No Right To Be Forgotten says the EU’s Advocate General
On 25 June, Advocate General Jääskinen issued his Opinion in Case C-131/12 (Google Spain SL and Google Inc. vs Agencia Española de Protección de Datos (AEPD) and Mario Costeja González).
The Advocate General’s opinion, which precedes the final judgment of the Court of Justice of the European Union, analyzes important questions about the balance between freedom of expression and the right to privacy, and about whether search engine providers can be held responsible for personal data on web pages they serve up. CDT supports the Advocate General’s conclusions on both questions. The Advocate General argues that a broad right to eliminate all unwanted personal information would cause unacceptable if unintended damage to freedom of expression, and that search engines cannot be held responsible for personal data contained in search results.
The background in brief: In 2009, a Spanish citizen, Mario Costeja González, contacted a Spanish newspaper requesting deletion of articles dating from 1998 about a forced sale of real estate, brought about by his social security debts. These articles, also available in the newspapers’ online version, came up in Internet searches on his name. He argued that the social security debt issues had been resolved long ago and were no longer relevant – the accuracy of the reporting was never in question. The newspaper refused the request, arguing that the publication of information on such transactions was obligatory under the law. Mr González then made a request to Google’s Spanish subsidiary, which forwarded the request to Google Inc., considering that the parent company was the entity providing the service. Mr González also filed a complaint with the Spanish Data Protection Authority (AEDP). AEDP upheld the complaint against Google, requesting withdrawal of the relevant data from its index, but requested no action on the part of the newspaper publisher. Google appealed the AEDP’s decision to the Spanish National High Court (Audiencia Nacional), which, faced with fundamental questions on interpretation of European law, referred a series of questions to the Court of Justice of the European Union (CJEU).
The questions put before the CJEU were in three categories: First, the Court asked whether EU data protection law (the 1995 Data Protection Directive – and the Spanish 1990) applied to the processing of personal data in question. Second, the Court asks whether a search engine can be considered a data controller in the meaning of the 1995 Directive in regard to personal data appearing on the web pages to which it directs searches. Finally, the Court asks whether the 1995 Directive’s right to erasure and to object effectively constitute a right to be forgotten and extend such a right to content published legitimately.
First, on the Right To Be Forgotten: The Advocate General concludes that current EU data protection law does not establish a right to be forgotten. He addresses the question whether the rights to erasure and blocking of data set out in Article 12(b) and the right to object to processing of data in Article 14(a) extend to the case before the Court. He finds that, as it cannot be argued that the disputed published information is either inaccurate or incomplete, the rights set out in these articles cannot be invoked.
The Advocate General goes on to examine whether a general right to be forgotten can be based on Articles 7 and 8 of the 2010 Charter of Fundamental Rights of the European Union, guaranteeing rights to private life and protection of personal data. He finds that the Charter does not add new substantive rights, but restates principles already laid down in European law. Further, he argues that while the processing of personal data involved in this case does constitute interference with the rights in Article 7 and 8, this interference is both based on law and necessary in a democratic society, as set out in the European Convention of Human Rights (ECHR). He addresses the core question head on: how should European courts adjudicate between the right to privacy and to free expression? In his examination, he delivers a strong defense of the fundamental freedom of expression, and sets out in compelling terms why it would be so costly to free and democratic societies to accommodate requests to remove legitimate and accurate information from the public domain, for no other reason than someone’s desire not to have that information available. There are cases in which it is reasonable to ensure that information is removed, but it is important that such exceptions are carefully defined and delineated. In our recent paper on this issue, we provide our view on how, in the proposed Data Protection Regulation, this can be done.
Second, in his analysis of the second set of questions, the Advocate General determines that an Internet search engine provider cannot be considered responsible for personal data on the web pages to which it directs, and that it cannot be considered to be a data controller in the meaning of the 1995 Directive. He does not dispute whether in the course of Internet search, personal data is processed; it is. But he concludes that merely locating information on the Internet cannot entail the responsibilities and obligations laid out in Articles 6-8 of the Directive. He also links the principle of limited liability for search engines acting as intermediaries to the free expression issue. He rightly cautions against leaving the task of balancing the competing rights to privacy and free expression to search engine providers and other intermediaries on a case-by-case basis. Such notice and takedown procedures would lead to automatic removal of objected content and disputed links – with obvious and serious consequences for free expression and access to information. CDT has written extensively on the crucial importance of protecting intermediaries from liability for content placed on their platforms or transmitted through their networks. Such protection from liability is fundamental to maintaining the open and free Internet.
Finally, on the question of territorial applicability of Spanish data protection legislation: The Advocate General does not accept Google’s argument that its Spanish subsidiary is not involved in the provision of search engine services, and that as a result Spanish and European data protection law does not apply. This may be true based on the definition of ‘establishment’ in Article 4.1 of the 1995 Directive. But, argues the Advocate General, it is necessary to look at the business model of search engine services. The economic raison d’etre of search engine provision is advertising, and advertising requires presence in the country. In CDT’s view, this conclusion seems appropriate. Internet transactions involving transfers and processing of data in multiple countries create complex jurisdictional issues, and it is clearly problematic from a data protection perspective if regulators are unable to enforce protections under the law in which the data subject in question resides.
However, we think those data protection rules need to be reasonably scoped, and carefully balanced against free expression rights. We agree with the Advocate General that privacy rules should not give data subjects the automatic rights to eliminate all unwanted factual information about them, and we support his robust arguments against imposing responsibility on search engines for personal data contained in search results. We are hopeful that the Court of Justice will follow these recommendations.