13 May 2014: CJEU judgment in Google Spain (C-131/12)
We have previously discussed the opinion of AG Jääskinenin the Google Spain case, where he argued that an online service provider like Google (providing search engine services) should not be considered to fall under the definition of a data controller, meaning that it would not be obliged to comply with the data protection requirements and control what data is revealed through its search results. (see No forgetting...) Interestingly, in today's judgment the CJEU takes a different stand on these issues.
"According to Google Spain and Google Inc., the
activity of search engines cannot be regarded as processing of the data
which appear on third parties’ web pages displayed in the list of
search results, given that search engines process all the information
available on the internet without effecting a selection between personal
data and other information. Furthermore, even if that activity must be
classified as ‘data processing’, the operator of a search engine cannot
be regarded as a ‘controller’ in respect of that processing since it has
no knowledge of those data and does not exercise control over the data." (Par 22)
While, Google Spain claimed that it should not be seen as either a data controller or a subject of data protection rules, the CJEU disagreed, mentioning that already previously loading of personal data on a website that was considered as falling under the data processing definition from the Data Protection Directive. (Par. 26)
"Therefore, it must be found that, in exploring
the internet automatically, constantly and systematically in search of
the information which is published there, the operator of a search
engine ‘collects’ such data which it subsequently ‘retrieves’, ‘records’
and ‘organises’ within the framework of its indexing programmes,
‘stores’ on its servers and, as the case may be, ‘discloses’ and ‘makes
available’ to its users in the form of lists of search results. As those
operations are referred to expressly and unconditionally in
Article 2(b) of Directive 95/46, they must be classified as ‘processing’
within the meaning of that provision, regardless of the fact that the
operator of the search engine also carries out the same operations in
respect of other types of information and does not distinguish between
the latter and the personal data." (Par. 28)
This finding cannot be contradicted by a claim that personal data has already been published somewhere else online and not changed by the search engine. (Par. 29, 31) Moreover, since the definition of data controller in the Directive should be broadly understood, the fact that Google may not have control over what's posted on other websites doesn't exclude it from under this definition. (Par. 33-37)
The CJEU also reminds the need to protect both private life and personal data, since these are among the fundamental rights mentioned in the Chapter. (Par. 69) While the data subject may request revision or removal of his personal data from the search engine's results, this request for data protection can clash with the freedom of expression and other people's right to information.
"In the light of the potential seriousness of
that interference, it is clear that it cannot be justified by merely the
economic interest which the operator of such an engine has in that
processing. However, inasmuch as the removal of links from the list of
results could, depending on the information at issue, have effects upon
the legitimate interest of internet users potentially interested in
having access to that information, in situations such as that at issue
in the main proceedings a fair balance should be sought in particular
between that interest and the data subject’s fundamental rights under
Articles 7 and 8 of the Charter. Whilst it is true that the data
subject’s rights protected by those articles also override, as a general
rule, that interest of internet users, that balance may however depend,
in specific cases, on the nature of the information in question and its
sensitivity for the data subject’s private life and on the interest of
the public in having that information, an interest which may vary, in
particular, according to the role played by the data subject in public
life." (Par. 81)
Keeping this in mind, the CJEU then decides that "the operator of a search engine is obliged to
remove from the list of results displayed following a search made on the
basis of a person’s name links to web pages, published by third parties
and containing information relating to that person, also in a case
where that name or information is not erased beforehand or
simultaneously from those web pages, and even, as the case may be, when
its publication in itself on those pages is lawful.". (Par. 88)
Finally, the CJEU recognizes the "right to be forgotten". The data controller, like Google may need to remove data that originally was published lawfully, but which became with time "no longer necessary in the light of the
purposes for which they were collected or processed. That is so in
particular where they appear to be inadequate, irrelevant or no longer
relevant, or excessive in relation to those purposes and in the light of
the time that has elapsed." (Par. 93)
For the applicability of the Directive to Google's services, please read the judgment further (replies to question 1) where the CJEU debates the matter of, among others, establishment's definition. (Par. 45-61)
This is an interesting decision that might lead to some practical difficulties in its application. Imagine that consumers start now asking Google to remove various links leading to websites containing information about them en masse. How long would Google have to react to these requests/demands, when would it be able to refuse to remove a link from a search engine (who decides whether the content on that website was lawfully published or stopped being relevant etc.?), etc?
This is an interesting decision that might lead to some practical difficulties in its application. Imagine that consumers start now asking Google to remove various links leading to websites containing information about them en masse. How long would Google have to react to these requests/demands, when would it be able to refuse to remove a link from a search engine (who decides whether the content on that website was lawfully published or stopped being relevant etc.?), etc?
