Showing posts with label Internet.

Tuesday, 13 May 2014

The CJEU's Google Spain judgment: failing to balance privacy and freedom of expression



By Steve Peers

The EU’s data protection Directive was adopted in 1995, when the Internet was in its infancy, and most or all Internet household names did not exist. In particular, the first version of the code for Google’s search engine was written the following year, and the company was officially founded in September 1998 – shortly before Member States’ deadline to implement the Directive.

Yet, pending the completion of negotiations for a controversial revision of the Directive proposed by the Commission, this legislation remains applicable to the Internet as it has developed since. Many years of controversy as to whether (and if so, how) the Directive applies to key elements of the Web, such as social networks, search engines and cookies, have culminated today in the CJEU’s judgment in Google Spain, which concerns search engines.

The background to the case, as further explained by Lorna Woods, concerns a Spanish citizen who no longer wanted an old newspaper report on his financial history (concerning social security debts) to be available via Google. Of course, the mere fact that he has brought this legal challenge likely means that the details of his financial history will become known even more widely – much as many thousands of EU law students have memorised the name of Mr. Stauder, who similarly brought a legal challenge with a view to keeping his financial difficulties private, resulting in the first CJEU judgment on the role of human rights in EU law.

The Court’s judgment

The CJEU addressed four key issues in its judgment: (a) the material scope of the Directive, ie whether it applies to search engines; (b) the territorial scope of the Directive, ie whether it applies to Google Spain, given that the parent company is based in Silicon Valley; (c) the responsibility of search engine operators; and (d) the concept of the ‘right to be forgotten’, ie the right of an individual to insist (in this case) that his or her history be removed from accessibility via a search engine. The details of the Court’s ruling have been summarised by Lorna Woods, but I will repeat some key points here in order to put the following analysis into context.  

Material scope

Does the Directive apply to search engines? The CJEU said yes.  The information at issue was undoubtedly ‘personal data’, and placing it on a website was ‘processing’. A search engine was processing personal data, even though it originated from third parties, because (using the definition in the Directive) it ‘collects’ data from the Internet, then ‘retrieves’, ‘stores’ and ‘discloses’ it. It was irrelevant that the material had been published elsewhere and not altered by Google, as the CJEU had already ruled in the Satamedia case (in the context of tax information published on CD-ROM). Moreover the definition of ‘processing’ does not require that the data be altered.

A second – and perhaps more important – point was whether Google was a ‘controller’ of the data, with the result that it has liability for the data processing. Again the key issue was Google’s use of data already published elsewhere. The Advocate-General had concluded from this that Google was not a data controller – but the CJEU reached the opposite conclusion. On this point, the Court, ruling that there must be a ‘broad definition of the concept’ of a ‘controller’, distinguished between the original publication of the data and its processing by a search engine: Google undoubtedly controlled the latter activity, by means of its control over the search process. One is unavoidably reminded of the Machiavellian search-engine billionaire who frequently appears on episodes of The Good Wife – although of course he is nothing like the executives of Google.

In particular, the Court ruled that the activities of search engines make information available to people who would not have found it on the original web page, and provide a ‘detailed profile of the data subject’, and so have a much greater impact on the right to privacy than the original website publication.

Territorial scope

Does the Directive apply to search engine companies based in California, with a subsidiary in Spain? The national court suggested three grounds on which this might be the case: the ‘establishment’ in the territory; the ‘use of equipment’ in the territory (as regards crawlers or robots, the possible storage of data and the use of domain names); or the default application of the EU Charter of Fundamental Rights.

The Court found that Google Spain was ‘established’ in the territory, and therefore the data protection Directive, in the form implemented by Spain, applied. It was not necessary to rule on the other possibilities as regards the scope of the Directive, which are very significant in the context of the Internet, so those issues remain open. It should be noted, however, that in light of the objectives of the Directive, the rules on its scope ‘cannot be interpreted restrictively’, and that it had ‘a particularly broad territorial scope’.

Why was Google Spain established there, even though it did not carry out any search engine activities? The CJEU said that it was sufficient that the company carried out advertising activities, these being linked to the well-known business model of Google (selling advertising which was relevant to search engine results).

Responsibility of search engine operators

The CJEU ruled that search engine operators are responsible, distinct from the original web page publishers, for removing information on data subjects from search engine results, even where the publication on the original pages might be lawful. It confirmed that the right to demand rectification, erasure or blocking of data did not apply only where the data was incomplete or inaccurate, but also where the processing was unlawful for any other reason, including non-compliance with any other ground in the Directive relating to data quality or criteria for data processing, or in the context of the right to object to data processing on ‘compelling legitimate grounds’.

This meant that data subjects could request that search engines delete personal data from their search results, and complain to the courts or data protection supervisory authorities if they refused.  As for Article 7(f) of the Directive, which provides that one ground for processing data (where there was no contract, legal obligation, public interest requirement or consent by the data subject) was the ‘legitimate interests of the controller’, this was a case where (as Article 7(f) provides) those interests were ‘overridden’ by the rights of the data subject.

There has to be a balancing of rights in such cases – including the public right to freedom of expression – but in light of the ease of obtaining information on data subjects, and the ‘ubiquitous’ nature of the ‘detailed profile’ that results from search engine results, the huge impact on the right to privacy ‘cannot be justified by merely the economic interest’ of the search engine operator. The public interest in the information was only relevant where the data subject played a role in public life.

In light of the greater impact of search engine results on the right to privacy, search engines are not only subject to a separate application of the balancing test, but a more stringent application of that test – meaning that the information might remain available on the original website, even if it was blocked from the search engine results. The CJEU states that search engines cannot rely on the ‘journalistic’ exception from the Directive.

The ‘right to be forgotten’

Finally, the CJEU accepts the arguments that the Directive’s requirements that personal data must be retained for limited periods, only for as long as it is relevant, amount to a form of ‘right to be forgotten’ (although the Court does not say that such a right exists as such). While it leaves it to the national court to apply such a right to the facts of this case, the Court clearly guides the national court to the conclusion that the data subject’s rights have been violated.

Comments

The essential problem with this judgment is that the CJEU concerned itself so much with enforcing the right to privacy that it forgot that other rights are also applicable.

As regards the right to privacy, the Court’s analysis is convincing. Of course, information on a named person’s financial affairs is ‘personal data’, and it has long been established that prior publication is irrelevant in this regard – a particularly important point for search engines. Equally, the Court had previously ruled (convincingly) in the Lindqvist judgment that placing data online is a form of ‘data processing’. 

While it is less obvious that Google is a ‘data controller’, given that it does not control the original publication of the data, the Court’s conclusion that search engines are data controllers is ultimately convincing, given the additional processing that results from the use of a search engine, along with the enormous added value that a search engine brings for anyone who seeks to find that data. In this sense, Google is a victim of its own success.

Similarly, as regards the territorial scope of the Directive, it would be remarkable if Google, having established a subsidiary and domain name in Spain and sought to sell advertising there, would not be regarded as being ‘established’ in that country. The sale of advertising in connection with free searches is, of course, the key element of Google’s business model (leaving aside the many other companies, such as YouTube and Blogger, that Google has acquired over the years), and making money is surely one of the ‘activities’ of any business that aims to make profits.

The separate liability of Google as a ‘data controller’ obviously justifies the Court’s conclusion that it might, in appropriate cases, be required to take down material from its search engine results that infringes the data protection directive. This is most obviously relevant where that data is inaccurate or libellous, but that is not the case here, where the personal data is simply embarrassing.

So, in the absence of another legitimate ground for processing (which will normally be the case as regards search engines), the case ultimately turns on the balancing of interests between the data subject, the search engine and other Internet users. And here is where the Court’s reasoning goes awry.

In its previous judgment in ASNEF, the Court ruled that Spanish law failed to apply the correct balance between data subjects and direct marketing companies, because by banning any use of personal data which was not already public, it implicitly did not give enough weight to the company’s right to carry on a business. But here the Court makes no reference to that right, even though Google’s methods are as central to its business model as the use of private personal data is for direct marketers. Indeed, Google’s highly targeted advertising (not as such an issue in this case) is itself obviously a form of direct marketing.

Also in ASNEF, the Court criticised the Spanish law for its automaticity, because it failed to weigh up the interests of companies and data subjects in individual cases. But in Google Spain, it is the Court which sets out an automatic test: the economic interest of the search engine is overridden if the individual is not a public figure.

The interests of other Internet users are only briefly mentioned, even though Article 7(f) requires a balancing of interests not only as between the data controller (ie, the search engine in this case) and the data subject, but also as regards third parties to whom the data are disclosed, ie the general public. Oddly, the Court does not expressly refer to the Charter right to freedom of expression (it’s in Article 11 of the Charter), and does not expressly link its statements about the balancing test to the case law of the European Court of Human Rights on the best way to balance privacy and freedom of expression.

Furthermore, unlike in ASNEF, the Court makes no mention of Article 52 of the Charter (the provision dealing with limitation of Charter rights, including in the interest of protecting other rights, which also requires consistent interpretation with the ECHR). It should also be noted that, in deciding the key freedom of expression issue itself, the Court has departed from its prior approach (in Satamedia and Lindqvist, for instance) of leaving it to the national courts to decide on this issue.

The Court’s dismissal of the journalistic exception also contradicts its willingness to agree, in Satamedia, that merely sending personal tax data by text message to nosy neighbours could constitute ‘journalism’. Here, of course, it is not Google which is the journalist; but Google is a crucial intermediary for journalists. If journalism can consist of sending out tax information by text message, it could also equally consist of commenting (for whatever reason, and in whatever forum) on an individual’s past financial problems. And there is no reason why the passage of time should count against the exercise of the right of freedom of expression – although that factor should be relevant, as the Court says, as regards the right to privacy.

Consequences of the judgment

Obviously, today’s judgment only concerns search engines, but it may have broader relevance than that.  Its relevance to social networks will soon be considered in another post on this blog. For search engines, those which are less successful than Google might not have an ‘establishment’ within the meaning of this judgment, which raises the question of whether they would otherwise have an establishment, use equipment on the territory, or can be covered due to the Charter.

More broadly, any non-EU company with a subsidiary selling advertising in an EU Member State in connection with its Internet services must obviously be regarded as covered by the data protection Directive by analogy with this judgment, without prejudice to those broader possibilities.

As for those search engines which do fall within the scope of the judgment, most obviously Google, it seems that their legal obligations are considerably greater than what they had thought them to be. They must respond to individual complaints that the personal data which can be found about that individual is simply too old to be relevant any more, whether it is accurate or not, and they can be challenged before the courts or a supervisory authority if they do not comply.  In fact, an individual could also take action to this end before a supervisory authority.

Could a supervisory authority act of its own motion to enforce this judgment? Probably not, because the rights at issue in this case are triggered by individual complaints. Some people assiduously search Google to see what results they can find on themselves; in this context, I should point out that I am not the same ‘Steve Peers’ from Essex who has been convicted for non-payment of council tax. But others are unaware of, or don’t care about, or couldn’t be bothered to challenge, or are positively thrilled about, the existence of old information about them which can be found by means of using Google.

So not everyone who might conceivably be embarrassed by such old information will complain to Google, but a considerable number are likely to do so. Google’s liability extends to responding to such individuals, but not to completely changing the way it processes personal data in the absence of such complaints. 

Interesting questions may arise, however, as regards the interpretation of the rules set out in the judgment: what exactly is a public figure, and how long has to pass before personal data is no longer relevant? For instance, a job applicant can certainly object to Google if its search results include pictures of her dancing drunkenly on a table in 1998. But she could hardly argue that a record of last night’s debauchery must be ‘forgotten’ already - even if she cannot remember it herself.

Such disputes may well prove an opportunity to argue that the remit of this judgment is narrower than it first appears, or even to request (which any national court can do) that the Court reverse at least some aspects of its judgment. For now, however, the CJEU has established a potentially far-reaching right to be forgotten, with possible significant impacts at least on the activity of search engines. While in the Lindqvist judgment, the Court was keen to ensure that the data protection Directive was adapted to the reality of the Internet, in Google Spain it seems to demand that the Internet should rather be adapted to the Directive. 

As for the initiative to amend the Directive (to be replaced by a general data protection Regulation), this judgment might speed that process up, since Internet companies now have an incentive to use the process as an opportunity to limit their liability compared to what it would otherwise be - rather than (before the judgment) an interest in slowing the process down, in order to avoid an increase in that liability. Time will tell what the result of that negotiation will be.


Barnard & Peers: chapter 9

Tuesday, 11 February 2014

The EU’s Data Retention Directive: Fighting Back against mass surveillance in the EU’s Court of Justice




Steve Peers

I’m writing this post on ‘The Day We Fight Back’ against mass surveillance. So it seems a suitable day to comment (a bit belatedly) on the Advocate-General’s opinion from last December on the validity of the EU’s data retention Directive (Directive 2006/24; Cases C-293/12 Digital Rights and C-594/12 Seitlinger).

Overall context

These cases, referred from the Irish and Austrian courts, present the Court of Justice of the EU (CJEU) with its best chance yet to deliver an iconic judgment relating to the EU’s Charter of Fundamental Rights. The Test-Achats judgment of 2011, concerning the invalidity of EU rules permitting insurance discrimination between men and women, just didn’t amount to such a judgment, resulting as it did in higher car insurance rates for women drivers without much analysis of the key issues by the CJEU.

This time around, the CJEU is aware that: the constitutional courts of Germany and Romania have criticised the Directive on fundamental rights grounds; the European Court of Human Rights is dubious about mass surveillance (cf the S and Marper judgment); and there is considerable public concern across the EU about mass surveillance, in particular in the current context of revelations about spying by American security agencies.

As for the Directive itself, it requires Member States to compel telecom and Internet access providers to keep records of all phone calls, Internet use and mobile phone location data for at least six months, with no real fixed upper limit, so the police can access those records for the purposes of investigations into serious crime. (There is a nominal two-year upper limit for keeping this data, but Member States can keep in place any higher limits that they already applied, or ask the Commission for the power to set new higher limits in place if they didn’t already apply them). Other EU laws giving Member States an option to require that telecom providers keep such data for other reasons were unaffected. Overall, as I pointed out at the time, ‘Member States could insist on (or at least request) the retention of any type of data for any type of security purpose for any period at all’.

Furthermore, the Directive set no safeguards as regards the use of that data which industry was required to retain. This was because the Directive had to limit itself to regulation of the telecoms industry, due to its ‘internal market’ legal base (upheld by the CJEU in Case C-301/06 Ireland v EP and Council), so it couldn’t regulate what police forces did with the data when they got it.

While it is possible that this mass surveillance may assist in the prosecution of crime or the prevention of terrorism, that does not automatically excuse it. No doubt there is less crime in totalitarian states, but democratic states need to strike a balance between liberty and security. According to the long-standing case law of the European Court of Human Rights, targeted surveillance is only acceptable if the law in question is very precise and sets out detailed safeguards for the persons concerned. This must surely apply a fortiori to laws such as this Directive, which provide for mass surveillance – if indeed such surveillance can ever be justified at all.

The Advocate-General’s opinion

The opinion takes as its starting point (correctly) that the data retention Directive interferes with the rights to privacy and data protection (Articles 7 and 8 of the Charter). So the focus of the case is whether such interference can be justified. Article 52(1) of the Charter allows restriction of Charter rights where those restrictions are provided for by law, respect the essence of the rights, and are proportionate to protecting a public interest recognised by EU law or the rights of others. Here there is clearly a public interest, so the Advocate-General examines the other facets of the test.

He concludes that the EU Directive is not ‘prescribed by law’, within the meaning of that phrase set out in the jurisprudence of the European Court of Human Rights. The crucial problem here is the quality of the law set out in the Directive. In particular, it is not sufficiently precise as regards the limitation on Charter rights, and it does not set out guarantees for use of the data.

This raises an issue specific to the nature of the relationship between the EU and its Member States. Since Directives must be applied by Member States in their national law, it could potentially be left to the Member States to provide for such precise details concerning the interference with Charter rights when they transpose the Directive. It would be possible for the CJEU to clarify further what such rules must address, as it has in a line of case law concerning interference with privacy rights justified by the protection of intellectual property (ie downloads of music, et al, in breach of copyright).

The Advocate-General rejects that possibility here – and quite rightly. The difference is that the data retention Directive requires the Member States to interfere with Charter rights, whereas the legislation at issue in the other cases merely permits them to do so. In such a case the EU must surely bear a significant part of the responsibility – if not the whole responsibility – for satisfying the ‘quality of law’ test. This would be consistent with the case law of the European Court of Human Rights in the Bosphorus Airways v Ireland case, and the draft EU accession agreement for the ECHR, which both distinguish between cases where the EU requires its Member States to act, and where it simply permits them to do so.

Yet on this point, there is another complication arising from the nature of EU law. Before the entry into force of the Treaty of Lisbon, the legal order of the Union was divided into three so-called ‘pillars’. While the internal market was part of the first pillar (Community law), police cooperation was part of the third pillar (policing and criminal law). So a Directive based on the internal market could not address issues relating to police cooperation, and this Directive does not. That was precisely why the CJEU rejected the Irish government’s challenge to the Directive in 2009.

To address this problem, the Advocate-General suggests that the EU should at least have agreed some guarantees informally. But this would not be good enough, as non-binding guarantees would not satisfy the ‘quality of law’ test. The EU could, however, have adopted a third pillar ‘Framework Decision’ setting out such guarantees before the Treaty of Lisbon; and now it can set them out in the form of a Directive.

Finally, the Advocate-General concludes that the Directive is also disproportionate, since there is not a good enough reason for the possibly unlimited period of retaining personal data. Yet it must be pointed out that Member States’ power to retain existing national laws allowing for longer periods of data retention is built into the internal market rules of the Treaty. To disable the application of those provisions, the Court of Justice would have to rule that the Charter took priority over the Treaty (ie, other EU primary law).

Conclusions

These cases give the opportunity to the CJEU to add a lot of flesh to the bones of the rules concerning interference with Charter rights – in particular the application of the ‘quality of law’ test, which the CJEU has not referred to at all before. The difficulties created by the previous division of EU law into pillars, and the particular rules set out in the internal market provisions of the Treaties, must also be addressed. Yet in light of the overall context of these cases, the established jurisprudence of the European Court of Human Rights, and the strong opinion of the Advocate-General, it would simply be shocking if the Court of Justice did not either rule the Directive invalid, or at the very least lay down detailed rules which Member States have to follow when applying it.

[update: the CJEU gave its ruling in April 2014. For discussion of the judgment see here.]

Barnard & Peers: chapter 9