—David Erdos, University of Cambridge
[Cross-posted from UK Constitutional Law Blog]
The European Union Data Protection Directive of 1995 has always had lofty, and in many ways implausible, ambitions. As regards the private sector, it seeks to outlaw the input, storage or other processing on computer of any information relating to a living individual “data subject” (irrespective of whether the information is innocuous and/or widely available in the public domain) unless in each and every case that processing complies with a set of provisions put in place to ensure the protection of “the fundamental rights and freedoms of natural persons, and in particular their right to privacy” (Art. 1 (1)).
Subject to certain qualified and limited exemptions, that code requires that all data “controllers” – that is anyone who either “alone or jointly” determines the “purposes and means” of processing (Art. 2 (d)) – comply with a set of detailed rules designed inter alia to ensure fairness and transparency for the data subject and, in most circumstances, to completely outlaw processing of whole categories of “sensitive” information (for example regarding political opinion, religious belief and criminality) absent the subject’s explicit consent or unless this information is currently being manifestly made public by her (which may be taken as an albeit very tenuous kind of implicit consent) (Arts. 8, 10, 11 and 12).
In terms of legal principle, this code should have deeply structured the entire architecture of publication and dissemination of information on the World Wide Web. And yet, long before even the advent of Web 2.0, it was clear that the Web was largely operating according to an almost diametrically opposed understanding, namely, that information – in particular, publicly-available information – should, except in extraordinary circumstances, be “free”. This ethic is certainly at the heart of Google’s operations – indeed, its public mission is “to organise the world’s information and make it universally accessible and useful”.
The recently handed down Court of Justice of the European Union (CJEU) decision of C-131/12 Google Spain, Google v Agencia Espanola de Protection de Datos (2014) brings into stark relief the chasm between these two different understandings.
The case originated from an attempt by a Spanish individual to use Spanish data protection legislation to get Google to delete from its search engine publicly available information relating to his bankruptcy from over ten years previously. His case, along with some 200 or so others, received the backing of the Spanish Data Protection Authority.
Google, however, contested liability on the basis that (i) it was not subject to Spanish law, (ii) it was not a “controller” of the processing and (iii) that making it comply would have a chilling effect on fundamental rights. Whilst many of these arguments received support in the advisory Advocate General Opinion of last June, the CJEU has now strikingly rejected all three. In sum it held that:
- Google search engine was bound to comply with Spanish law since the activities of its advertising subsidiary (Google Spain), unquestionably established on Spanish territory, were “inextricably linked” to the search engine itself (at 56). Therefore, all the processing was carried out “in the context of the activities” of the Spanish subsidiary. (As an aside, this implies that European Data Protection Authorities have been wrong to hold that Facebook is only subject to Irish law and can therefore ignore the data protection provisions of all the other 28 EU Member States).
- Google was clearly determining the “purposes and means” of processing data as it was deciding to create a search engine (at 33). It therefore was a “controller”. It was not relevant that the data in question had “already been published on the internet and are not altered by the search engine” (at 29).
- Far from constituting a chilling effect on fundamental rights, placing responsibilities on Google was essential to securing the “effective and complete” protection of data subjects’ rights and freedoms envisaged by the Directive (at 38). This was particularly the case since inclusion of information on a list of search engine results “may play a decisive role in the dissemination of that information” and “is liable to constitute a more significant interference with the data subject’s fundamental right to privacy than the publication on the web page” (at 87).
What was particularly striking and unexpected was that the Court went out of its way to enunciate both the ambit and substantive duties of Google in an even more expansive way than that suggested by the Spanish Data Protection Authority (DPA).
As its Press Release following the judgment indicated, the Spanish DPA’s argument was limited to the idea that it only on being asked by the data subject to remove material that Google became liable under data protection law. Moreover, Google would only have to accede to a “right to be forgotten” if its dissemination lacked “relevance or public interest” and was “causing harm to the affected individual”. On each of these aspects, however, the understanding of the CJEU was much broader.
Firstly, the Court stated that a search engine would be a controller not as a result of receiving a data subject request but merely because it was “processing” on its own behalf or, in other words, collecting and disseminating information from the web. It followed that:
Inasmuch as the activity of a search engine is … liable to affect significantly, and additionally, compared with that of publishers of websites, the fundamental rights to privacy and to the protection of personal data [as noted above, the Court found that this would often be the case], the operator of the search engine … must ensure, within the framework of its responsibilities, powers and capabilities, that the activity meets the requirements of [Data Protection] Directive 95/46 in order that the guarantees laid down by the directive may have full effect and that effective and complete protection of data subjects, in particular of their right to privacy, may actually be achieved. (at 38)
Secondly, the Court stated that there could be a valid opposition to the search engine’s inclusion of personal data irrespective of whether inclusion in the search engine results “causes prejudice to the data subject” (at 96).
Even more strikingly, the Court found that the simple making of an opposition would “override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in finding the information upon a search relating to the data subject’s name” (at 97). As a partial caveat, the Court did add that, at least as regards ordinary personal data “that would not be the case if it appeared, for particular reasons such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of inclusion in the lists of results, access to the information in question” (at 97). In stark contrast to the Advocate General’s Opinion, the Court made no mention at all of how the much stricter, sensitive information rules were meant to operate in this context.
The Court was right to find that Google was subject to Spanish law and was indeed a controller of its search engine results. What is surprising and more troubling were the Court’s views on the breadth and depth of search engines’ data protection responsibilities.
It is particularly striking that vis-à-vis Google the Court made no mention of freedom of expression even though this is enunciated in both Article 10 of the European Convention on Human Rights and Article 11 of the EU Fundamental Rights Charter. There was therefore no express attempt to balance this right against the data protection provisions set out in the Data Protection Directive and Article 8 of the EU Charter.
Instead, data protection was given priority, subject only to the partial caveat of a rather narrowly construed public interest centered on public figures. This approach can indeed be seen as required in order to secure the “effective and complete” protection of data subjects intended by the founders of European data protection.
However, such a vision is in profound tension with the whole way in which information is disseminated and sought out online including not only by large corporations such as Google but also by hundreds of millions of individuals. Much of the legal debate in the months and years to come will focus on dissecting exactly what the few limits left in play by the Court, which relate not only to public interest but also the “responsibilities, powers and capabilities” of search engines, actually mean.
But, in terms of real implementation, what is likely to matter more is how powerful the ideal of data protection enunciated in this judgment is when placed against the vast cultural, political and economic power of “internet freedom”. Whatever results from this, interesting times are ahead for the future development of this legal framework, with profound implications for the freedom of expression and information of us all.