Google Spain vs. Mario Costega Gonzalez (“Right to be Forgotten”)

by Parvathi Bakshi

This piece is a summary and analysis of the Google vs. Gonzalez which paved the path for the drafting of “Right to be Forgotten”

Background

In 2010, a Spanish National registered a complaint against Google Spain and Google Inc. among others, requesting that certain information relating to him appearing in google search results, be taken down. The information which the complaint, Mr. Gonzalez, had an issue with was pertaining to a newspaper article discussing his involvement in a real estate auction and recovery of social security debts. Mr. Gonzalez believed that this personal data which would appear on Googling his name, was no longer relevant and therefore requested both the publishing entity as well as the search engine to remove or conceal the data relating to him.

Now, some of us might be of the opinion that information once in the public domain should remain in the public domain, while another camp may argue that only ‘public information’ and not ‘private information’ should be available in the public domain. Mr. Gonzalez’s unique case cuts through the question of ‘public vs. private’ information and instead answers another question: Should an individual have the right to remove any information relating to them from the internet? Article 17 of the General Data Protection Regulation (“GDPR”) (European Parliament and Council of European Union, 2016) which encompasses the ‘Right to be Erasure (right to be forgotten)’, is the answer to the question asked, however we will look at how this right came into existence with the help of this case.

Google Spain SL, Google Inc. v. Agencia Espanola de Proteccion de Datos (“AEPD”), Mario Costega Gonzalez

Brief Facts:

The Complainant, Mr. Gonzalez lodged a complaint with the AEPD against La Vanguardia Ediciones SL (a publishing company), Google Spain and Google Inc. to remove information regarding him. As per the Complainant, when conducting a Google search of his name, information of his involvement in a real estate auction connected with attachment proceedings, would appear in two links to the newspaper on Google results. The Complainant finds, that as the attachment proceedings were settled, the information is irrelevant and should no longer be displayed when doing a google search of his name.

Issues:

I. Scope of ‘Right to Erasure’: May the data subject directly address the search engine regarding objection to processing of personal data?

II. Whether the process locating, indexing, storing and making available data by search engines from third parties to internet users falls under “processing of …data” in Article 2(b)?

(a) If yes – then would the undertaker of such activity be regarded as “controller” of the data?

(b) If yes to (a) – then can AEPD impose on the controller a condition to withdraw the information published by third parties without informing the third party?

III. Can the right to erasure be extended to the data subject, so as to allow them to address the search engine directly in order to prevent processing of information published on third parties’ webpages relating to the data subject, which may be (in the opinion of the data subject) prejudicial?

Rule:

Directive 95/46/EC (Official Journal of European Communities, 1995) on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

• Article 6(1)(c) – data must be adequate, relevant and not excessive for the purpose it was collected.
• Article 6(1)(d) – data must be accurate and where necessary, kept up to date
• Article 6(1)(e) – kept in a form which allows identification of the data subject, no longer than necessary for the purpose it was collected.
• Article 12(b) ‘Right to access’ – Data subject can obtain from the controller, appropriate rectification, erasure or blocking of data not complying with provisions of the Directive.
• Article 14(a) – Read with Article 7(e) &(f), Data subject can object to processing of data on compelling legitimate grounds.
  • Article 7(e) – processing of data is necessary for performance of task carried out in public interest.
  • Article 7(f) – processing is necessary for legitimate interests pursued by controller or third party.
  • Article 7 states the situations in which personal data can be processed, read with 14(a), 7(e) & (f) are two situations of personal data processing where the data subject may have cause to object.

Analysis:

Issue I

In answering the matter of the obligations on a search engine in situations where the data subject requests erasure of information concerning them, published lawfully by third parties, the Court looks at the requirements laid down in Article 12(b) along with 6(1)(c) to (e) of the Directive. It determined that even if the initial publication was lawful, over time, the information relating to the data subject may not only become inaccurate but also inadequate, irrelevant or excessive for the purpose it was published. Therefore if such a situation occurs, then the continued processing of the data can be said to be incompatible with the Directive. As the information relating to the Complainant in the present case was no longer relevant, he may (as the data subject) and in light of his fundamental rights under article 7 ‘Respect for personal & family life’ and article 8 ‘Protection of Personal Data’, of the EU Charter of Fundamental Rights (Official Journal of the European Union, 2012) , request that the information no longer be made available to the general public. Further since no case was made out for public interest in having access to such information, the request for removal of concerned information should be granted.

Issue II

Article 2(b) of the Directive defines ‘processing of personal data’ as ‘any operation or operations performed on personal data including collection, recording, organisation, storage…erasure or destruction’. In the case of Lindqvist (Bodil Lindqvist vs. Åklagarkammaren i Jönköping, 2003),  it was already decided by the Court that the operation of loading personal data on an internet page must be considered to be ‘processing’ within the meaning of article 2(b). A search engine operates in such a manner that it collects, retrieves, records and organises data. As these operations are expressly mentioned in article 2(b) the process must be classified as ‘processing’.

Issue II(a)

Under article 2(d) of the Directive, a ‘controller’ is a natural or legal entity which alone or jointly determines the purposes and means of processing of personal data. As a search engine processes data it determines the purposes and means of that activity, thus they must be regarded as ‘controller’ of the data. The role of search engines in dissemination of data and allowing it accessible to the internet shows the close nexus they have with the activity of processing. A search engine, within the framework of its responsibilities, has the ability to significantly affect the fundamental rights to privacy and protection of personal data – just as much as the publishers of the information.

Issue II(b)

With regard to issue 2(b), it was submitted by Google that any request to seek the removal of information must be made to the publisher of the website concerned and not the search engine itself, as the publisher is the one with the responsibility of making the information public. Article 12(b) of the Directive, requires the Member States to guarantee every data subject the right to obtain from the controller – the rectification, erasure or blocking of data in the event the processing of said data does not comply with the provisions of the Directive.

• Article 6 of the Directive states that the controllers task is to ensure that the personal data is processed ‘fairly and lawfully’, collected for legitimate purposes and are not further processed in a way incompatible with those purposes.
• Further Article 7 of the Directive permits the processing of personal data for those purposes mentioned in Article 6, except where the interest or fundamental rights & freedoms of the data subject are being hampered. Essentially, Article 7 emphasises the need of balancing the opposing rights of the controller, third party sites (publishers) and the data subjects themselves.
• Under Article 14(a) of the Directive, the data subject has the right to object to processing of data relating to them on the basis of legitimate grounds. Thus requests under Article 12(b) and 14(a) enables the data subject to directly address the controller, who then has an obligation to examine the merits of the case and decide to end processing of the data. In the event the controller does not grant the request, the data subject can raise the matter before the supervisory authority. Hence, AEPD under Article 28(3) and (4) of the Directive, may hear claims lodged by the data subject concerning the protection of their rights and freedoms with regard to the processing of personal data. The supervisory authority further has investigative powers and effective powers of intervention, enabling it to order the blocking, erasure or destruction of the concerned data.

Conclusion:

The Court concluded with a ruling in favour of the Complainant. It found that in light of Article 12(b) and 14(a) of the Directive, the operator of a search engine is obliged to remove from list of results displayed, information pertaining to the data subject which is published by third parties, in the event that the information hampers to fundamental rights of privacy and to protection of personal data, even if the publication is lawful. The authority reviewing applications for such requests to erasure must ensure that the information in question should be irrelevant, inadequate, no longer relevant or excessive for the purpose thus allowing the rights of the data subject under Article 7 and 8 of the Charter to override the economic interest of the operator as well as interest of general public in having access to said information.

Takeaways

This landmark case in the EU was a crucial step in determining the extent of privacy and data protection laws in the EU. We see from this case that even search engines were subject to data protection laws and not just the publisher of sites. We also saw that the classification of the information in question relating to the data subject is an important factor for the controller and authorities to consider before granting the request. A key principle that arose from this case was that the rights of an individual superseded the rights of the general public. By placing the right to privacy and data protection over the right of the public to information (so long as the relevant criteria are fulfilled), the Court highlights that in the realm of privacy and data protection – an individuals rights are to be placed on a higher threshold.

Going back to the question raised earlier in this article, “Should an individual have the right to remove any information relating to them from the internet?”, this case paved the path for individuals who wished to no longer have their information displayed in public sites, with fulfilment of certain strict criteria.

Bibliography

1. Bodil Lindqvist vs. Åklagarkammaren i Jönköping, C-101/01 (Court of Justice of European Union November 6, 2003).

2. Official Journal of European Communities. (1995, October 24). Directive 95/46/EC. Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31995L0046&from=en

3. Official Journal of the European Union. (2012, October 26). Charter of Fundamental Rights of the European Union. Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012P/TXT&from=EN

4. European Parliament and Council of European Union. (2016, April 14). Retrieved from Intersoft Consulting : https://gdpr-info.eu/art-17-gdpr/