.jpg)
This article, "Google Spain v. AEPD and Mario Costeja Gonzalez," sometimes referred to as the "Right to be forgotten case," is a case study of a ruling made by the CJEU.
The Court ruled that an internet search engine operator is accountable for the processing of personal data that appears on third-party websites.
I. The case's facts
Announcements about a forced sale of houses were issued in the Spanish daily La Vanguardia in 1998.
The Spanish Ministry of Labor and Social Affairs ordered the publication of these announcements, which were intended to draw in several bidders for the sale. The two announcements were first published in print, and then they were made available online.
Mario Costeja Gonzalez owned one of the properties mentioned in the announcement. Mario complained to La Vanguardia in November 2009 about his name being redirected to the announcements when it was searched on Google.
Since the forced sale occurred years ago and the information was no longer pertinent, he asked that it be removed from their end. However, La Vanguardia declined to remove the information off the webpage because the announcements were made at the Ministry of Labor's request.
Mario asked Google Spain to remove the announcement links in February 2010, but his request was unsuccessful. This request was then sent by Google Spain to Google Inc., which is based in the United States. Mario simultaneously filed a complaint with the Spanish Data Protection Agency (henceforth referred to as "AEPD"), requesting that Google and the newspaper take down the data linkages.
The complaint against La Vanguardia was rejected by the AEPD Director in July 2010, however the complaint against Google was upheld, and they were requested to remove the links that were the subject of the complaint in order to prevent access to the data.
Google Inc. and Google Spain then filed separate lawsuits against the Director's ruling, arguing that Google Inc. was not covered by the EU's Data Protection Directive and that Google Spain was not accountable for the search engine alone.
Additionally, they asserted that this search tool did not handle any personal data. Furthermore, neither Google Spain nor Google Inc. could be considered the data controller even in the event that personal data was processed.
The last argument put forth was that Mario, as the data subject, lacked the authority to remove anything that had been legally published. In accordance with their preliminary decision procedure, the Spanish High Court sent the case to the CJEU.
II. Problems
In order to give a single hearing to resolve all the problems, the National High Court of Spain combined the actions and claims of Google and AEPD and sent them to the CJEU.
The following concerns were brought up:
Does Google's search result compilation process fall under the purview of the Data Protection Directive?
Does Google process data in accordance with the Directive's provisions? Furthermore, is Google a controller of data?
Does Google's activity fall under the territorial application of the Data Protection Directive?
Does Mario, the data subject, have the right to ask search engines to delete or remove personal information?
III. Guidelines for Problems
Directive 95/46 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, sometimes known as the "Data Protection Directive" or "Directive," was passed by the European Council in 1995.
In order to resolve the disagreements between the parties, the suggested issues go to the Data Protection Directive's requirements for guidance.
IV. Case Analysis
All EU states are required by Directive 95/46 to safeguard natural persons' fundamental freedoms and rights, including their right to privacy with the processing of personal data. Additionally, it forbids limitations on the unrestricted exchange of personal data among EU members.
The directive defines personal data as information about a natural person who is identified or identifiable and is referred to as the data subject. This specifically refers to an identification number or to one or more characteristics unique to his social, cultural, economic, physiological, mental, or physical identity.
Therefore, according to the Directive, "processing" such personal data encompasses a variety of actions taken on it, such as gathering, organizing, distributing, altering, and so forth.
Furthermore, the legislation defines a "controller" of personal data as any natural or legal person, public authority, agency, or other body that decides how and why to treat personal data, either alone or in conjunction with others.
The CJEU's initial goal was to determine whether an internet search engine's actions alone qualified as processing of personal data under the Directive's definition. Furthermore, does the operator of a search engine become a controller who performs such processes of processing personal information if it is said to be the processing of personal data?
According to the Court, search engines index and keep some or all of the information related to identifiable natural persons, which falls under the definition of "personal data" as stated. Additionally, an operator of a certain search engine will unavoidably gather personal information through a continuous search for information online. This information is then saved, indexed, and made accessible to users on the internet.
As a result, the CJEU determined that Google's actions of gathering, storing, indexing, and releasing personal data are to be regarded as "processing" of such information within the terms of the Directive.
Whether Google should then be considered the "controller" of processing personal data was still up for debate. In response, the Court determined that in order to effectively protect data subjects, the Directive's definition of the controller must be read broadly.
The Court further declared that it would be against the Directive's goals to exclude search engines since they are crucial to the overall distribution of personal data.
The issue of geographical jurisdiction arose after the CJEU claimed that Google was a controller of processing personal data.
According to court documents, Google Inc. founded Google Spain in 2003 to serve as a business agent in Spain. This agent's responsibilities included marketing, promoting, and facilitating the sale of goods and services to third parties through online advertising.
In order to assert that Google is subject to the Directive's provisions, the Court considered this goal and read it in conjunction with Article 4(1)(a) of the Directive. This is because Google's subsidiary, Google Spain, is an establishment in Spain that aims to market and sell the advertising space provided by the search engine in Spain, which helps to make the engine's service profitable.
The CJEU then discussed the scope of Google's liability as a simple online search engine with regard to personal data that was published by third-party websites and later requested to be deleted or changed by Mario, the data subject.
According to the Directive, each individual who is the subject of personal data has the right to request from the controller the rectification, erasure, or blocking of any data whose processing violates the Directive's provisions, particularly if the data is inaccurate or incomplete.
Furthermore, unless otherwise specified by national law, the Directive gives the data subject the right to object to the processing of his personal data on strong, valid grounds related to this specific circumstance. The processing that the controller initiated may no longer involve such data if there is a valid objection.
Google responded by saying that the website that initially published the material and made it accessible to the public should be held accountable for the removal of personal information. As a result, the publisher is in the greatest position to determine whether the information is legal.
But the Court went on to say that everyone has the right to have their personal information protected, citing the fundamental rights outlined in the EU Charter. Additionally, these data may be processed with the individual's consent and for certain purposes.
Everyone also has the right to see the data that is gathered about them and to have it corrected. Based on these principles and the Directive's provisions, the Court determined that when a search is conducted using an individual's name, search engines may have an impact on their basic rights to privacy and the protection of personal data.
The CJEU then decided that a search engine operator must remove links to third-party websites that include information on an individual from the list of results that appear after a search based on that individual's name.
The Court further held that individuals whose personal data is publicly accessible may request that the information in question be removed from public access due to its inclusion in a list of results because their rights to privacy and protection of personal data take precedence over both the search engine's financial interest and the public's desire to access the information upon a search pertaining to the name of the specific data subject.
However, the ability to start a request for erasure may disappear if the personal data supplied is legitimate.
The Advocate General took into consideration issues pertaining to a right to be forgotten, even if the ruling did not expressly provide one. He maintained that the freedom of expression and information will supersede the right to erasure.
A right to be forgotten was proposed in the GDPR, but it was altered to a right to seek erasure for particular circumstances between the draft and final versions of the regulation. Nonetheless, the Court did rule that processing data that is insufficient, unnecessary, or excessive may potentially violate the directive.
The information and links in the list of results must be removed in situations where the data in issue is incompatible with the data quality requirements of Articles 6(1)(e–f).
However, the information does not have to be detrimental to the data subject.
Google did declare in 2015 that it would erase links to non-consensual pornography upon request, but experts pointed out that since the business already had a policy in place to handle sensitive personal data, this was not equivalent to enacting a right to be forgotten. However, a number of consumer advocacy organizations filed complaints regarding commissions, urging Google to grant US customers the right to be forgotten.
V. Final Thoughts
The European Court of Justice held in the Google v. Spain case that European citizens have the right to ask commercial search companies that collect personal data for financial gain, such as Google, to remove links to private information when requested, as long as the information is no longer relevant.
Instead of requesting that newspapers take down the items, the Court determined that search engines' activities violated the basic rights of data subjects.
As the European Commission contemplates reforming the Directive in the impending General Data Protection Regulation, a number of experts assert that this decision is crucial for public discourse. Other experts, however, claim that the ruling is fundamentally detrimental to the functioning of the internet and, in essence, a betrayal of Europe's tradition of defending free speech.
However, the Harvard Law Review offers insight by pointing out that the Court's legitimate interpretation of the Directive's text and its privacy values is overlooked by those who disagree with the ruling. The case's results are still regarded as a milestone ruling in cyberlaw and privacy throughout all of Europe, despite the fact that the ongoing debate still cannot decide which side to support.
