When the European Union's highest court, the European Court of Justice, handed down a controversial landmark ruling in a matter commonly referred to as the “right to be forgotten” case, it sent ripples that impact online privacy in the United States. The core of the case concerns the obligations of search engine operators under the EU Data Protection Directive. But at a wider level, the ruling's ramifications go beyond the EU, as it imposes extra-territorial privacy obligations on U.S. businesses. Counsel for e-commerce organizations therefore need to be aware of the legal compliance impact that it may have on U.S. businesses.
Background
The background to the case is straightforward enough. In 2010, a complaint was lodged by a Spanish national, Mario Costeja González, with the Agencia Española de Protección de Datos (“the Spanish Data Protection Agency”) against La Vanguardia Ediciones SL (“La Vanguardia”), a Spanish newspaper publisher, and two companies, Google Spain and Google Inc. Costeja González was unhappy that when Internet users entered his name into the Google search engine, the list of results would display links to two pages of La Vanguardia dated January and March 1998. Those particular two pages contained an announcement for a real-estate auction organized following attachment proceedings for the recovery of social security debts owed by Costeja González. According to Costeja González, these proceedings had been fully resolved a number of years ago and so reference to them was now consequently entirely irrelevant.
Costeja González made two requests in his complaint. The first was that La Vanguardia either remove or alter the pages in question, so that personal data relating to him would no longer appear, or use certain tools made available by search engines in order to protect the data. The second was that either Google Spain or Google Inc. remove or conceal the personal data relating to him, so that it would no longer appear in the search results and in the links to La Vanguardia.
The Spanish Data Protection Agency rejected the complaint against La Vanguardia, on the basis that the information had been lawfully published by the latter. But, the Agency upheld the complaint against the two Google companies, and accordingly requested the companies to, in effect, remove the data in question and to make future access to the data impossible.
In response, the Google companies brought actions against the Agency's ruling in the Spanish High Court which then referred the matter under the EU's so-called preliminary ruling procedure to the European Court (based in Luxembourg) for interpretation of certain provisions of the EU's 1995 Data Protection Directive in order for the Spanish court to be able to resolve the dispute at hand.
Processing
The European Court ruled that the nature of the activities of a search engine qualify it as “processing” personal data under the EU Data Protection Directive. By searching automatically, constantly and systematically for information published on the Internet, the operator of a search engine is considered under the Directive as collecting data. The operator, within the framework of its indexing programs, retrieves, records and organizes the data in question, which it then stores on its servers, which, where applicable, it discloses and makes available to its users in the form of lists of results. Those operations are to be considered as “processing” under the Directive, regardless of the fact that the operator of the search engine carries them out indistinctively in respect of information other than the personal data, even where the operations exclusively concern material that has already been published as it is in the media.
Controller
According to the European Court, because a search engine operator determines the means and purposes of the above-mentioned “processing,” it qualifies as a “controller” of the “processing” under the EU Data Protection Directive.
Extra-Territorial Jurisdiction
The European Court ruled that the EU Data Protection Directive has extra-territorial jurisdiction application where the above-mentioned “processing” is carried out in the context of the activities of an EU-located branch or subsidiary of a business. Google Spain is a subsidiary of Google Inc. on Spanish territory and, therefore, according to the Court, an “establishment” under the Directive. Where data are “processed” for the purposes of a search engine operated by a business which, although it has its seat in a non-EU Member State, has an “establishment” (branch or subsidiary) in a Member State, the “processing” is carried out in the context of the activities of that “establishment,” under the Directive: 1) if the “establishment” is intended to promote and sell, in the Member State in question, advertising space offered by the search engine; and 2) orientates its activity toward the inhabitants of that Member State, in order to make the service offered by the engine profitable.
Right to Be Forgotten
According to the European Court, when requested to do so, a search engine operator must remove links to Web pages that are published by third parties and contain information relating to a person from the list of results displayed following a search made on the basis of that person's name. This obligation also applies where the name, or information, in question, is not erased beforehand or simultaneously from those Web pages, and even when its publication in itself on those pages is lawful. Public interest might override this concerning public figures, depending on the circumstances at hand.
Further, aggrieved individuals may make their requests directly to the search engine operators. But, it must be emphasized, this newly interpreted “right to be forgotten” exists within the context of EU Data Protection Directive criteria, i.e., where the information in question is, in particular, inadequate, irrelevant or outdated. In that case, a request can be made to have a link removed from future search results. The “right to be forgotten” is therefore not absolute, but qualified to these types of circumstances.
Legal Effect of Ruling
European Court preliminary rulings are not appealable. Although technically speaking the ruling only legally binds the (Spanish) court that referred the case, the ruling has in effect the character of precedent on other EU Member State courts, without prejudice to the right of those courts to make requests for preliminary rulings on the interpretation of the Data Protection Directive.
Reaction
The ruling has met with criticism and raised a number of issues. The ruling itself does not accord with certain aspects of the earlier official Opinion of the European Court's Advocate General (who makes preliminary recommendations, but which are not binding on the Court) whose approach was more subtle and convincing concerning the key issues of data “controlling” and the right to be forgotten balanced against the freedom of expression and information. Criticism from the U.S. has understandably focused on this latter issue in what is seen as a legal culture clash of the trumping of (EU) privacy over the (U.S.) right to free speech. The technical-logistical challenges of deleting data and the consequent financial costs are inevitable issues. The extent of the role of search engine operators operating as quasi-censors or arbiters in deciding what is in the public interest and who is a public figure has been questioned. Whether the ruling will restrict the efforts of law enforcement investigations also raises concerns.
Next Steps
As can be imagined, immediately following the ruling there has been a deluge of so-called take-down (removal) requests made by individuals, principally to search engine operators but also to data protection regulators.
The most immediate next step was therefore Google's response, which was to put online a form allowing for search engine users to request the removal of, what Google has summarized as the Court's ruling, “results for queries that include their name where those results are inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed.” Requests must be supported by valid ID, a URL for each link to be removed, and the appropriate justification for removal.
The evaluation of requests will consider whether results include outdated information or public interest in the information such as with regard to “financial scams, professional malpractice, criminal convictions, or public conduct of government officials.” Information will not of course be totally removed online as it will always remain on the website in question; it will just be more difficult to find as it won't come up on search engine results.
Because the form requires proof of identity to be provided this has itself raised privacy concerns with regard to the “processing” of the personal data contained in the identification. It could well be that the form itself is open to challenge by national data protection regulators. The UK's Information Commissioner's Office (ICO) had recently said in the context of subject access requests that the recipient of a request cannot insist on its own form being used to the exclusion of any other valid form of request.
The Hamburg data protection commissioner (Germany has a local not national system for most data protection regulation), Johannes Caspar, has also criticized Google's form and the level of personal information it seeks on the basis that Google must only ask for personal data that is absolutely required for the purpose of verifying the individuals' identity and that other details should be redacted. Caspar also suggested that Google may cause more privacy issues with its new procedure by not being clear how long it would hold the new data before deleting the information.
Some national data protection regulators in the EU, like the ICO, have also publicly stated that they are giving search engines a period of grace to put in place systems to deal with take-down requests and that following this, their focus will be on cases “linked to clear evidence of damage and distress to individuals.”
New EU Data Protection Rules
The European Court's ruling strengthens the hand of those in the EU backing “the right to be forgotten” under new proposed legislation. At the time that the EU Data Protection Directive was first proposed in 1990, the Internet and search engines were at a rudimentary stage of development and popularity. By 1995, when the directive was finalized, it did not really envisage the extent to which the use of the Internet and the activities of search engines would fall under its scope. Bringing data protection up-to-date is therefore one of the aims of proposed new EU data protection rules, in the form of an EU Regulation put forward by the European Commission.
As reported by one of these authors in the July 2014 edition of this newsletter (article available at http://bit.ly/1umDSPc), the EU is currently at an important stage in the process of overhauling the EU data protection rules, although final implementation might not be until 2016. In particular, the proposed Regulation contains a specifically set-out (qualified but not absolute) “right-to-be-forgotten” provision. Under this, a person will have the right to have his or her data erased when there are no legitimate grounds for the data to be retained, as long as this does not encroach on the freedom of expression and information.
In addition, not only will the proposed new Regulation apply where either a data-controller or processor, or, “data subject” (an identified or identifiable person to whom specific personal data relates) are based in the EU, but, in addition, the rules will also apply to businesses based outside the EU where they process data of EU residents who are offered goods or services; this extra-territorial reach has been very specifically spelled out. This all has to be put into the context of another aspect of the proposed new Regulation, which empowers data protection authorities to fine businesses that infringe the data protection rules (specifically including the “right to be forgotten”) up to Euro 1 million or up to 2% of the global annual turnover of a business, whichever is the greater. These figures may be higher in the final version of the new rules.
The European Commission is of the view that the recent European Court ruling has vindicated the Commission's inclusion of the “right to be forgotten” in the new proposed Regulation, and has gone so far as to issue its own fact sheet on the ruling, concluding that the ruling makes the adoption of new EU data protection rules “more, not less, urgent.” This said, not everyone has been comfortable with “the right to be forgotten,” including persons at high political levels in some EU Member States. Therefore, its legislative introduction is not necessarily a foregone conclusion. Ironically the judge-led introduction of the “right to be forgotten” comes at a time when the Commission's proposed statutory “right to be forgotten” seemed to be losing some of its momentum.
Compliance Considerations
Corporate counsel will rightly be asking themselves at this stage how this ruling affects their business, especially as there is no equivalent “right to be forgotten” in the U.S., and the new EU law has yet to be finalized.
The outcome of the ruling is that individuals based in the EU have a stronger right and ability to control the dissemination of public information about them, which they can now in effect exercise extra-territorially and over a wider category of organization controlling data.
If your business is a search engine (with an EU connection) it will therefore clearly be directly affected and the most immediate practical consideration will be to develop solutions to removing links. The ruling has already, however, had a much wider impact than search engine businesses. For other businesses, maybe at a different point in the supply chain, there may be an issue as to whether for certain of their activities they could now be considered as data controllers who are processing data on people in the EU. They could also now be subject to EU data protection laws including the new “right to be forgotten.”
From another perspective, if your company is making a search, for example, in the context of due diligence (with an EU aspect), there is now a distinct possibility that the search results may not be as complete as would be expected. In other words, if links have been deleted following the granting of take-down requests (which may be extensive if a search engine decides to play things as cautiously as possible) all the information expected to be captured in a due diligence exercise might not be there.
One area of particular concern here given the higher profile now given to corruption and bribery issues, is whether it will be more difficult to trace all the relevant information in this high-risk area. Legislation in Europe like the UK Bribery Act 2010 has seen an increased focus on due diligence in a commercial setting and some sectors like financial services have seen increased regulatory activity in this area of their business. One solution would be to undertake more in-depth due diligence where appropriate in order to ensure compliance, but this will likely be more resource-intensive and costly.
Another speculative issue is whether at a later stage, the ruling could be extended (through a further preliminary ruling process) to going beyond removing a link to the information, and widened to include the information itself. The current ruling has ruled this possibility out, but this does not mean that in certain particular circumstances (as yet unforeseen) removing the information might have to be undertaken. In the meantime, certain individuals might try this now anyway, as Costeja González did in the case itself.
By way of general legal risk reduction, this ruling is also a timely reminder of the need for any business to refresh its official data retention and destruction policies and check on what information the business retains and what it should delete where no longer needed.
And as a final ironic reflection, if you don't want to be forgotten, type into Google the surnames Costeja González.
André Bywater and Jonathan Armstrong, a member of the Board of Editors of our sister newsletter, The Corporate Counselor, are commercial lawyers with Cordery Compliance in London, where they focus on regulatory compliance, processes and investigations. They can be reached at [email protected] and [email protected], respectively.