If its age could be measured in ‘Internet years’, the EU’s data protection Directive would be prehistoric. This can easily be demonstrated by comparison with the age of Facebook. The Directive was adopted seven years before the virtual panty raid on Harvard students’ privacy that ultimately launched Facebook. Indeed, when the Directive was adopted in 1995, Mark Zuckerberg was eleven years old, and attending primary school. He turns 30 today.
That’s a significant birthday – but is there anything in the Google Spain judgment that would ruin the party? This blog post looks in detail at the possible application of the judgment to two well-known features of the Internet: social networks and Wikipedia.
Long ago (in Internet years), the Internet shifted to a ‘Web 2.0’ model, dominated increasingly by user-generated content such as social networks and Wikipedia (along with blogs and many other forms of such content). The question I want to pose here is whether the Google Spain judgment could launch a ‘Web 3.0’: an Internet dominated by data subjects’ control of their personal data?
Applying the Google Spain judgment to social networks and Wikipedia
Material scope of EU law
First of all, the information placed on social networks and Wikipedia certainly constitutes personal data, at least as far as it concerns living natural persons. It’s an interesting question as to whether the legislation also applies to dead persons: this conjures up the image of the supporters and critics of (say) Ronald Reagan or Margaret Thatcher using data protection law to litigate over the reputation of their heroes (or villains). But the exclusion of legal persons means that data protection law cannot be a vehicle for companies (or other legal persons such as NGOs, political parties, charities or governments) to attempt to remove all traces of criticism of their actions.
As the CJEU has made clear several times, it isn’t relevant that the data was initially (or subsequently) made available elsewhere. This point is relevant to Wikipedia in particular, given the sources it links to for most of its information.
Placing information on the Internet amounts to ‘data processing’, at least where it is available to the general public. This is particularly relevant to Wikipedia, but it’s also relevant to those social network profiles which are accessible to the outside world. In both cases, the personal data would also be accessible by means of search engines, which means that Google (or other search engines) would be separately liable for securing data protection rights under the conditions set out in the Google Spain judgment.
However, where a social network profile is genuinely closed to the outside world and made accessible only to persons selected by the data subject, the EU’s ‘Article 29’ working party on data protection (a body made up of national data protection supervisors, which gives non-binding advice on the application of EU data protection law) has suggested that the so-called ‘household exception’ in the Directive might apply. This would mean that, since the data could only be seen by a closed circle of (presumably) friends and family, the EU law wouldn’t apply at all. Obviously, though, that exception wouldn’t apply to any processing of the personal data in question by the company which established the social network itself, for direct marketing or other purposes.
Who is the ‘data controller’, ie the person with greater liability for application of EU data protection legislation, as regards social networks and Wikipedia? On this point, there is a clash between the nature of Web 2.0 and the putative Web 3.0, to the extent that the content of the personal data is generated by the users. In principle, each individual chooses how much personal data to place online and who has access to it, and similarly the editors of Wikipedia generate its content. The liability of the social network provider or Wikipedia might arise, however, to the extent that they alter the privacy settings, or could be regarded as controlling (as in Google Spain) the systematic presentation of the data to the outside world. We can’t forget that in that judgment, the CJEU ruled that there has to be a ‘broad definition of the concept’ of a data controller.
Back when the Internet was (in Internet years) a teenager, the CJEU ruled in Lindqvist that the special rules on external relations in the data protection Directive should not, by means of the nature of the Internet, become a general regime applicable to the entire world. But in Google Spain, the Court conversely was anxious to ensure that the general rules of the Directive were applicable to companies based outside the EU.
However, this doesn’t mean that all social networks, or Wikipedia, are necessarily subject to the Directive. They are certainly subject to it if they are in the same situation as Google: with a subsidiary in a Member State, which is selling advertising connected to the Internet-related activities of the parent body. But this is surely not the only scenario when the Directive applies to companies based outside the EU. As the CJEU said in Google Spain, the Directive has ‘a particularly broad territorial scope’ and the relevant rules ‘cannot be interpreted restrictively’. So while it is an oversimplification to say that the Directive applies to any entity ‘doing business in the EU’, it probably applies at least where there is a significant local activity (certainly in the form of a branch, possibly in the form of an agent or licensee) by the parent entity, that has some link to its Internet activities.
It is also still open to argue (since the Court did not address the issue) whether a parent company can be regarded as ‘established’ or using equipment on the territory due to its use of domain names, storage of data, and use of crawlers or robots on the territory, or whether the EU Charter of Fundamental Rights imposes broader criteria as regards the territorial scope of the rules.
Of course, there will be practical difficulties enforcing the Directive where a non-EU entity does not have assets in the EU. However, in such cases there might be possibilities to enforce the Directive’s rules by seeking to enforce a court ruling in a non-Member State, or more directly by means of obtaining an injunction to block access to the information which infringes data protection rules. Undoubtedly, such an injunction could be sought against Google, where the data is accessible by means of its search engine, and arguably (by analogy with copyright law) against an Internet service provider.
One interesting question which the Court did not have to deal with in Google Spain was the personal scope of data subjects. For instance, could a celebrity based in America, who finally gets tired of stories about her enormous backside, try to use EU data protection law to prevent access to such stories?
There is no requirement in the Directive that the data subject must be a national of a Member State, and/or domiciled in the EU. Nor do the rules on the territorial scope of the Directive mention this factor. So it must follow that non-EU citizens who are not resident in the EU can rely upon the Directive to assert their data protection rights within Member States. So in principle, at least, the supporters and detractors of Barack Obama or Vladimir Putin could bring their disputes, in the context of editing Wikipedia entries, to the courts and data protection supervisors of EU countries.
While this might sound absurd, in fact there are other reasons which would stand in the way of the application of EU data protection law to such disputes – to which we now turn.
Responsibility of data controllers
Data controllers must ensure that the data quality rules in the Directive are satisfied, and that data was processed in accordance with one of the legal grounds for processing.
On the latter point, one of the crucial factors in the Google Spain case was that Google could only rely (as regards its search engine) on its ‘legitimate [commercial] interest’ in processing personal data, in accordance with Article 7(f) of the Directive. The same provision refers to the interests of third parties, namely freedom of expression. However, the Court held that such interests were overridden by the data subject’s rights in that case, due to the huge invasion of his privacy due to the use of search engines.
Two issues arise here: the balancing test, and the grounds for processing. The first issue is particularly relevant for Wikipedia, since (like Google, as regards its search engine) it must rely on this balancing test in order to justify its processing of personal data, in the absence of other possible grounds to justify it.
Applying the balancing test, the CJEU ruled on both Google’s interest and the public interest in freedom of expression. As regards Google, the Court stated that its ‘merely economic’ interests were outweighed by the data subject’s. This suggests that a non-profit body like Wikipedia would arguably have a greater claim to assert its interests than a profit-making entity.
As regards the public interest, the Court listed the factors to be considered as ‘the nature of the information’, its ‘sensitivity for the data subject’s private life’, and the public’s interest in the data, which could ‘vary, in particular’, on the data subject’s ‘role…in public life’. It should be recalled that the concept of ‘private life’ usually includes data concerning a person’s activity in public, but here the Court does suggest that there might be a distinction between public and private activities. So the balance tips in favour of freedom of expression the more that the person concerned is a public figure, and the more that the information concerns his or her public activities. So certainly Wikipedia could contain a record of public criticism of a politician; but the sordid details of his intern’s (postponed) dry-cleaning might possibly be another matter.
The crucial question here is whether the test can be regarded as severable: ie can it be argued that even if a person is a public figure, his or her public and private activities can be distinguished? In any event, his or her mistress or children are data subjects in their own right, so would have a data protection right to assert independently of the politician, and are unlikely to be public figures. But of course, some spurned mistresses are very keen indeed to waive their data protection rights.
But who is a public figure in the first place? Presumably the concept has an autonomous meaning in EU law, so it is not up to Wikipedia (or the persons concerned) to determine what it means by themselves. But surely the nature of Wikipedia is a significant factor to take into account when developing and applying such a definition.
As regards the nature of the personal data, what if the information in question reflects very badly upon the person concerned? The CJEU did not address this issue expressly in Google Spain. But it could be argued that it depends on the public interest in receiving that information. So while past financial difficulty does not raise a public interest issue, there is a better case for arguing (say) that a woman who has been groped by a particular car mechanic has every right to warn other women against him via means of social networks.
Another crucial element in the Google Spain judgment was the journalist exception in the Directive. It didn’t apply, because Google itself was not a journalist, and the Court disregarded the use that journalists make of search engines. But where content is user-generated, such as Wikipedia and on blogs, surely the exception must apply, given the Court’s broad approach to it in previous judgments such as Satamedia and Lindqvist. So in that case it could be argued that the exception should be applied in practice by the national courts. Indeed, perhaps the only reason why the CJEU undertook the task of applying the balancing test between privacy and freedom of expression itself in Google Spain was because the journalist exception did not apply.
As for the second issue, social networks will usually be able to point to other grounds justifying the processing of personal data: namely unambiguous consent, and necessity to perform a contract. This raises important questions of how to interpret these grounds for data processing, but these are clearly different issues not addressed at all by the Google Spain judgment.
That judgment would only be relevant as regards the processing of personal data about third parties in social networks, for instance a man ranting about his ex-girlfriend on his Facebook page. The way to resolve situations such as these is for social networks to adopt and apply robust privacy policies, but the Google Spain judgment can only be an indirect source of inspiration for such policies.
The right to be forgotten
Finally, what of the ‘right to be forgotten’? The Court derived such an implicit right from the rules in the Directive on the relevance of data (one of the data quality principles), given that it might cease to be relevant over a long period of time. While this can be seen as a positive right for data subjects, conversely it suggests that if information is accurate (and complies with all other rules in the Directive), there is not much of a right for a data subject to object to its dissemination as long as it is relatively fresh.
Is there good reason for Mark Zuckerberg's own knickers to be in a twist, following the Google Spain judgment? The CJEU does suggest that the territorial scope of the Directive is relatively broad, and as such is more likely to apply to social networks and other well-known Internet services than might otherwise have been thought. But it is not yet certain whether and when the Directive does apply to entities whose situation differs from Google’s. Equally the judgment confirms that the material scope of the Directive is broad, and it seems clear enough that its personal scope is broad too.
However, the judgment is unlikely to lead to a ‘Web 3.0’ as regards Internet services besides search engines, because there are basic differences in the substantive data protection law of the EU as it applies to the bodies offering such services. These differences concern in particular: the very nature of user-generated content (arguably changing who is the ‘data controller’); the existence of privacy or editing policies; the public figure exception; the possible application of different, additional grounds for processing personal data; and the Google Spain judgment itself – since it provides for an alternative, more effective means of blocking access to the personal data concerned.
Barnard & Peers: chapter 9