Category Archives: Privacy

Google Spain vs. AEPD: About the 'right to be forgotten' and the forgotten right of freedom of expression

On 13 May the CJEU accepted a partial ‘right to be forgotten’ in the Case of Google Spain, Google v. AEPD. What is remarkable about this ruling, is the extent of privacy protection adopted.

The Facts of the Case

Some 16 years ago Mario Costeja González was going through a rough patch in his life and was unable to pay his social security debts. As a result, his house was sold via public auction. This auction was announced in a newspaper.  At a later date an electronic version of the newspaper was made available online by its publisher. Google indexed the link and if you ‘googled’ the name of Mr. González a link to the newspaper article showed up in the search results. Even well over a decade after the forced auction of the property it still shows up in the search results on his name. Mr. González wanted the links to the newspaper article removed from Google’s search results. Is Google obligated to comply with his request under the Data Protection Directive? That was the question the CJEU had to answer.

Questions to the CJEU (paraphrased)

Google Spain stated that the actual search engine operator is in California, US and therefore falls outside of the scope of the Data Protection Directive. Is that correct?
Is a search engine operator, such as Google, liable under the Data Protection Directive as a ‘controller’ of ‘processing personal data’ ?
If so, can Google be required to remove the links to webpages showing personal data?
The most important questions of all of these, is the latter. Does there exist something as a ‘right to be forgotten’ and more importantly, what is required before someone may make use of this ‘right’?

Does the Data Protection Directive apply to Google (Spain) in this case?

As regards the first two questions, the CJEU was quick to assume that Google Spain, as a commercial agent of Google Inc. (in California), was processing personal data in the context of the activities of the controller (Google Inc.) on the territory of Spain. Therefore the Directive, and its protection mechanism, was fully applicable. Google was also ‘processing personal data’ as the information which it collects via ‘scraping’ of websites, was subsequently retrieved, recorded and organised within the framework of its indexing programmes, and made available to its users in the form of lists of search results. This is processing in the means of the Directive. (See para. 28 et seq.) Furthermore, Google was ‘controller’ of these data as  “[i]t is the search engine operator which determines the purposes and means of that activity and thus of the processing of personal data that it itself carries out within the framework of that activity and which must, consequently, be regarded as the ‘controller’ in respect of that processing pursuant to Article 2(d).” (Para. 33).

Independent assessment of liability of Google

This means that, independently of the information and the liability of the provider (in casu  the (online)publisher of the newspaper), Google has its own duty under the Data Protection Directive as a controller of processing personal data. Therefore, the request of Mr. González should be assessed independently of his options against the publisher. (Para. 39-40).

The Charter, the Directive and the search engine operator

Interesting to note is the relationship between the Data Protection Directive, the Charter of Fundamental Rights of the European Union and the existence of search engines. This case required interpretation of the Directive’s provisions in light of the fundamental rights and freedoms laid down by the Charter. Interesting is that the Court stated that the requirements that flow from these Charter rights are implemented in several articles in the Directive. This is rather remarkable considering the fact that the Charter did not exist at the time of the enactment of the Directive. Furthermore, one can ask questions about the Directive in light of the rapid development of the internet. The Directive was drafted in 1990’s and enacted in ’95, when Google founders Larry Page and Sergey Brin had just met, but had not created their famous search engine yet. The Court therefore interprets the provisions of the Directive in a rather wide manner in order to apply old rules to new situations, so that the protection envisaged at the time of enactment has not atrophied due to the technical developments. This extensive interpretation of rules, required due to the age of the Directive shows the reason why a reform of the Data Protection Directive regime is currently being discussed and is very welcome.
The provisions of the Directive nevertheless need to be explained in light of the fundamental freedoms as laid down in the Charter and that has to be done for this particular case as well.

Balancing of fundamental freedoms and the ruling

The Court stated that:

More specifically, the incompatibility of processing personal data with the fundamental rights of the data subject “may result not only from the fact that such data are inaccurate but, in particular, also from the fact that they are inadequate, irrelevant or excessive in relation to the purposes of the processing, that they are not kept up to date, or that they are kept for longer than is necessary unless they are required to be kept for historical, statistical or scientific purposes.” (para 92.)

More specifically, the incompatibility of processing personal data with the fundamental rights of the data subject “may result not only from the fact that such data are inaccurate but, in particular, also from the fact that they are inadequate, irrelevant or excessive in relation to the purposes of the processing, that they are not kept up to date, or that they are kept for longer than is necessary unless they are required to be kept for historical, statistical or scientific purposes.” (para 92.)

It is astounding that the Court does not even mention Articles 11 and 16 of the Charter in this respect.  Article 11 of the Charter affords the right to freedom of expression, which is applicable to the freedom of internet users to receive information and the publisher’s right to make information available and to disseminate it. Article 16 of the Charter protects the freedom to conduct a business. Both of which would favour Google’s point of view in this case. The lack of explicitly mentioning these articles appears odd. AG Jääskinen in his opinion (ECLI:EU:C:2013:424) in this case, which was very different from the Court’s ruling, had no qualms using nor interpreting and applying these articles explicitly. The Court however briefly touched upon something akin to Article 16 when discussing Google’s economic interest in exploiting the information. Freedom of expression is only awarded mild attention in the Court’s ruling, and is not strongly used as a counterbalance to the privacy rights of the individual.

For Mr. Gonzáles the balance tipped in his favour. The information regarding the auction of his house due to social security debts, according to the Court, appears to be “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue carried out by the operator of the search engine” and therefore the links have to be deleted. (para 94).

The implications: for Google and search engine operators alike

So, when confronted with a request to remove certain links relating to a search based on a person’s name, what does Google have to do?

The Court does not give much guidance other than that a search engine should examine the request. “in particular [it should, AB] be examined whether the data subject has a right that the information relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name. In this connection, it must be pointed out that it is not necessary in order to find such a right that the inclusion of the information in question in the list of results causes prejudice to the data subject.” (para. 96)

The interest of the person requesting removal should however have to include also “a preponderant interest of the public in having, in the context of such a search, access to that information” (para. 98)

Thus, the tool that Google is currently working on to comply with this case law, will have to assess not only the fundamental rights of the person requesting removal, but also the interest of the public in access to the information. If the application to Google is granted, the links will be removed. If denied, the ‘data subject’ could bring a claim to “the supervisory authority or the judicial authority so that it carries out the necessary checks and orders the controller to take specific measures accordingly”. (para. 77). There are already signs that the Data Protection Agencies have had to deal with an increase in requests concerning links on Google than prior to this judgment.

The implications: for private persons

People will now have the option to have certain data be removed from search engine result lists. The information may very well still be available online, as the publisher of the information may not (necessarily) have to remove the information itself because it was published, for instance, for journalistic purposes or the purpose of artistic or literary expression (Article 9 Data Protection Directive). However, the ease by which the information can be found is significantly reduced.

Some remaining questions about clarity

The judgment does not answer all questions, and raises even more:

What about the right of the publisher? He has a right to disseminate his information and by removing the link, he too is harmed in his rights. In the balancing of fundamental rights, shouldn’t there also be a place of the publisher’s rights? In particular relating to the ‘decisive role in the overall dissemination of those data in that it renders the latter accessible to any internet user making a search (…)’ (para 36.)
Is the judgement limited to searching for someone’s ‘name’ or the link itself? For which search terms will the results be removed? All of them, or only the one’s where the search is for someone’s name? If it is restricted to someone’s name, does that then mean that if I were to search for “‘forced foreclosure’ AND ‘social security debt’ AND ‘streetname X’ I would still be able to find the information? In short: Will the indexed link be removed altogether or will the link not show up in a particular search? The implications differ greatly.
What happens if information is considered to be irrelevant or inadequate one day, but a year from now becomes very relevant because, for instance, the person enters into public office. Will the links then automatically (hardly likely) show up again, or will this require regular (manual) oversight over the information and a regular re-assessments of the balance of fundamental rights?
Will there be two types of search engines? One with limited access to the indexes, and one with full access? In particular, when the information may be important in relation to ‘historical, statistical or scientific purposes’ ?
Does this mean that if you in the EU establish a VPN connection or proxy that connects you to the internet as if you were elsewhere, for instance in the US, you would still be able to get all the results?
Conclusion

By very widely interpreting the provisions of the Data Protection Directive, the CJEU has attempted to apply a rather archaïc Directive to a modern situation. The result is an out of proportion win for privacy and a blow to freedom of expression.

NB. As a property lawyer I have to state one last thing: An easier solution for everyone, why not have a look at the requirement to mention the reason for the public auction? Property law might require publicity of certain information such as the announcing of an auction in the newspaper. Yet, one can scrutinise the need for publicity of the reason for the auction as well, i.e. Social security debts. I doubt it is really necessary. Perhaps here, a balance of publicity v. privacy should have been made much earlier, at the property law level.

The Data Retention Directive: Invalid. Now What?!

Today the Court of Justice of the European Union (CJEU) declared the Data Retention Directive to be invalid, based on the fact that ‘the EU legislature has exceeded the limited imposed by compliance with the principle of proportionality’. How did the CJEU come to this decision, what are the governmental responses and what does this mean for harmonisation?

The Directive and the Question

The main objective of the Directive is, as reiterated by the CJEU:

To harmonise Member States’ provisions concerning the retention, by providers of publicly available electronic communications services or of public communications networks, of certain data which are generated or processed by them, in order to ensure that the data are available for the purpose of the prevention, investigation, detection and prosecution of serious crime, such as organised crime and terrorism, in compliance with the rights laid down in Articles 7 and 8 of the Charter.

The question posed to the CJEU, was whether the Directive was indeed in compliance with the right to respect for private life (Art. 7) and the right to the protection of personal data (Art. 8) of the Charter.

The Court of Justice Ruling

The Court takes the view that:

“by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.”

It continued by stating that in this particular case, such interference is justified (paragraphs 41-44), however it is not proportional. The measures adopted exceeded the powers of the legislature in terms of proportionality for the following reasons:

  1. The Directive fails to differentiate, limit or make exceptions between individuals and means of electronic communication in the light of the objective of fighting against serious crime (paragraphs 57-59).
  2. The Directive does not lay down objective criteria by which access to the data is granted, the general term of ‘serious crime’ is the only criterion which is insufficiently capable of being a basis on which a sufficient balance of fundamental rights and the goal pursued can be made (paragraphs 60-62).
  3. The data retention period does not depend on the type of data or the type of crime, it is six months for all. The six months can be extended to 24 months, but no objective criteria are available to determine the exact time between six and 24 months (paragraphs 63-64).
  4. The lack of sufficient safeguards to ensure that the risk of abuse or unlawful access and use of data is at an acceptable level is also an issue raised by the CJEU. For instance, service providers are allowed by the Directive to have access, to take into account economic considerations when determining the security measures they put in place and the level of that security. Furthermore, there is no specific guarantee that the data is irreversibly destructed after their retention period has expired (paragraphs 66-67).
  5. The Court also takes issue with the possibility that the Directive leaves for the data to be retained outside the EU, without the safeguards and control that come with retention within the EU (paragraph 68).

The Directive is therefore declared invalid. It is also interesting to note that given the fact that the Court has not limited the temporal effect of its judgment, the declaration of invalidity takes effect from the date on which the Directive entered into force. Meaning, the Directive was never valid to begin with. Hence, all the references made to the Directive by implementing laws in the Member States, refer to a Directive that had never been valid. More interesting is that though the references to a invalid Directive are not necessarily a problem, the content of these implementing laws is. The reasons for the invalidity of the Directive, are codified in the national laws, which are now (or rather, have always been), contrary to EU law.

The Responses of Some Member States’ Officials

The invalidity of the national laws creates an immediate issue. What to do when you know your law is invalid? Well the responses have been diverse.

  • Ireland’s Data Protection Commissioner’s office has welcomed the decision by the European Court of Justice (ECJ) on the data retention directive. Ultan O’Carroll, technology adviser with the office, said the ruling was to be welcomed because there was a “balance and proportionality to be struck” between rights and law enforcement which “I think the commissioner believed was not there before”. (Via Irish Times)
  • The UK Home Office was a little less enthusiastic and stated via a spokesperson that: “We are considering the judgment and its implications carefully. The retention of communications data is absolutely fundamental to ensure law enforcement have the powers they need to investigate crime, protect the public and ensure national security.” (Via The Guardian)
  • The German Minister of the Interior: “Data retention for the purpose of investigating serious crimes is necessary and that remains the case.” Interesting here is that the Directive had never been implemented in Germany itself, as it encountered a lot of court challenges (the Constitutional Court of Germany even annulled a German Law resulting from the Directive). The German Minister further stated that he no longer sees an immediate need for Germany to draft a substitute data retention legislation. (via dw.de)
  • The Dutch Deputy Minister was confronted with the ruling today during question time in Parliament. He stated that he and his staff still have to carefully look at the ruling and he will promised that he would inform Parliament within 8 weeks (which was generally considered to be too long by Parliament). He did however state that he would still want to (find a way to) retain certain data for some time. (via nu.nl) Perhaps he needs the 8 weeks to first carefully study the justification of the (former) Directive itself, because he stated that, this type of information is for instance important to ‘locate stolen phones’. If he considers stolen phones a ‘serious crime’ then the invalidity of the Directive is a godsend.

Now What?

For those countries that have implemented the Directive there are two options, either they repeal the entire law they enacted to implement the Directive, or they very quickly amend the law. The latter is more likely, but creates its own set of problems. The EU itself can also take up the legislative process once more, and draft a new Directive which takes the issues of the CJEU into account. This however, would probably take up too much time for the national legislatures. Although, the President of the European Parliament already talks about the next proposal which the European Commission should work on.

More likely is the scenario in which the national legislature comes up with a very quick amendment to their national law on data retention. With the amendment the national law could become in accordance with EU law again, if the drafters follow the criticism of the CJEU and take the specific criticisms of the Directive into account in their amendment.

This would however, defeat the purpose of harmonisation. If 28 Member States either have none or differing laws as regards data retention, harmonisation is nowhere to be found. The service providers (internet, telephone and the like) that have to retain the data itself, do not necessarily operate within national borders, and will now be subjected to different rules depending on the specific Member State to an even greater extent. It reinvigorates the debate on privacy and security, and restarts the discussion on data retention in a time in which the Snowden-leaks are still making headlines.