Senior Attorney Rosemary Jay reports from London:
On June 25, 2013, Advocate-General Jääskinen of the European Court of Justice (“ECJ”) delivered his Opinion in Google Spain S.L. and Google Inc. v Agencia Española de Protección de Datos (Case C-131/12, “Google v AEPD” or the “case”).
The case concerns Google Search results, and whether individuals have a right to erasure of search result links about them. The Opinion concludes that under current law, individuals have no such right. The European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”) would introduce a right to be forgotten. However, this Opinion appears to demonstrate unease with the basic concept of such a right.
Background to the Case
Google v AEPD concerns information including the name of an individual which had been published in a Spanish newspaper. The information related to sales of property arising from social security debts and was lawfully published by order of the relevant Ministry. An electronic version of the paper was made available by the newspaper. Searches against the name of the individual made over a decade later continued to deliver this information about the individual. The individual sought to have the material erased by the newspaper, however, he was unsuccessful as the Spanish data protection authority (Agencia Española de Protección de Datos or “AEPD”) held that the material was lawfully published and declined to order removal. The newspaper also refused to restrict the indexing of the page, so it continued to be available to search engines. However, the AEPD ordered Google Spain S.L. and Google Inc. (“Google”) to withdraw links to the information from the search engine index so it could not be accessed on a search.
Google appealed on the basis that: (1) Google Inc., as the provider of the search engine, was not within the scope of the EU Data Protection Directive (Directive 95/46/EC, the “Directive”); and, Google Spain, its local subsidiary, was not responsible for the search engine (although it promoted advertising on the service); (2) there was no processing of personal data in the search function; (3) even if there was processing, neither Google entity could be regarded as a data controller; and, (4) in any event, the data subject had no general right to the removal of lawfully published material.
Referral to the ECJ
The Spanish national court referred three main questions to the ECJ:
- whether the activities of the Google Inc. and the Spanish subsidiary brought the search engine within the territorial scope of the Directive;
- if so, whether the activity of the search engine in collecting, caching, indexing and retrieving data constituted “processing” under the Directive, for which the search engine would be the data controller; and,
- if so, whether the individual could invoke rights under the Directive to seek erasure or object to processing to have the data removed.
The answers were yes to the first question; yes, but only in part, to the second; and a resounding no to the final question.
Opinion of the ECJ Advocate-General
In terms of the application of the Directive and national law, the answers to the first two questions are both instructive and interesting. In terms of the current proposals from the EU (in particular, the Proposed Regulation), the answer to the final question indicates a deep unease with the concept of the right to be forgotten.
On the question of establishment, the Advocate-General rejected any notion that an organization could fall under the Directive on the basis that it targets users or customers in the EU, and emphasized that there must be grounds to bring the activities within Article 4 of the Directive (on establishment). Interestingly, the Advocate-General refused to accept the division of responsibility for provision of the different aspects of the business as a basis for determining establishment under the Directive, stating that “an economic operator must be considered a single unit…[and] not be dissected on the basis of its individual activities related to processing of personal data…”
The Advocate-General held that Google’s search activities involve the processing of personal data, as they include carrying out activities that fall within the definition of “processing,” such as collecting, retrieving and manipulating. However, Google does not thereby become a data controller for the content of delivered search results. The Advocate-General held that Google is not a data controller with respect to the source material on third-party websites, nor cached copies of those source materials held by Google. In the view of the Advocate-General, a data controller must be aware of a defined category of data and process with some degree of intent in respect of that data in order to be a controller.
However, Advocate-General Jääskinen did regard Google as controlling the index of connections between keywords and URLs, Google’s processing of which is legitimate as long as the index is accurate and complete. As such, a data protection authority cannot require Google to remove material from its index unless the authority can show that there is some other breach of the data protection rules with respect to the index.
The Advocate-General also considered the broader rights that could apply under the Charter of Fundamental Rights of the European Union, and emphasized the important question of how the rights of the individual to respect for private life and the rights of others are to be balanced. Here the Opinion strongly favors the importance of freedom of expression and militates against any imposition of a right to be forgotten. stating: “This would entail sacrificing pivotal rights such as freedom of expression and information.”
Conclusions
The role of the Advocate-General is to write a reasoned and impartial opinion on cases which involve new law before the ECJ. While not the judgment of the ECJ, opinions of Advocates-General are, however, influential papers. The final judgment of the ECJ will therefore be eagerly awaited on all aspects.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code