Upholding of complaint against Google brings important consequences
Earlier this week, the Court of Justice of the European Union (CJEU) gave a preliminary ruling in proceedings between Google Spain SL / Google Inc. (Google), the Spanish Data Protection Agency (AEPD), and a third party complainant. The judgment gives individuals considerable power to prevent search engines including personal data in search results. The CJEU has also emphasised the broad territorial scope of current data protection laws. The decision has important consequences for all organisations subject to the Data Protection Directive (the Directive).
In March 2010, Mario Costeja González lodged a complaint with the AEPD against both Google and daily newspaper publisher, La Vanguardia Ediciones SL. This was based on the fact that when Mr González’s name was entered into Google a link was provided to two pages of La Vanguardia detailing a property auction undertaken for social security debt recovery purposes. The bankruptcy proceedings having been resolved a number of years previously, Mr González argued that the references were irrelevant. To this end, he requested that:
- La Vanguardia be made to remove / alter the pages so his personal data no longer appeared or use appropriate search engine features to protect the information; and
- Google should be made to remove / hide the information so it did not feature in search results.
Google contested liability on the basis that:
- it was not subject to Spanish law;
- it could not be regarded as a ‘data controller’ with responsibility for processing of personal data; and
- fundamental rights of universal access to public information would be undermined if it had to comply with the removal request.
While the complaints against La Vanguardia were rejected, the AEPD upheld those against Google. Certain questions were referred to the CJEU for a preliminary ruling. The CJEU’s subsequent judgment essentially establishes that:
- search engines such as Google are ‘processing personal data’ within the meaning of the Directive when they find, compile, index, temporarily store and make available personal data in search results;
- these operators must correspondingly be regarded as ‘data controllers’ in respect of that processing, as per Article 2(d) of the Directive;
- personal data appearing in search results is the responsibility of the entity behind the engine;
- individuals can object to personal information being included in Google’s search results;
- an individual can require personal data to be deleted from search results when certain conditions are satisfied, particularly if the information is not being processed as per EU data protection law – such as if it is out-of-date or irrelevant; and
- data controllers are still subject to EU laws, even when based outside the EU, if they have EU subsidiaries which undertake activities clearly linked to personal data processing.
For companies operating engines such as Google, the possibility of substantial amounts of individuals’ data having to be removed is likely to negatively impact search functionality and may adversely affect their commercial viability. The decision means considerably increased administrative and compliance duties, costs and time pressures with the assumption of responsibility for the personal data processed. Google is not alone in having previously complained of the disproportionate and unrealistic burdens this presents. However, the CJEU established that valid opposition from a data subject would “override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in finding the information”.
Both non-EU and EU-based businesses must also now consider their arrangements for global subsidiaries and offices to ensure all are appropriately adhering to EU data protection requirements. Where entities operate across a number of jurisdictions, this is likely to pose difficulties as substantial resources will be needed to ensure compliance and a uniform, ‘one size fits all’ approach will not necessarily suffice. Organisations within the consumer credit sector will particularly have to consider what information is made publicly available relating to debtors. While the AEPD found there had been a legitimate right to publish details of Mr González’s unpaid debt here (having been undertaken upon order of the Ministry of Labour and Social Affairs), this will not necessarily always be the case.
The CJEU’s decision comes as work continues on the new Data Protection Regulation (the Regulation). The Regulation is intended to overhaul data protection law across the EU, ensuring both greater consistency and increased rights for individuals. However, with data subjects’ so-called ‘right to be forgotten’ and the territorial scope of EU data protection law strengthened by the judgment, it seems steps are already being taken towards achieving these objectives. Claims that freedom of expression will be undermined have seemingly been ignored by the CJEU. Rather than having a chilling effect on fundamental rights, heightened obligations on search engines are regarded as a way to secure “effective and complete” protection of individuals’ rights and freedoms.
For more information, contact the Regulatory team at Walker Morris.