Tuesday 13 May 2014

Google as data controller and right to be forgotten - CJEU in Google Spain (C-131/12)

13 May 2014: CJEU judgment in Google Spain (C-131/12)

We have previously discussed the opinion of AG Jääskinenin the Google Spain case, where he argued that an online service provider like Google (providing search engine services) should not be considered to fall under the definition of a data controller, meaning that it would not be obliged to comply with the data protection requirements and control what data is revealed through its search results. (see No forgetting...) Interestingly, in today's judgment the CJEU takes a different stand on these issues.

"According to Google Spain and Google Inc., the activity of search engines cannot be regarded as processing of the data which appear on third parties’ web pages displayed in the list of search results, given that search engines process all the information available on the internet without effecting a selection between personal data and other information. Furthermore, even if that activity must be classified as ‘data processing’, the operator of a search engine cannot be regarded as a ‘controller’ in respect of that processing since it has no knowledge of those data and does not exercise control over the data." (Par 22)

While, Google Spain claimed that it should not be seen as either a data controller or a subject of data protection rules, the CJEU disagreed, mentioning that already previously loading of personal data on a website that was considered as falling under the data processing definition from the Data Protection Directive. (Par. 26)

"Therefore, it must be found that, in exploring the internet automatically, constantly and systematically in search of the information which is published there, the operator of a search engine ‘collects’ such data which it subsequently ‘retrieves’, ‘records’ and ‘organises’ within the framework of its indexing programmes, ‘stores’ on its servers and, as the case may be, ‘discloses’ and ‘makes available’ to its users in the form of lists of search results. As those operations are referred to expressly and unconditionally in Article 2(b) of Directive 95/46, they must be classified as ‘processing’ within the meaning of that provision, regardless of the fact that the operator of the search engine also carries out the same operations in respect of other types of information and does not distinguish between the latter and the personal data." (Par. 28)

This finding cannot be contradicted by a claim that personal data has already been published somewhere else online and not changed by the search engine. (Par. 29, 31) Moreover, since the definition of data controller in the Directive should be broadly understood, the fact that Google may not have control over what's posted on other websites doesn't exclude it from under this definition. (Par. 33-37)

The CJEU also reminds the need to protect both private life and personal data, since these are among the fundamental rights mentioned in the Chapter. (Par. 69) While the data subject may request revision or removal of his personal data from the search engine's results, this request for data protection can clash with the freedom of expression and other people's right to information.

"In the light of the potential seriousness of that interference, it is clear that it cannot be justified by merely the economic interest which the operator of such an engine has in that processing. However, inasmuch as the removal of links from the list of results could, depending on the information at issue, have effects upon the legitimate interest of internet users potentially interested in having access to that information, in situations such as that at issue in the main proceedings a fair balance should be sought in particular between that interest and the data subject’s fundamental rights under Articles 7 and 8 of the Charter. Whilst it is true that the data subject’s rights protected by those articles also override, as a general rule, that interest of internet users, that balance may however depend, in specific cases, on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life." (Par. 81)

Keeping this in mind, the CJEU then decides that "the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.". (Par. 88)

Finally, the CJEU recognizes the "right to be forgotten". The data controller, like Google may need to remove data that originally was published lawfully, but which became with time "no longer necessary in the light of the purposes for which they were collected or processed. That is so in particular where they appear to be inadequate, irrelevant or no longer relevant, or excessive in relation to those purposes and in the light of the time that has elapsed." (Par. 93)

For the applicability of the Directive to Google's services, please read the judgment further (replies to question 1) where the CJEU debates the matter of, among others, establishment's definition. (Par. 45-61)

This is an interesting decision that might lead to some practical difficulties in its application. Imagine that consumers start now asking Google to remove various links leading to websites containing information about them en masse. How long would Google have to react to these requests/demands, when would it be able to refuse to remove a link from a search engine (who decides whether the content on that website was lawfully published or stopped being relevant etc.?), etc?