Introduction and overview of the decision
In May earlier this year, the Court of Justice of the European Union (‘CJEU’) applied the scope of a ‘right to be forgotten’ to a non-EU based internet search engine in the CJEU judgment Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (the ‘Judgment’).
The qualified right for individuals to object to the processing of their data and to have personal data erased or blocked (pursuant to EU Directive 95/46/EC (‘the Directive’)) preceded this decision. This right could be exercised where there are ‘compelling legitimate grounds’ and/or the data controller has only been permitted to process the individual’s data in the first place because of a legitimate or public interest.
However, the significance of the CJEU Judgment was that the right could be applied to non-EU based entities and specifically, Internet search engines, prompting the so-called ‘right to be forgotten:’ the idea that an individual can request to remove themselves from appearing in search engine results relying on European data protection laws, or, conversely, that a non-EU entity is subject to European data protection laws if it has ‘establishment’ in the European Union.
Despite the fact that Google Inc.’s search engine operations were based in the US, the CJEU held that the role of Google’s EU subsidiaries in selling advertising was a related service active within the EU, meaning that processing of personal data took place when a search was made in the context of the activities of the subsidiary. The search engine operations would therefore be subject to the Directive.
Practical implementation of the decision
The CJEU decision was met with immediate debate and, as the CJEU decision did not provide any practical guidance on its application, the European data protection authorities embarked on a consultation process with a number of search engines with the view to establishing a common framework for approaching take down requests.
Last month, the Article 29 Working Party (‘the Working Party’), which represents data protection regulators across Europe, produced its highly anticipated guidelines on the subject. The Working Party produced a list of 13 criteria for local data protection authorities to apply on a case by case basis (with no single criteria being determinative) to complaints following de-listing refusals by search engines. Commenting on who exactly would be able to issue take down requests, the Working Party suggested that, although “under EU law, everyone has a right to data protection”, in practice, enforcement by data protection authorities will focus on claims where there is a “clear link between the data subject and the EU”.
However, the most notable element of the guidance was the Working Party’s comments on applying the CJEU decision to .com domains. The Working Party highlighted that take down decisions must be applied in a manner which guarantees the protection of the rights of data subjects; the key implication of this is that take down requests must apply to .com as well as EU domains.
The expansion to .com domains magnifies the territorial scope of the CJEU decision. This raises issues surrounding whether the impact of the decision is too draconian, or conversely, whether this expansion is simply a necessary step in fully protecting the rights of data subjects which, otherwise, could be too easily circumvented. Certainly the EU will be open to the argument that it is looking to extend the impact of the CJEU ruling beyond its own jurisdiction and, necessarily, questions of how it can expect to enforce these guidelines beyond its jurisdiction.
This extension of the ‘right to be forgotten’ will certainly pile more pressure on search engines, one of which has reportedly received take down requests relating to over 630,000 URLs since the CJEU Judgment. Some commentators have criticised the ruling for placing the responsibility of removal of offending links with search engines, without obliging the source of the indexed context to be removed by the relevant host.
Search engines will now need to review the Working Party guidance and produce their own criteria for dealing with requests. The implications of the Working Party guidance may be that search engines produce different results depending upon the geo-location of site users, or search engines may apply a worldwide approach to take down requests. The former approach would no doubt be difficult and costly, whilst the latter approach raises questions surrounding territorial jurisdiction. Whilst the guidelines emphasise that a balance needs to be struck between privacy and data protection concerns and the interests of the public in having access to information, other jurisdictions, such as the US, more fiercely protect freedom of expression and it will be interesting to see how search engines will resolve the EU approach with those of other jurisdictions. Further, given that, strictly speaking, the Working Party has no enforcement powers, it remains to be seen whether search engines and local authorities will adopt the guidelines in their current format.
Some will argue that the guidance has raised more questions than it has answered. No doubt global businesses will require further clarity on this issue over the coming months.
We at Edwards Wildman continue to monitor relevant case law and the legislative process surrounding data protection law and privacy in the European Union and are on hand to answer any questions you may have. Please contact one of the authors listed above or a member of our Privacy and Data Protection team.