The so-called Right to Be Forgotten or right of erasure (RTBF) has been the subject of much debate and attention since the publication of the Court of Justice of the European Union (CJEU) opinion in May 2014, in the Costeja v. Google case. The CJEU held that, under certain conditions, a European citizen has the right to demand that a search engine remove links to information pertaining to him that is “inaccurate, inadequate, irrelevant, or excessive,” even if the information is truthful.
Since the publication of the CJEU opinion, search engines have been flooded by delisting requests. According to the Google Transparency Report, as of the end of February 2015, Google has received over 220,000 delisting requests, and has evaluated over 800,000 URLs.
The topic has also garnered the attention of the Article 29 Working Party (A29), which published Guidelines, in late November 2014, to explain the position of the EU Data Protection Authorities. Among other things, the Guidelines provide that delisting requests, when accepted, must be implemented on all domains operated, worldwide, by the entity receiving the delisting request, and not just only on its EU domains.
Interest in RTBF has also expanded outside the European Economic Area (EEA). Cases similar to the Costeja case have been brought in Asia and the Americas. It is clear that a strong current is building. The CJEU Costeja ruling and its aftermath are significant for businesses around the world in many respects. The genie is out of the bottle, and may be sneaking into, and disrupting many businesses.
Court of Justice of the European Union Ruling
The questions addressed in the Costeja v. Google case are not new. The Internet and search technologies have provided individuals with the ability to have immediate access to significant amounts of information. There is a dark side to the magic. The same search engine that allows the discovery of information for a research project may also unearth dark secrets that someone would rather see buried.
In the Costeja case, the CJEU found that Google, Inc., a US based company was subject to EU laws as a data controller and that EU laws required the removal of links to certain articles that had become “inaccurate, inadequate, irrelevant or excessive”. The court found that the interference with Mr. Costeja’s right to data protection could not be justified merely by Google, Inc.’s economic interest.
– Territorial Reach of EU Data Protection Laws
Jurisdiction was a major hurdle in the Costeja case. Google Inc. argued that it was not subject to EU laws because all processing was conducted in the United States, and its Spain subsidiary was only intended to promote and sell products. The CJEU found that Google, Inc. had an establishment in Spain through its subsidiary and that the processing was conducted in the context of the activities of that establishment. According to the CJEU, EU laws apply to the foreign entity responsible for that server if it has a branch or subsidiary in a Member State that promotes the sale of advertising space offered by the foreign entity.
This is an important ruling that significantly increases the probability that a foreign company operating in the EU through a domestic subsidiary might find itself subject to EU jurisdiction. A complex corporate structure with layers of subsidiaries may not shield US companies from EU laws.
– Search Engine as data controller
The CJEU found that a search engine is a data controller. The CJEU stated that the activity of a search engine consisting of finding information published on the Internet by third parties, indexing it automatically, storing it temporarily and making it available according to a particular order of preference must be classified as “processing of personal data” within the meaning of the 1995 EU Data Protection Directive and that the search engine operator must be regarded as the “controller” in respect of that processing.
This position is consistent with a trend in the European Union. EU agencies, data protection authorities, and the Article 29 Working Party (A29) are refining the concept of the data processor and data controller, and rather than a dichotomy, are defining a sliding scale. A company can be both a controller for certain activities and a processor for others. Two companies may be deemed joint data controllers.
This ruling has great significance. US companies, including cloud service providers, have vehemently argued that they are only data processors, and not data controllers. The Costeja ruling weakens this position.
Article 29 Guidelines on the Implementation of the CJEU Judgment
The A29 Guidelines take the CJEU ruling to the next stage and expand its scope. The Guidelines are especially relevant to American companies, which might find themselves caught unexpectedly in a quandary after receiving a RTBF delisting request.
– Not Just for Search Engines
The Guidelines expand the CJEU ruling to organizations other than search engines. The A29 advises that while the ruling is specially addressed to generalist search engines, that does not mean that it cannot be applied to other intermediaries. The de-listing right may be exercised whenever the conditions established in the ruling are met.
It is not clear which types of organizations might be affected. The Guidelines do not identify these other intermediaries and leave room for expansion as cases arise. Potential targets might include entities that process large amounts of data such as data brokers, credits reporting organizations and other companies specializing in background checks, archives, library, or research organizations that offer searchable databases. Anyone who processes data that affect an individual might become a target.
– Territorial Scope of De-Listing
The A29 also believes that limiting de-listing to EU domains would not satisfactorily guarantee the data subjects’ rights. De-listing decisions must be implemented in such a way that they guarantee the effective and complete protection of data subjects’ rights, and that EU Law cannot be circumvented. Thus, companies should expect that they might have to implement de-listing requests on all relevant domains that they use or operate. This requirement is likely to cause significant concern and create significant technical and legal hurdles for American companies. Google, for example, has vehemently argued that its implementation of RTBF requests should only cover EU based search engines, and not others.
A worldwide implementation is likely to encounter the significant conflicts between EU and the other countries’ laws and cultures. For example, the right of information and the freedom of expression are areas where EU and US laws differ. The First Amendment to the US Constitution protects the freedom of speech. European laws, on the other hand, restrict certain forms of expression that would be legal in the United States, such as hate speech. If publication of certain content might violate EU laws, the de-listing of the same content might violate some US laws.
American companies with operations in Europe that might receive de-listing requests may have to struggle to accommodate both viewpoints. At a minimum, they should be aware that de-listing might have to be implemented on all of their domains rather than in a specific region. Whether and how they will be able to accommodate the nuances of US and EU freedom of expression laws remains to be seen.
RTBF in the Rest of the World?
The geographic scope of application of the CJEU decision and the Guidelines is limited to the EU territory. According to A29, the EU Data Protection Authorities will focus on claims where there is a clear link between the data subject and the EU, such as where the data subject is a citizen or resident of an EU Member State.
Nevertheless, the CJEU ruling has been followed with great interest throughout the world, and similar cases being filed and adjudicated outside the EEA. The primary target has been Google, Inc. due to the popularity and widespread use of its search engine.
In October 2014, for example, Japanese Court ordered Google, Inc. to remove certain Internet results that suggested that an individual might have been involved in criminal activities. In January 2015, the Mexican Data Protection Authority ruled against Google on facts similar to those of the Costeja case. It found that Google Mexico is a data controller, and that it must remove the offending information.
Next Steps?
RTBF is still in development and needs to be refined to provide a more balanced approach. So many components remain to be evaluated. If different countries are faced with the same issue, the discussions might mature and better solutions might be found.
Many individuals hope to erase a portion of their past – an adolescent’s mistake, a petty crime for which they have paid, or articles about them that they find invasive – such as news regarding their health. The CJEU ruling, the A29 Guidelines, and the recent RTBF cases open the opportunity to request such masking, de-listing, or blocking and in some cases, to obtain it.
There are, however, significant ethical and societal implications in removing or not referencing data that can be unearthed only because of the extraordinary power of search technologies. Search engines may not be the best judges to decide whether and what information should be available to society at large. The United Kingdom and the United States are questioning the soundness of giving search engines this power.
Nevertheless, event though RTBF is still in its infancy, it has garnered great interest and generated much comment. Hopefully it will evolve and be refined. In the meantime, American companies that offer search capabilities or operate large databases should stay tuned and understand the likely implications of the CJEU and other cases, and the application of the A29 Guidelines.
Related Articles
Additional articles regarding the Right to be Forgotten can be found at:
http://www.francoisegilbert.com/2014/11/right-to-be-forgotten-guidelines-from-wp29/