Provides background and explores the interpretation and enforcement of search engines' obligations under European data protection almost four years on from Google Spain (2014) and on the cusp of the new GDPR era. Focuses on four ongoing controversies: (i) the scope of such responsibilities under DP, (ii) the regulation of sensitive persona data, (iii) the legitimacy of webmaster notification and (iv) the geographical scope of action required.
2. Historic Background
Value of data obscuration recognized in law pre-DP (e.g.
Rehabilitation of Offenders Act 1974)
Concern about computer retrieval and profile building even
of public domain data goes back to early days of DP.
Early 2000s: Reality of search engines recognized as a key
aspect of internet architecture (see e.g. French DPA
Resolution (2001) on anonymization of jurisprudential info.)
But not until 2007/08 that any significant DPA focus on
search engine indexing itself.
3. EU Article 29 WP Opinion 1/2008
Recognized need for balance with freedom of expression.
Caching & Active Targeting– clear that full controller here.
Simple indexing – much more ambiguous
However: In practice, only the Spanish DPA targeted simple
indexing prior to 2014, issuing approximately 100 decisions here.
The principle of proportionality requires that to the extent that a search
engine provider acts purely as an intermediary, it should not be considered
to be the principal controller … With regard to the removal of personal data
from their index and search results, search engines have sufficient control
to consider them as controllers (either alone or jointly with others) in those
cases, but the extent which an obligation to remove or block personal data
exists, may depend on the general tort law or liability regulations of the
particular Member State. (p. 14)
4. Google Spain: Core Facts
Mr Costeja objected to Google’s indexing (against his
name) of +10 years old bankruptcy information arguing
that especially that had become irrelevant and out of
date. Claimed a “right to be forgotten”.
Google argued that:
its index was outside the scope of Spanish/EU law
it was an intermediary without data protection
obligations
such obligations would have a chilling effect on free
speech.
5. Google Spain: Core Holdings
Spanish DP law was applicable (at 45-60).
Within DP material scope & Google was controller (at 21-37).
Journalistic etc. derogation not engaged (at 85).
DP principles & legitimating criteria applied in full (absent
use of general restriction) (at 71).
But with ordinary data, was a limited role for balancing.
6. Balancing in Ordinary Data Delisting Cases
74 … Application of Article 7 (f) [“legitimate interests”] … necessitates a
balancing of opposing rights and interests concerned, in the context of
which account must be taken of the significance of the data subject’s
rights arising from Articles 7 and 8 of the Charter …
81. In the light of the potential seriousness of that interference [name-
based searches], it is clear that it cannot be justified merely by ...
economic interest … [T]he data subject’s rights protected by those
[Charter] articles also override, as a general rule interest of interest
users, that balance may however depend, in specific cases, on the nature
of the information in question and its sensitivity for the data subject’s
private life and on the interest of the public in having that information,
an interest of the public in having that information, an interest which
may vary, in particular, according to the role played by the data subject
in public life.
7. Google Spain: The Cryptic Aspects
No acknowledgement that free speech engaged.
Also no mention of intermediary shields.
But caveats to duties still introduced (by sidewind):
Court left unaddressed Art. 8 and sensitive data.
Inasmuch as the activity of a search engine is … liable to affect significantly
and additionally compared with that of the publishers of websites, the
fundamental rights to privacy and to the protection of personal data, the
operator of the search engine … must ensure, within the framework of its
responsibilities, powers and capabilities, that the activity meets the
requirements of Directive 95/46 in order that the guarantees laid down may
have full effect and that effective and complete protection of data subjects,
in particular of the right to privacy, may actually be achieved. (at 38)
8. Immediate Response to Google Spain
High-profile decision prompting support & opposition.
Google quickly rolled out ex post right to object but:
Only on reference on individual’s name
Balance with freedom of expression in all cases
Notification to webmasters of take-down
Generic notification to search users (not default for public figures)
Redaction limited to EEA national domains only.
A29 WP: Guidelines produced in late 2014 (delisting criteria
largely adopted by ICO subsequently).
9. Controversies: Scope of Duties
Google etc.: Limits to specific, ex post action on nominative search.
A29 WP: Appears to accept this (p. 7).
Mosley v. Google (2015): Proactive blocking on all searches.
In refusing a strike out, Justice Mitting found that:
and further that, even if intermediary shields applied:
[t]he claimant’s assertion that he has suffered substantial unwarranted
distress [potentially required for action under DPA 1998] is plainly
capable of belief, and if so, founding the remedy which he seeks.
[g]iven that it is common ground that existing technology permits Google,
without disproportionate effort or expense, to block access to
individual images, as it can do with child sexual abuse imagery, the
evidence may well satisfy a trial judge that it can be done without
impermissible [general] monitoring.
10. Controversies: Sensitive Personal Data
A29 WP / ICO: Points to delisting (but special rules not applicable).
Google Spain logic: Need to apply special rules here in full?
UK Courts: Townsend v Google (2017) on criminal convictions:
Netherlands: Possible exceptionally to rely on journalism provision?
France/CJEU: Conseil d’État referred wide-ranging Qs to CJEU.
the [sensitive] information contained in the personal data has been made
public as a result of steps deliberately taken by the data subject (at 62)
11. Controversies: Website Notification
Google etc.: Specific notification to webmasters.
A29 WP: Unsafeguarded disclosure is illegal.
ICO: Case-by-case. Took formal action in one case after re-indexing:
Spanish DPA: In Sept. 2016, fined Google €150K for notifying:
Google argued (i) no personal data processing, (ii) done with consent,
(iii) “compatible” processing “necessary for “legitimate” interests & (iv) a
notification to third parties required under DP law.
All arguments rejected but decision likely to be appealed in court.
[T]he Commissioner does not dispute that journalistic content relating to
decisions to delist search engine results may be newsworthy and in the
public interest. However, that interest can be adequately and properly
met without a search being made on the basis of the complainant’s name
12. Controversies: Geographical Scope of Action
A29 WP: Can read as requiring global delisting:
ICO (& Spanish DPA):
National domain only ; geo-location blocking .
Summer 2016: ICO Enforcement Action.
Early 2016: New Google policy including geo-blocking.
French Action:
March 2016: DPA fined Google €100K for no global redaction.
Decision appealed to courts.
August 2017: Conseil d’État reference to CJEU.
[D]e-listing should … be effective on all relevant domains, including .com
13. Controversies: Geographical Scope of Subject
A29 WP: Applies to all in law but DPA “focus” only where EU link:
Google: Data subject must be EU resident (or ?citizen).
Spain:
DPA: Pre-Google Spain, did process claims of subjects without significant
link to EU but changed tack after judgment.
Courts: One judgment from October 2017 upholds this new approach.
UK:
ICO: Follows same logic of “in the context of” as new Spanish approach.
Courts: Hegglin (2015) found claim bona fide even though subject only
had a house and business interests in the UK (at 1-2).
“Article 8 of the EU Charter, to which the ruling explicitly refers in a number of paragraphs,
to, [sic] recognises the right to data protection to “everyone”. In practice, DPAs will
focus on claims where there is a clear link between the data subject and the EU, for
instance where the data subject is a citizen or resident of an EU Member State.”
14. Practical Implementation (2014-2017)
Google:
Pan-EU & EFTA: c. 728K claims relating to +2m URLs.
UK: 108K claims relating to 267K URLs.
Acceptance: 43% (39% in UK).
Other Operators:
Pan-EU & EFTA: Only c. 20K claims relating to c. 60K URLs against Bing.
UK ICO:
Assessment in 800 cases (1-1.5% of delisting claims).
Found need for further delisting in c. 1/3 of cases.
Enforcement notice in one case & draft notices in three more (p. 22).
15. Conclusions
Google Spain most high-profile data protection decision to date.
Has already exerted significant effect on internet landscape.
Despite reputation, can be seen also as a “reading down” of DP.
Many legal uncertainties remain & further challenges certain.