Forget that you ever knew me

In May 2014, the Court of Justice of the European Union ruled that individuals in the EU have the right to request that search engines delete their personal data from internet search results, in certain circumstances: Google Spain SL, Google Inc v Agencia Espanola de Proteccion de Datos, Mario Costeja Gonzalez (Case C-131/12). This right derives from the EU’s Data Protection Directive 95/46/EC (“DPD”), and has been termed the “right to be forgotten”.

Gonzalez sought to have historic newspaper announcements relating to an auction of his house to meet social security debts removed from Google search results against his name. He also sought to have the announcements deleted from the newspaper website, but the Spanish courts refused this. They referred to the CJEU a number of questions relating to the applicability of the DPD to Google’s internet search results.

The CJEU decided four key issues:

Was there “processing” by a data “controller” ?

Google argued that its search engine activities were not “processing” of personal data, since search engines process all information on the internet without differentiating between personal data and other information.

The CJEU disagreed. It noted that in exploring the internet automatically, constantly and systematically to search the information, a search engine operator “collects, retrieves, records, organises, stores, discloses and makes available” data so that it eventually forms a list of search results. These activities fell within the DPD definition of “processing”.

Google also argued it was not a “data controller”. The CJEU rejected this. “Data controller” must be defined broadly in order to give effective data protection to subjects. Google determined the purposes and means of its own processing, so was the “controller”. Google’s processing was in addition to the website publishers’ processing, and played a key role in the overall dissemination of the information. Search results provide a structured overview of online information about a person, enabling a detailed profile to be built up. Thus the search engine’s activities could fundamentally affect the data subject’s rights to privacy and the protection of personal data.

Does the DPD apply to a US company?

Article 4(1)(a) DPD states that member states must apply the DPD to “processing… carried out in the context of the activities of an establishment of the controller” in EU territory.

Google argued that Google Inc carried out all search activities, so the data processing was carried out in California. Its subsidiary, Google Spain, only carried out advertising activities.

The CJEU disagreed. Google Spain was an establishment of Google Inc. Google Spain’s activities were intended to promote the search engine’s advertising space, which made the search activities profitable. Google Inc’s search activities enabled Google Spain’s activities to be performed. The two companies’ activities were “intrinsically linked”, and the DPD applied to Google Inc’s search activities.

When must search engines remove data?

The CJEU confirmed that article 12(b) DPD allows individuals to seek deletion of their personal data from search engine results, not only where it is inaccurate or incomplete, but where it has been processed in contravention of any other processing ground in the DPD. Also, article 14(a) allows the data subject to object to data processing where there are “compelling legitimate grounds” to do so.

It stated that data is unlawfully processed when it conflicts with the data processing principles set out in article 6 DPD, i.e. when it is:

• inadequate, irrelevant or excessive in relation to the purposes of the processing
• inaccurate or not kept up to date; or
• kept for longer than is necessary unless required to be kept for historical, statistical or scientific purposes.

The data subject has a right to protection of his or her personal data and can object to any data processing that conflicts with these requirements. Data subjects also have a right to privacy, and personal data processing can be objected to on this ground also.

Is there a “right to be forgotten”?

On the basis of the principles outlined above, the CJEU decided that individuals could request that information be deleted from internet search results. It noted that it was possible for the continued processing of data which was initially processed lawfully to become unlawful, on the basis that, for example, the data was now out of date or irrelevant. In deciding whether personal data should be removed, the search engine must weigh up: (i) the legitimate economic interests of the search engine operator in providing thorough search results; (ii) the interests of internet users in receiving and using the information; and (iii) the rights of the data subject to protection of his or her personal data, and to privacy.

The CJEU held that as a general rule, the data subject’s rights will override the interests of the search engine operator and those of internet users generally. However, that would not be the case if, having regard to particular reasons such as the data subject’s role as a public figure, their rights would be outweighed by the public interest in having access to the information. This suggests that search engines will have to comply with requests for removal of information, unless exceptional circumstances apply.

The result is that individuals can request search engine operators to remove old information that is stored and appears in searches on the basis that it is out of date and/or irrelevant, and thus be “forgotten”. In deciding this, the court placed a heavy emphasis on the impact of the internet, and search results, on an individual’s private life. A search engine collects a variety of information on a subject and displays it in one place, making the data more accessible than if it merely remained on a publisher’s website or archives. Thus, the publisher of the information may be entitled to keep the personal data on its website even if the website entry can no longer appear in search results, due to the comparatively lesser impact of continued publication there.

What happens now?

The judgment cannot be appealed further. It obviously has significant consequences for search engines and website publishers.

Google has set up an online form by which individuals can request the removal of data from search results. Google makes a decision based on the balancing exercise identified by the CJEU. By the beginning of June, Google had received more than 41,000 requests, many of which concerned search results relating to serious crimes committed by individuals. Bing has announced that it is setting up a similar system.

The DPD is implemented into UK law by the Data Protection Act 1998 (“DPA”). In particular, s 14 allows a court to order rectification, blocking, erasure and destruction, but only of inaccurate data and not expressly of data falling into the broader categories identified by the CJEU. That said, the data processing principles set out in article 6 DPD and relied on by the CJEU in this part of the judgment are contained in sched 1 DPA.

Section 3 of the European Communities Act 1972 will require the UK courts to interpret s 14 in light of this judgment. Assuming the courts do so, an individual could request rectification, blocking, erasure and destruction of data, the continued processing of which breaches one of the broad data processing principles set out in sched 1 DPA.

However, the judgment leaves open a number of questions likely to be the subject of further litigation, including:

• Does the DPD apply to a search engine operator which does not have an “establishment” in the EU?
• When exactly does data become “irrelevant”, and by what standard is relevance determined? When is data “out of date”?
• What constitutes “excessive” processing by search engines? Does the number of search results on a page matter? How is the impact and reach of search results on individuals to be measured?
• Is it appropriate for search engines to make the initial decision as to whether search results should be removed? Would it be more appropriate for the balancing test to be carried out by an independent third party such as the Information Commissioner’s Office?
• What remedies might an individual have if he or she considered that the search engine had not appropriately handled a request for removal?

Potential implications for businesses

The implications for businesses will not be fully known until we see how this judgment will be applied by UK courts. All search engine operators with establishments in the EU are likely now to provide a means for individuals to apply to have data deleted.

Of course, the obligations in the DPA apply to all other providers of online information who are data controllers, including newspapers and sites such as Wikipedia. This means that the “right to be forgotten” has implications for them also. However, as noted above, the balancing test may have different implications for individual publishers than search engines. Also, if the original publishing was “solely for journalistic purposes”, it will fall within the derogation in article 9 DPD.

With so many unanswered questions to be addressed, it is certain that we have not heard the last of the “right to be forgotten”.