Google Spain EL and Google Inc v Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzales (C-131/12)
This is an important judgment with far-reaching consequences for how data controllers, and especially search engines, present information.
In March 2010 Mr Costeja Gonzales, a Spanish national resident in Spain, complained to his national regulator (AEPD) that when his name was entered into the Google search engine, a link to two regional newspaper articles appeared. Those articles alluded to Mr Costeja Gonzales’ historical debts. He requested that either the newspaper or Google be required to remove or conceal the personal data relating to him.
After AEPD upheld the complaint insofar as it related to Google, the company brought claims in the Spanish High Court. The Spanish High Court made a preliminary reference to the Court of Justice of the European Union (CJEU), asking it to consider, inter alia, whether the rights set out in the Data Protection Directive 95/46/EC enable a data subject to ask search engines to stop indexing information relating to him personally, published on the web pages of third parties, even where that data has been made available lawfully.
The Grand Chamber of the CJEU held that the Data Protection Directive provides that individuals should be able to apply to search engines for data to be removed where it is inaccurate, inadequate, irrelevant or excessive. Accordingly, initially lawful processing of accurate data may, in the course of time, become incompatible with the Directive where those data are no longer necessary in the light of the purposes for which they were collected or processed.
This judgment was handed down in the context of negotiations over forthcoming legislation in this area. Once adopted, the General Data Protection Regulation (GDPR) will replace the Data Protection Directive, the legislation considered in Google v AEPD.
The text of the (GDPR) adopted by the European Parliament in March 2014 appears to have watered down the ‘right to be forgotten’ found in the text proposed by the European Commission, replacing it with a more limited ‘right to erasure’. This followed extensive and intensive lobbying by the industry.
It remains to be seen what text will be adopted after the conclusion of trilogues (a process of negotiation between the European Commission, the European Parliament and the Council), but the judgment of the Court of Justice in Google v AEPD may swing the momentum in favour of an approach emphasising the privacy of the individual.
Google will be immensely disappointed by this judgment, as will the other major internet companies, which will be concerned that the ruling will be extended to them in due course, either by the GDPR or further judicial decision.
The internet companies have identified technical problems with deleting personal data. Personal messages on social media accounts, for example, present a specific issue: to delete messages from one individual’s account requires interference with the accounts of others.
The compliance units that search engines (most notably Google) will need to establish in response to the judgment may need to be large to cope with the volume of requests they receive. They will also face a complex task: they may assume a quasi-judicial function, receiving competing submissions from parties on whether data should be removed.