Privacy & Information Security Law Blog

On May 13, 2014, the European Court of Justice (the “CJEU”) rendered its judgment in Google Spain S.L. and Google Inc. v Agencia Española de Protección de Datos (Case C-131/12, “Google v. AEPD” or the “case”). The case concerns a request made by a Spanish individual, Mr. Costeja, to the Spanish Data Protection Authority (Agencia Española de Protección de Datos or “AEPD”) to order the removal of certain links from Google’s search results. The links relate to an announcement in an online newspaper of a real estate auction for the recovery of Mr. Costeja’s social security debts. The information was lawfully published in 1998, but Mr. Costeja argued that the information had become irrelevant as the proceedings concerning him had been fully resolved for a number of years. The AEPD upheld the complaint and ordered Google Spain S.L. and Google Inc. (“Google”) to remove the links from their search results. Google appealed this decision before the Spanish High Court, which referred a series of questions to the ECJ for a preliminary ruling. The ECJ ruled as follows:

• The actions of search engine operators, in automatically collecting information from the Internet, storing and indexing that information, and displaying that information in search results, constitutes “processing” of personal data, within the meaning of the EU Data Protection Directive 95/46/EC (the “Directive”). The search engine operator is a “data controller,” within the meaning of the Directive, with respect to such processing.
• Where (1) a search engine operator located outside the EU has subsidiaries in one or more EU Member States, (2) those subsidiaries promote and sell advertising space offered by that search engine, and (3) the search engine directs its activities towards the inhabitants of those Member States (e.g., by providing a website with a local top-level domain and local language customizations), then that search engine operator is treated as being  “established” in those EU  Member States (within the meaning of Article 4(1)(a) of the Directive).
• The ECJ therefore considers that, although Google Inc. is a company registered in California, it is a data controller with  respect to its search services and is “established” in Spain “in the context of the activities” of Google Spain, because Google Spain promotes and sells advertising  services that are integrated into Google Search results, and such advertising is served on Google’s Spanish website (www.google.es).
• At the request of any individual, a search engine operator is required to consider, on a case-by-case basis, whether information that relates to that individual personally should no longer be displayed in the results of a search made on the basis of the individual’s name, particularly if the information is inadequate, irrelevant or excessive, in relation to the purposes for which the information is processed. This consideration should take into account all of the circumstances of the case, including the individual’s rights under  Articles 7 (respect for private and family life) and 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union.
• If, given the circumstances, the information is inadequate, irrelevant or excessive, then the search engine operator is obligated to remove, from the list of results displayed following a search made on the basis of that individual’s name, links to third party web pages containing that information (even when the original publication of the information on those third party web pages is lawful), unless there are particular reasons (such as the individual’s role in public life) that justify an overriding interest of the general public in having access to that information.