In its judgment published on 13 May in the case C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez, the Court of Justice of the European Union (CJEU), Grand Chamber, recognized a “right to be forgotten” with regard to Internet search engine results. Unfortunately, the judgment has important international implications that the Court did not sufficiently consider. In this post, I will put aside the issues of EU data protection law that the judgment raises, and focus instead on its implications for the rights of individuals to use the Internet as a global communications medium. It is important to note that application of the judgment extends beyond particular search engine providers to include any “provider of content which consists in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference” (paragraph 21), which could include Internet archives, social media, news crawler services, and many other types of online services.
The plaintiff in the case complained to the Spanish Data Protection Agency (DPA) against a Spanish newspaper and Google, stating that a Google search brought up a link to the newspaper containing irrelevant information about him, and requesting that the newspaper be required to remove or alter the pages and that Google be required to remove the data from the search results. The DPA found against Google, which then appealed to the Spanish Audiencia Nacional (National High Court). The Spanish court referred the case to the CJEU. On June 25, 2013, Advocate-General Jääskinen recommended that the Court find that it had jurisdiction over Google; that in its role as a search engine provider, Google was a data processor rather than a controller; and that the EU Data Protection Directive 95/46 does not contain a right to be forgotten that could entitle the plaintiff to have his data deleted from search engine results.
In its judgment, the Court differed in several important points from the Advocate-General’s opinion, and reached the following conclusions:
–Google’s branches in the EU are subject to the national data protection law of the EU member states where they are located, since they are “inextricably linked” to the activities of the Google headquarters in the US by virtue of Google Spain selling advertising space on the search engine provided by Google Inc, even if the actual processing is carried out in the US (paragraphs 42-60).
–Search engines are “data controllers” and as such are independently responsible for the personal data they retrieve, store, and display from websites (paragraphs 21-41).
–Under the Directive, there exists a limited right to have search engines delete material from search results (i.e., a “right to be forgotten”), regardless of whether the material indexed was posted legally or whether it is accurate (paragraphs 62-99).
–Exercise of this right must respect a “fair balance” between the fundamental rights of individuals to delete links and the interest of others in having access to such information (paragraph 81). The rights of the individual should “override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject’s name”, though the individual’s rights should not take precedence if factors such as “the role played by the data subject in public life” would justify an interference with them (paragraph 97).
The Court’s analysis of the fundamental rights issues at stake is an example of what Gráinne de Búrca has called (at p. 184) the CJEU’s “self-referential and detached style of judgment” that is “largely unconcerned about the external impact and influence of its rulings”, and that often fails to consider relevant materials from other jurisdictions. The Court emphasizes the right of individuals to remove their personal data from the results generated by search engines, but barely mentions the right to freedom of expression, and never refers at all to Article 11 of the Charter of Fundamental Rights. It also states (paragraph 81) that the right to data protection generally overrides the interest of the general public in finding information relating to a data subject’s name, while at the same time stating that the balance between the two must depend on the specific case at issue. The judgment requires data controllers, data protection authorities, and courts to strike a “fair balance” between these rights (paragraph 81), but gives almost no criteria for doing so.
The judgment also seems inward-looking, and represents a step backwards from the Court’s Lindqvist judgment of 2003, where it considered the implications for the Internet when interpreting the transborder data transfer restrictions of Article 25 of the EU Data Protection Directive (see paragraph 69 of that judgment). Advocate-General Jääskinen had recognized the implications of the case for the global Internet and the need to strike “a correct, reasonable and proportionate balance between the protection of personal data, the coherent interpretation of the objectives of the information society and legitimate interests of economic operators and internet users at large” (paragraph 31 of his opinion), an approach that the Court rejected. Strikingly, the judgment does not mention even once the European Convention on Human Rights or the jurisprudence of the European Court of Human Rights in its reasoning. Since the Court seems to base its decision on what it views as the special data protection risks posed by Internet search engines (paragraphs 36-38 and 80), it establishes in effect a different regime for application of the right to be forgotten in the online world than applies offline. In this respect, the judgment would have benefited from a reference to the resolution of the UN Human Rights Council passed on 29 June 2012 that the rights to freedom of expression and to cross-border communication must apply in both worlds.
The judgment also raises important issues for determining the territorial extent of data protection rights. Much attention is now rightly being paid to the extension of privacy rights to extraterritorial intelligence surveillance online. But, as I have argued in this blog, determining the jurisdictional boundaries of online privacy rights is also important, in order to avoid unnecessary conflicts between legal systems. On its face, the judgment deals narrowly with the question of when an Internet service is established in the EU for jurisdictional purposes, but it opens the door to questions concerning the Directive’s territorial scope that are left unanswered. For example, does the right to be forgotten extend to search engines operating under .com and other domains that are not EU-specific? And could individuals in regions outside Europe exercise such right with regard to searches that they carry out on search engines that are subject to EU law? These are just a few of the issues that will require further examination.
The judgment has the potential to create a kind of “EU Internet” separate from the global Internet, with search results and other web content displayed differently in the EU from how they are in the rest of the world. This could adversely affect the right of EU individuals to receive information “regardless of frontiers” under Article 19 UDHR and Article 19 ICCPR.
In sum, while the Court’s determination to grant individuals greater control over the processing of their personal data is to be welcomed, it has insufficiently considered the global nature of the Internet, and failed to take into account the fundamental rights of Europeans to communicate across borders.