The ECJ’s ruling could affect not only search engines and EU organisations but also US ones with a presence in Europe
A few months after the publication of the ruling of the European Court of Justice (ECJ) on the so-called “right to be forgotten”, the debate it triggered is still “alive and kicking”. The objective of this article is to highlight that the ruling is not relevant only to search engines and to organisations based in the EU, but it can also potentially affect US-based organisations with a presence in Europe too.
By way of background, the case concerned a Spanish national who complained to Google about online newspaper reports it had indexed relating to debt recovery proceedings against him. When the individual’s name was entered into Google, it brought up search results linking to newspaper announcements about these proceedings. The proceedings in question dated back to 1998 and had long since been resolved. The matter escalated through the Spanish Data Protection Authority and the Spanish High Court, which referred various questions to the ECJ for a ruling.
The ruling is ground-breaking for many reasons.
First, it recognised that search engines are “controllers” of personal data. In practice, this means that, as controllers, they are subject to the European data protection legal regime.
Second, it establishes that an individual has the “right to be forgotten”, which is the focus of this article. This means that they have the right to have search results about them removed if these appear to be “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue”. To this end, the ECJ said it was not necessary to show that the list of results “causes prejudice to the data subject” and that the right of the individual to have results removed “override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name”.
Last, the ECJ held that the personal data processing operations carried out by a US entity that has an establishment in an EU member state may be considered to be carried out in the “context of the activities” of that establishment (so, effectively, within that European establishment). This is the case even when the US entity does not have any involvement in the processing of the personal data, if the activities of the EU establishment are “inextricably linked” with those of the US entity for the purpose of promoting and selling the service to which the personal data processing relates. In practice, this means that US-based businesses cannot shield themselves from EU data protection law simply by structuring their service so that it operates from the US if they have EU sales offices. It is not yet clear, however, whether European data protection regulators will implement these criteria to organisations in other sectors and with different business models to Google.
This is by no means an attempt to summarise all reactions since the ruling was issued; instead, our aim is to highlight some recent developments that we consider relevant for the purposes of this article.
What is Google doing?
Google has argued that it has moved quickly to comply with the ECJ decision on 13 May of this year, launching a webform on 30 May to process removals. In doing so, the company acknowledges that this process will change over time as data protection authorities and courts issue further guidance on the issue. The company has revealed that, as of 10 October, it had received more than 142,000 removal requests involving more than 490,000 URLs from Google search results. Google revealed that it has received the most removal requests from France, Germany, the UK, Spain and Italy respectively, with the top domains that appear in the URL-removal requests from individuals including Facebook, Badoo and two Google-operated sites, YouTube and Google Groups.
In addition to launching this formal process to complying with the ruling, Google announced the formation of an ‘Advisory Council’ in early summer, utilising external expertise from various privacy advocates, lawyers and ethics professors to work with Google on weighing the issues presented by the ruling. The search engine announced that the Council would start a series of public consultations in cities across Europe to gather views from a wide spectrum of experts on matters of law, technology and ethics and how they impinge on the right to be forgotten and the ECJ ruling. These consultations started in Madrid and Rome on 9 and 10 September respectively, followed by Paris on 25 September, Warsaw on 30 September, Berlin on 14 October, London on 16 October and Brussels on 4 November, whereupon the Council will produce a report on its findings, which is
scheduled to be published in early 2015.
The European Data Protection Authorities gear up
At the time of writing, precise details of the discussions of the meeting that took place between the Article 29 Working Party (WP29) and Google, Microsoft and Yahoo! are unknown.
A WP29 press release indicates that in addition to discussing the practical implementation of the ECJ ruling, the aim of the meeting was also to provide input on future WP29 guidelines on this issue, which are expected to be released in the autumn to ensure “a consistent handling of complaints by European data protection authorities facing requests lodged by individuals following delisting refusals by search engines” and also “frame the action of search engines ensuring the consistent and uniform implementation of the ruling”. The meeting addressed those questions sent to each party before the meeting took place and addressed the modalities of their delisting processes (for example, scope of application of the ruling, the notification of the delisting to third parties and the justifications for their refusal). It is understood that additional meetings have been organised, including with media companies in September.
It is clear therefore that European data protection authorities expect search engines to gear up for the thousands of requests they will receive and, at the same time, prepare themselves for similar waves of complaints from individuals.
This triggers at least two questions. First, a profound one about the effect of the ruling in the balancing of the right to privacy against the right to free speech; namely, are search engines to become not merely gateways to information on the web, but also, in some circumstances, the censors preventing access to information based on objections received?
The second question is a more practical one: is it fair to expect that search engines (and, potentially, any organisation subject to EU data protection law) are able to master the practical application of the “right to be forgotten” only weeks after the ruling was issued?
It is worth having a look at the very detailed set of questions that the WP29 put to search engines in July to realise that the WP29 expected them to have sophisticated procedures ready to be put in place.
One may find it difficult to sympathise with the internet giants that attended the WP29 meeting. However, smaller search engines and potentially other business will also need to spend considerable resources to get ready to deal with the requests from individuals. This was one of the points made by the UK’s House of Lords report, referred to in the next section.
The UK’s House of Lords
On 30 July, a UK House of Lords report that considered evidence from the UK Information Commissioner’s Office, the UK minister for justice and civil liberties and Google considered the ECJ decision ‘unworkable’.
Regardless of one’s opinion of the Lords’ report, the fact that such a ruling now attracts the attention of UK government departments and regulators indicates the importance that data privacy rights and obligations now have in society.
The political attention the ruling is receiving is at the core of the controversy that the reform of the European data protection framework has triggered. It is therefore not surprising that in one of her first statements after being appointed new EU justice commissioner, Martine Reicherts stated that criticisms to the right to be forgotten will not delay the progress of the reform of the European data protection legal framework in the form of the General Data Protection Regulation.
The bottom line: how does this affect you?
One may argue that the ruling has, in practice, brought forward the implementation of one of the most controversial rights of the forthcoming Regulation by finding that this right already exists under the Data Protection Directive (95/46/EC). The practical consequences of this are potentially significant.
The ruling establishes that Article 12(b) – regarding the right to request the erasure of personal data – and Article 14(a) – regarding the right to object to the processing of personal data – of the Directive provide valid legal bases for individuals to exercise their right to be forgotten. In theory, this effectively means that individuals will not have to wait until the Regulation comes into force to exercise this right.
Furthermore, if individuals can ask search engines to erase their data under the Directive, does this mean that they can do so to any organisation that is subject to European data protection law? As a result, will organisations find themselves receiving, and having to deal with, requests for deletion of data (which to date have been few and far between)? Given the high-profile nature of the ruling, we can assume that individuals will try to apply this right to be forgotten to organisations other than search engines.
The technical difficulty, though, is that the Directive does not apply directly to organisations, which are instead subject to the local laws of the EU member states that have transposed the Directive. In many countries, the transposition of the relevant articles of the current Directive provides individuals with much narrower rights than those established by the ruling. For example, in the UK, individuals can effectively request the deletion of their personal data only under limited circumstances. Consequently, a risk arises that organisations will be drawn into legalistic arguments over the direct application of the Directive.
Last, although this article has focused on the right to be forgotten, an equally important aspect of the ruling is the way in which the ECJ interpreted key aspects of the Directive (in particular the applicable law and establishment rules) with the result that a US entity was required to comply with EU law. A risk arises that EU courts and/or regulators will try to export EU data privacy rules in other cases.
The effect and exact scope of application of the outcome of the ruling is not entirely understood yet. What is certain is that the combined effect of potentially broadening the criteria under which European data protection law may apply to non-EU based organisations and the uncertainty about who is required to honour requests from individuals to exercise the “right to be forgotten” may potentially leave controllers in legal limbo until the Regulation is approved and, with it, the rules on applicable law and the right to be forgotten are clarified. In the meantime, we shall hope that promised guidance from WP29 will provide some answers.
Ironically, on a closing note, the high-profile nature of the ruling has also meant that the information relating to the Spanish national in question has become much more widely publicised (the so-called ‘Streisand effect’). As a consequence, far from being forgotten, his name and story will forever live on in the public consciousness and in articles such as this.