Case Study: Google Spain v. AEPD and Mario Costeja Gonzalez

This article titled ‘Google Spain v. AEPD and Mario Costeja Gonzalez’[1] also known as Right to be forgotten case is a case study of a decision by the CJEU.

The Court held that an internet search engine operator is responsible for the processing that it carries out of personal information which appears on the web pages published by third parties.

I. Facts of the case

In the year 1998, a Spanish newspaper called the La Vanguardia published announcements regarding a forced sale of properties.

These announcements were published on the order of the Spanish Ministry of Labour and Social Affairs and the purpose behind the announcements was to attract multiple bidders for this sale. The two announcements were published in the printed paper, and later on, a version of the same was available on the internet.

One of the properties in the announcement belonged to Mario Costeja Gonzalez. In November 2009, Mario contacted La Vanguardia to complain about how when his name was Googled, it would redirect the page to the announcements.

He requested that this data be deleted from their side as the forced sale was over years ago and that it was no longer relevant. However, since the announcements were published on request of the Ministry of Labour, La Vanguardia refused to erase the data from the webpage.

To no avail, Mario contacted Google Spain in February 2010 and requested the announcement links to be removed. Google Spain then forwarded this request to Google Inc., situated at the USA. At the same time, Mario filed a complaint with the Spanish Data Protection Agency (hereinafter referred to as ‘AEPD’) asking for the newspaper and Google to remove the links to the data.

In July 2010, the Director of AEPD rejected the complaint only against La Vanguardia, but however, upheld the complaint against Google and asked them to remove the links complained of so as to make access to the data impossible.

Google Spain and Google Inc. then brought our separate actions against the Director’s decision stating that Google Inc. was not within the scope of the Data Protection Directive of the EU and that Google Spain was not responsible for merely the search engine.

Further, they claimed that there was no processing of personal data within this search function. Additionally, even if there was the processing of personal data, neither Google Spain nor Google Inc. could be regarded as the data controller.

The final claim made was that Mario, as the data subject, did not have the right to erase what is lawfully published material. The Spanish High Court referred the matter to the CJEU under their preliminary ruling procedure.

II. Issues

The actions and claims of both Google and AEPD were clubbed by the National High Court of Spain and redirected to the CJEU so as to provide a singular hearing to address all the issues.

The issues that were raised are:

• Do the activities of Google in compiling its search results constitute activities that are covered by the Data Protection Directive?

Within the provisions of the Directive, does Google undertake data processing? Additionally, is Google a data controller?

• Is the Data Protection Directive territorially applicable to Google’s activities?

• Do the rights of the data subject (Mario) extend to requesting that search engines remove or erase personal data?

III. Rule for Issues

In the year 1995, the European Council passed Directive 95/46 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (hereinafter referred to as the ‘Data Protection Directive’ or ‘Directive’).

The proposed issues seek guidance from the provisions of the Data Protection Directive so as to settle the differences between the parties involved.

IV. Analysis of the Case

The Directive 95/46 obliges all the EU states to protect the fundamental rights and freedoms of natural persons and their right to privacy with respect to the processing of personal data.[2] It further prohibits the restrictions on the free flow of personal data between the different EU members.

According to the directive, personal data[3] is regarded as the information relating to an identified or identifiable natural person who is referred to as the data subject. In particular, this refers to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Thus, the act of ‘processing’ such personal information includes a set of operations performed upon this personal data, including collection, organization, dissemination, alteration et cetera, as specified by the Directive.

Additionally, a ‘controller’ of personal data according to the legislation is any natural or legal person, public authority, agency or other bodies, which alone or jointly with others, determine the purposes and means of the processing of personal data.[4]

The CJEU first aimed at understanding whether the activity of an internet search engine alone can be defined as processing of personal data within the meaning of the provision in the Directive.[5] Further, if it is said to be the processing of personal data, does the operator of a search engine become a controller that carries out such procedures of processing personal information.

The Court asserted that some or many information is indexed and stored by search engines, which relates to identifiable natural persons, and thus, within the meaning of ‘personal data’[6] as provided. Further, through a constant search of online information, an operator of a particular search engine will inevitable collect personal data that is subsequently stored, indexed and made available to users on the internet.

Thus, the CJEU found that Google’s act of collecting, storing, indexing and disclosing personal data is to be considered as ‘processing’ of such information within the scope of the Directive’s provisions.

The question still remained as to whether Google must then be regarded as the ‘controller’ of processing personal data. In answer to this, the Court found that the definition of the controller within the Directive must be interpreted broadly so as to ensure effective protection of data subjects.

Further, the Court stated that search engines play an incredibly decisive role in the overall dissemination of personal data and thus, exclusion of these engines would be contrary to the objectives of the Directive.

Now that Google was asserted to be a controller of processing personal data by the CJEU, the question of territorial jurisdiction came into the picture.

Court records showed that Google Spain was established by Google Inc. in 2003 to act as a commercial agent in Spain. The scope of this agent was to promote, facilitate and effect the sale of online advertising of products and services to third parties, and the marketing of that advertising.

The Court took into consideration this objective and read it along with Article 4(1)(a) of the Directive to claim that Google is subject to the Directive’s provisions because its subsidiary, Google Spain, is an establishment in Spain that intends to promote and sell in Spain, the advertising space offered by the search engine, which serves to make the service offered by that engine profitable.

The CJEU then addressed the extent of Google’s responsibility as a mere internet search engine with respect to personal information published by third party websites and subsequently, sought to be removed or altered by the data subject, Mario.

The Directive affirms that every personal data subject has the right to obtain from the controller as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular, because of the incomplete or inaccurate nature of the data.[7]

Further, the Directive grants the data subject the right to object on compelling legitimate grounds relating to this particular situation to the processing of data relating to him, save where otherwise provided by national legislation. Where there is a justified objection, the processing instigated by the controller may no longer involve that data.[8]

In response, Google argued that the removal of personal information must be addressed to the website that published the data and made it available to the public in the first place. Thus, the publisher is in the best position to assess the lawfulness of the information.

However, the Court then referred to the fundamental rights provided by the EU Charter and stated that everyone has the right to the protection of personal data concerning him or her.[9] Further, this data may be processed for specified purposes and with the consent of the person involved.

Additionally, everyone has the right of access to data which is collected concerning him and they have the right to get it rectified. In light of these principles read along with provisions of the Directive, the Court held that search engines are subject to affect the fundamental rights to privacy and to the protection of personal data when the search by means of that engine is carried out on the basis of an individual’s name.

The CJEU then ruled that the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages’, published by third parties and containing information relating to the person.

The Court further held that individuals whose personal data is publicly available may request that the information in question is no longer made available to the general public on account of its inclusion in such as a list of results as their rights to privacy and protection of personal data override the economic interest of the search engine along with the interest of the general public in having access to that information upon a search relating to the particular data subject’s name.

However, if the personal information provided is justified, the right to initiate a request of erasure may cease to exist.

While the decision did not explicitly grant a right to be forgotten, the Advocate General did consider questions relating to a right to be forgotten. He held that rights of freedom of information and expression would take precedence over a right to erasure.

The GDPR was mooted to include a right to be forgotten, but between the draft and the final version of the Regulation, the provision was changed to a right to request erasure for specific reasons. The Court, however, did hold that the processing of data which is inadequate, irrelevant or excessive might also be incompatible with the directive.

In such cases, wherein the data in question is incompatible with the provisions of Articles 6(1)(e-f) relating to data quality, then the information and links in the list of the results must be erased. It is, however, not necessary that the information must be prejudicial to the data subject.

In 2015, Google did announce that it would remove links to non-consensual pornography on request, however, experts noted that this was not the same as implementing a right to be forgotten as the company already has the policy to deal with sensitive personal data. However, various consumer advocacy groups called on Google to extend the right to be forgotten to US users by filing complains about commissions.

V. Conclusion

In the case of Google v. Spain[10], the European Court of Justice ruled that the European citizens have a right to request for commercial search firms which gather personal information for profit, like Google, to remove links to private information when asked, provided that the information is no longer relevant.

The Court did not ask for newspapers to remove the articles, but rather found the actions of search engines to be infringing fundamental rights of data subjects.

Various experts claim that this ruling provides an essential for public debate as the European Commission considers reform of the Directive in the upcoming General Data Protection Regulation. However, other experts state that the judgement is profoundly harmful to the operation of the internet and is in essence, a betrayal to Europe’s legacy in protecting the freedom of expression.

The Harvard Law Review, however, provides insight by stating that critics to the judgement ignore the fact that the Court made a reasonable interpretation of the Directive’s text and the privacy values that it contains. Thus, the debate that extends to today still fails to find a correct side to be on, however, the outcomes of the case remain as a landmark judgement in cyberlaw and privacy in all of Europe.

---

References

• Google Spain SL, Google Inc v. Agencia Espanola de Proteccion de Datos es Mario Costeja Gonzalez ECLI:EU:C:2014:317 [Case Number C-131/12]
• Marc Rotenberg, Google’s Position Makes No Sense, USA Today, 2015.
• Marc Rotenberg, The Right to Privacy is Global, US News and World Report, 2014.
• Marc Rotenberg & David Jacobs, Updating the Law of Information Privacy: The New Framework of the EU, 36 Harv. J. L. & Pub. Pol’y, 605, 2013.
• Marc Rotenberg, On International Privacy: A Path Forward for the US and Europe, Harvard International Review, 2014.
• Google Transparency Report, European Privacy Requests for Search Removals, 2014.
• Jeffrey Rosen, The Right to be Forgotten, 64 Stan. L. Rev. Online 88, 2012.
• Steven C. Bennett, The Right to be Forgotten: Reconciling EU and US Perspectives, Berkley J. Intl Law 161, 2012.
• Meg Ambrose and Jef Ausloos, The Right to be Forgotten Across the Road, 3 Journal of Information Policy 1, 2012.

---

[1] Google Spain SL, Google Inc v. Agencia Espanola de Proteccion de Datos es Mario Costeja Gonzalez ECLI:EU:C:2014:317 [Case Number C-131/12]

[2] Article 1, Data Protection Directive, 95/46/EC.

[3] Article 2(a), Data Protection Directive, 95/46/EC.

[4] Article 2(d), Data Protection Directive, 95/46/EC.

[5] Article 2(c), Data Protection Directive, 95/46/EC.

[6] Supra 3

[7] Article 12(b), Data Protection Directive, 95/46/EC.

[8] Article 14(a), Data Protection Directive, 95/46/EC.

[9] Article 8, Charter of Fundamental Rights of the European Union.

[10] Google Spain SL, Google Inc v. Agencia Espanola de Proteccion de Datos es Mario Costeja Gonzalez ECLI:EU:C:2014:317 [Case Number C-131/12]

---

1. Cyber Space Jurisdiction: Issues and Challenges