Explaining The CJEU's 'Right To Be Forgotten' Ruling

European Court of Justice

To read Privacy International's take on the ruling, go here.

What does the decision actually say?

The primary question that the Court was asked to consider was whether Google Search has obligations under the Data Protection Directive 1995, the EU legal framework regulating how public bodies and businesses deal with individuals’ personal data.

There were three primary issues at hand: the first was whether Google Inc., the international entity which operates Google Search, was under the responsibility of a “data controller” that is “established” in a Member State. Essentially, this was a question of whether Google Inc. was brought within EU jurisdiction by its relationship with Google Spain and whether Google Search had to abide by the rules in data protection law. The second issue was whether Google Inc. could be said to be “processing” data in the context of its relationship with Google Spain. Finally, the Court was asked to consider the extent of the responsibility of search engine operators in light of the previous two findings.

 

Is Google Inc subject to European privacy law?

The Court started by recognising that Google Search “does not merely give access to content hosted on” indexed websites - like news sites, Wikipedia, company websites etc - but rather ‘takes advantage of that activity and includes, in return for payment, advertising associated with the internet users’ search terms.”

The Court noted that Google Inc. relied on its subsidiary Google Spain for the sale of advertising space generated on Google, and that Google Inc. had designated Google Spain as the controller of data collected for the purpose of selling advertising services in Spain. Mr Gonzalez argued that it did not matter that Google Spain plays no role in indexing or storing data for the purposes of Google Search; it was sufficient that Google Spain sells advertising space that constitutes part of Google Inc’s commercial activity that is closely linked to Google Search. The Court agreed - it said that a search engine like Google, that has a local subsidiary operating within the EU, is processing data “in the context of the activities” of the subsidiary if the latter is promoting and selling advertising space offered by the search engine which serves to make the service offered by that engine profitable.

 

Does Google “process” data?

With regard to the second issue, the Court was unwavering in its stance that “the very display of personal data on a search results page constitutes processing of such data”. That being so, the Court said, the company cannot escape the obligations and guarantees laid down by data protection law. To do so “would compromise the directive’s effectiveness and the effective and complete protection of the fundamental rights and freedoms of natural persons which the directive seeks to ensure, in particular their right to privacy”.

 

What steps must Google take?

The Court ruled that the operator of a search engine must remove a link from a list of search results where a search is made on the basis of a person’s name. The individual must show that the data displayed by Google are inadequate, irrelevant or excessive in relation to purpose for which Google is processing the data, or is not kept up to date or is kept for longer than is necessary to be kept for historical statistical or scientific purposes (this is the exact language in data protection law)

Google argued before the court that they should not have to remove information from search results; instead, the publisher of the website concerned should be the recipient of any complaint. To require the operator of a search engine to withdraw information published on the internet from its indexes, Google maintained, would take insufficient account of the fundamental rights of publishers, internet users and the company itself.

In confronting this argument, the Court noted that the directive seeks to ensure a high level of protection of fundamental rights of individuals, particularly the right to privacy, and the provisions of the directive are to be interpreted in light of the rights outlined in the Charter of Fundamental Rights of the European Union, which includes explicit reference to both privacy and data protection rights. In order to make good on these protections, institutions must ensure all processing of personal data complies with the principles related to data quality set out in the directive, and be for a legitimate purpose.

Data protection law in the form of the European Union Directive on data protection stipulates that an individual who wishes to object on legitimate grounds to the processing of data relating to them can do so directly to data controller, who is obliged to examine the merits of the request and the processing of the data in question. If the controller does not grant the request, the individual may bring the matter before a supervisory authority, often a data protection or information commissioner.

The Court made the important declaration that the processing activities conducted by search engines like Google

affect significantly the fundamental rights to privacy and to the protection of personal data when the search by means of that engine is carried out on the basis of an individual’s name, since that processing enables any internet user to obtain through the list of results a structured overview of the information relating to that individual that can be found on the internet — information which potentially concerns a vast number of aspects of his private life and which, without the search engine, could not have been interconnected or could have been only with great difficulty — and thereby to establish a more or less detailed profile of him. Furthermore, the effect of the interference with those rights of the data subject is heightened on account of the important role played by the internet and search engines in modern society, which render the information contained in such a list of results ubiquitous. (para 80)

As a result, the Court said, such processing cannot be justified by merely the economic interest that Google has in providing search results and related advertising; rather, the Court recognised that indexing results on a search engine is an important activity to fulfill the rights of internet users to access information. In such circumstances, “a fair balance” should be sought between that interest and an individual’s right to privacy.

 

How should a fair balance be struck between individual’s right to privacy and the public interest in accessing information?

Here the CJEU declined to provide one overarching test for determining how privacy should be balanced against access to information, instead stating that the balance will have to be considered in each individual situation. The balance may depend, the Court said, “in specific cases, on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life.”

Here the Court made clear that the public interest in having access to certain information, particularly information pertaining to an individual who plays a role in public life, may outweigh any request to have a search result removed from Google Search. The Court rightly said that the public interest should be considered in each specific case. Whereas generally, the individual’s right to privacy overrides, “as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject’s name,” that is not the case when the individual plays a role in public life, in which case “the interference with his fundamental right is justified by the preponderant interest of the general public in having… access to the information in question.”

Following this reasoning, the Court said:

  • a data protection authority can order the operator of a search engine to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages published by third parties containing information relating to that person; 
  • the operators of search engines must ensure, within the framework of its responsibilities, powers and capabilities, that their processing activities meet the requirement of the directive;
  • they have a particular responsibility to do so because “the inclusion in the list of results, displayed following a search made on the basis of a person’s name, of a web page and of the information contained on it relating to that person makes access to that information appreciably easier for any internet user making a search in respect of the person concerned and may play a decisive role in the dissemination of that information, [and therefore] is liable to constitute a more significant interference with the data subject’s fundamental right to privacy than the publication on the web page” itself
  • the publishers of websites themselves should not be subject to a requirement to similarly remove information both because such a requirement would be unlikely to achieve the effective and complete protection of data users, and may in any event - when carried out ‘solely for journalistic purposes’ - be exempt from the directive.

In the end, after all the confusion, we can see that data protection law actually is concerned with the protection of journalism and free expression. But the law does not look favourably upon search engine companies.