By means of the recent judgment of the Court of Justice of the European Union (CJEU) in case C-131/12 (Google Spania SL., Google Inc. V. Agencia Española de Protección de Datos and Mario Costeja Gonzalez), CJEU stepped on the still undefined territory of personal data protection – the issue of applying the relevant European regulations for companies outside Europe carrying out their activity on-line. Furthermore, it is the first time when a European authority states, in an official deed, the right to be “deleted” from the Internet.
In short terms, a Spanish citizen lodged a complaint with the Spanish data protection authority (AEPD) against a Spanish newspaper and Google Inc. (Google) and Google Spain (subsidiary of Google, in charge of promoting advertising spaces displayed by the search engine Google Search), requesting the deletion of the links to the pages of the Spanish newspaper dated 1998, referring to the enforcement of a property of the claimant. The claimant deemed that keeping the information included in such links is irrelevant at this time, and affects its image. AEDP dismissed the complaint regarding the newspaper, which had the legal obligation to publish such enforcement ad, but admitted the count regarding Google Spain and Google. The latter appealed the decision of AEPD before the Spanish Supreme Court, which brought a preliminary claim before CJEU for the interpretation of the provisions of Directive 95/46/EC of the European Parliament and the Council dated 24 October 1995 on the protection of natural persons in relation to personal data processing and free movement of such data (Directive 95).
“Processing” personal data, according to Directive 95, refers to any operation performed over personal data, by automatic or non-automatic means. Thus, loading personal data on a website would involve such “processing”, even if Google Search does not make a distinction between personal data and other types of data and even if the search algorithm used does not alter the form in which the data is published on the website where it comes from. In addition, Google determines the scope of the processing and the means to process personal data, so it is a personal data operator.
Google’s argument that the activity of Google Spain has no direct connection with Google Search, Google beingthe entity which operates the search engine alone, was dismissed by CJEU. The court indicated that personal data processing must be performed “within the activities” of the headquarters located within the territory of the EU Member State and not directly by such headquarters. The activity of Google Spain of promotion and sale of advertising space offered by Google Search, serves directly to render the service offered by Google Search more efficient. It should be noted that CJEU has not replied also to the question whether the use of protocols for indexing the information on the websites located on the servers of a Member State is equivalent to “resorting to the means located within the territory of such Member State”, according to Directive 95.
Processing personal data such as the one performed by Google Search may result in affecting the prestige of the person concerned: searching for the name of a natural person, any user may sketch a profile of the person concerned, which would be hard to compile in the absence of the search engine.
This is where the most important aspect of the judgment appears, with an impact upon all companies active on-line, which process personal data by acting as intermediaries. The personal interest of each individual in this context prevails not only upon the economic interest of Google, but also upon the public interest of having access to certain information. Even if a balance has to be found between the three interests on a case-by-case basis, the only criterion offered by CJEU for such analysis is the role played by the person concerned in public life – normally we are more interested in the life of public persons.
In addition, no prejudice needs to be proven as a result of the display in results in order to exercise the right to oppose the processing. We should not forget that the interests behind such judgment are related to increasing individual control of personal data which concerns us, but a judicial civil procedure for indemnification may still be pursued even after the operator of the engine complies with the request to remove the personal data. In this case, it is necessary to prove the prejudice and then the courts shall be called to assess the actual damage as well as the lost benefit according to some criteria which are unclear at this moment.
The CJEU judgment anticipates a regulation of “the right to be forgotten”, which is part of the future Regulations on personal data processing, adopted in March 2014 by the European Parliament.
Google announced that, in a few hours from the publication of the CJEU judgment, it received thousands of requests to remove the links from the searches made by Google Search, and at the end of May 2014 it announced the implementation of a form to notice the requests for removal of the links, which may be filled in by the persons concerned.
Furthermore, the greatest obstacle to be faced by Google and other search engines is the collaboration with each personal data national supervisory authority out of the 28 Member States so as to be possible to align the settlement of the requests to the national legislations.
As the impact of the judgment of CJEU will spread (and without minimizing the potential of a giant such as Google to adapt underway), it is possible to see the development of alternative systems for data centralization or the creation of instruments for obtaining the agreement for a definite/indefinite period from the persons concerned with respect to data processing by indexation in the search engines.
But, for sure, the accuracy of the results of a Google search is, at least for now, doubtful. In addition, will we have different results depending on the place where we are at the time of searching on the Internet using a search engine? The first data protection authority which shall offer the first answers is the Spanish one, being now forced to implement the conclusions of CJEU in the judgment to be passed in the case regarding Google Spain.
Last but not least, CJEU judgment could be extrapolated for any on-line intermediary that processes personal data taken from public sources. Furthermore, in the sharp competition for finding a European “Silicon Valley”, it is possible that the investments into on-line companies to be hindered, since any presence on the territory of a Member State may place such company in the light of the European regulations concerning personal data protection. Thus, for instance, the cloud computing service providers – a type of service unrelated to hardware components to a high degree – located outside Europe, but which promote their services by means of representative offices located in one or several Member States, would be subject to such regulations; the more presences, the more rules to implement.
//This article was first published in the on-line edition of Ziarul Financiar, in Romanian, on 5 June 2014