary. Perhaps here, a balance of publicity v. privacy should have been made much earlier, at the property law level.

HEMA-deeds taken to disciplinary court

HEMA-deeds
Little over two weeks ago, I discussed the HEMA-deeds. HEMA, a popular shop with branches all over the Netherlands, famous for its own branded products at a relatively low price, has started offering notarial deeds. More specifically, last wills and co-habitation agreements are offered by HEMA, at the relatively low price of 125 EUR per deed. According a spokesperson from HEMA, they have already sold ‘many deeds’.

Disciplinary court procedure
Today, The Royal Dutch Association of Civil-law Notaries (Koninklijke Notariële BeroepsorganisatieKNB) has put out a press statement in which it announced that is taking the notaries (or some of them, this is unclear as of yet) to the Disciplinary Court for notaries, as the Board of the KNB questions whether or not the notaries attached to the HEMA-deeds live up to the notarial rules and regulations. They would therefore like the opinion of the disciplinary court.

Issues of the KNB
In its statement the KNB expresses concerns and questions about the fulfilment of the duty of care exercised by the HEMA-deed notaries. In particular, the brunt of the work is left to the consumer(s) themselves, who supply HEMA (and with it the notaries attached to this project) all the required information by filling out a simple online form that they send via the HEMA website: httpss://notarisservice.hema.nl. Afterwards, a notary of their choosing will contact the consumer(s) to set up an appointment. It is at this point that the notaries become involved. They will meet with the parties and go over the deed and its (legal) consequences.

To me, this sounds no different from the regular practice of notaries, save for the fact that normally you would have a first meeting in person, via telephone or email by which you request the drafting of a deed and give the necessary information, rather than do all of this via the HEMA website. Hence, only the initial contact with the notary and the data-supply seems different, whereas the practice after first contact seems no different from an ordinary meeting with the notary. The KNB, however, is a bit more wary and has asked the disciplinary court to look into the matter.

Discussion starter
The KNB states that this practice, of taking work from the notaries and giving it to the consumer, could be a danger to the fulfilment of the duty of care the notary has for the legal protection of the consumer. It would therefore like to start a discussion within the ranks of the notaries about how these new societal and digital developments give rise to a possible new interpretation of the duty of care without degrading the legal protection awarded to consumers.

Thus, next to wanting to hear the disciplinary court’s opinion on the HEMA-deeds and the role of the notary, the KNB would also like to start a discussion about the role of the notary in a changing society.

The discussion has also started in Parliament, where Member of Parliament Jan de Wit asked questions to the Minister of Justice of the Netherlands, about the HEMA initiative (see this post for a translation of those questions). So far, there has not been a reply yet by the Minister.

Response of HEMA
When asked for a response, HEMA is stated it was ‘surprised’ by the statement of the KNB. According to a representative of HEMA:”this is not a new phenomenon. There are more websites that offer services like this.” According to her, perhaps the KNB was unpleasantly surprised by the large amount of attention given to the HEMA-deed.

Property law bypassed by technology: Google does not want you to transfer or lend out your new Google Glass

Google Glass has since its introduction sparked many interesting discussions amongst lawyers and bloggers concerning issues of privacy. One of the provisions in the Terms of Sale of Google Glass has now also raised my eyebrows as a property lawyer. The article prohibits a resale or lending of the first buyer’s Google Glass. Specifically the Terms of Sale state:

You may not commercially resell any Device, but you may give the Device as a gift, unless otherwise set forth in the Device Specific Addendum. Recipients of gifts may need to open and maintain a Google Wallet account in order to receive support from Google. These Terms will also apply to any gift recipient.

It goes on to specify for the Google Glass Explorer edition, which was sent out to early testers, that:

[..] you may not resell, loan, transfer, or give your Device to any other person. If you resell, loan, transfer, or give your device to any other person without Google’s authorization, Google reserves the right to deactivate the Device, and neither you nor the unauthorized person using the Device will be entitled to any refund, product support, or product warranty.

This is a somewhat odd provision to see for a property lawyer, from a European perspective at least.

Legal non-transferability

In most European legal systems the non-transferability clause either carries very little, to no proprietary effect. Non-transferability clauses are criticised for good reason: it would bring a halt to trade if widely accepted. Some legal systems heavily restrict (France and Germany) or even, such as my own, the Dutch, make it impossible to give a non-transferability clause proprietary effect for a movable and restricts it use to claims alone. Meaning that if Google Glass were introduced in the Netherlands with these terms and conditions it would have no effect in property law. You can still transfer the Device (Google Glass) and ownership will pass, but you will be in breach of contract, and liable under the contract. The acquirer thus becomes the full owner and is not hindered by the contractual obligations between the seller and Google. The seller, however, is by virtue of the sale in breach of contract and liable under the contract.

‘Factual’ non-transferability

The interesting thing about Google’s provision is that they in fact make the object non-transferable by the sanction on a breach of contract: the device will be deactivated. For the acquirer who was transferred the device it will therefore become a useless pair of glasses. What Google, therefore, does is make the object factually non-transferable.

The legal non-transferability is thusly undermined by the ‘factual/technical’ non-transferability. Property law bypassed by technology. A trend noticable in more areas than just this new Google Glass. As more and more objects become dependent on technology and in particular the internet; more and more things become subject to remote-control. To such an extent that technology serves as the control mechanism, rather than the law that stipulated and denied the possibilities of certain terms and conditions.

Interesting? Absolutely. Legally desirable? Not necessarily.

Thanks to this Mashable article for bringing the provision to my attention.