In the landmark ruling in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (case no. C-131/12, May 13, 2014), the Court of Justice of the European Union (CJEU) recognized that search engines are controllers of the personal information they process. As such, they have the obligation, in appropriate cases, to de-list links to personal information in their search results.
The Gonzales decision left open questions about the scope of the duty and the criteria to be used in determining what links must be delisted, something which Google, data protection authorities, and others had disagreed about. The Article 29 Data Protection Working Party has now released a Guideline addressing these controversial issues.
The Guideline is important in a number of respects. First, it provides a summary of how the DPAs interpret the decision of the CJEU. The summary will likely be looked to in future cases involving duties of search engines that include, but will not necessarily be limited to, the type of case that was before the CJEU. In the view of the Working Party:
- Search engines are controllers of personal information they collect. Hence, all of the duties of controllers of personal information can be expected to apply to them.
- The legal basis search engines rely on to process personal information without consent is to be found in Article 7(f) of Directive 95/46/EC, the necessity for the legitimate interest of the controller or of the third parties to which data is disclosed.
- The processing carried out by search engines can significantly affect the privacy rights of individuals. When a balancing is done taking those interests into account against the freedoms of speech of search engines and the rights of individuals to access information, in many cases, the privacy rights of individuals will prevail.
- Search engines, as independent controllers of personal information, have duties to act to de-list links to data, even if the information remains accessible from other sources.
- Search engines are not required to completely de-list information about a data subject. The obligation focuses on search results based on the name of the individual.
- Individuals have rights to go directly to search engines to request de-listings. If their requests are rejected, they can either go to the local DPA or to court to have their request adjudicated.
- Individuals have a choice as to how to enforce their rights. They are not required to request all search engines to act. Presumably, this enables individuals to approach only Google, given its dominant share of the search engine market.
The Working Party also provided guidance in interpreting the scope of the obligations of search engines under the decision.
- The ruling applies to general purpose search engines such as Google, Bing and Yahoo. It does not apply to search tools available on websites such as newspapers.
- The decision applies to “everyone”. The literal wording of the Guideline suggests that it applies to citizens located anywhere in the world. This would extend to personal information about Canadians, collected in Canada, showing up in links in search results in the EU. In practice, it said that “DPAs will focus on claims where there is a clear link between the data subject and the EU, for instance where the data subject is a citizen or resident of an EU Member State.”
- De-listing decisions must be implemented in a way that guarantees the effective and complete protection of the privacy rights of individuals and in a manner that prevents circumvention of EU law. Thus, contrary to the position that Google had taken after the decision was released, to comply with the decision “limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the judgment. In practice, this means that in any case de-listing should also be effective on all relevant domains, including .com.” This interpretation of the decision is consistent with the decision of the CJEU and with other decisions in the EU intended to protect the privacy of individuals such as Mosley v. Google where a de-listing order was made against Google that extended to all search domains (e.g. google.com) from which information could be accessed.
- Contrary to the practice of some search engines, it is not appropriate to inform users of search engines that hyperlinks have been de-listed if it would suggest that an individual had made a request for the de-listing. Nor should search engines inform webmasters of the sites that are partially de-listed or contact them unless required to do so to get a better understanding of the circumstances of the case.
The Working Party also published a comprehensive annotated list of non-exclusive criteria to be taken into account in deciding whether to make de-listing orders.
The decision in the Gonzales case raises the question about whether Canadian courts will similarly recognize that search engines must comply with privacy laws such as PIPEDA. When the issue comes before the Office of the Privacy Commissioner and the courts, as it eventual will, they will be forced to determine important questions such as
- do search engines have consents, express or implied, to collect, use, and disclose the personal information they process in providing their services in Canada;
- what exemption, if any, can search engines in Canada rely on to provide their services;
- if they do not have the necessary consents and no exemption exists, would PIPEDA be found to violate the Charter of Rights and Freedoms as did Alberta’s PIPA in the United Food case;
- how will Canadian courts balance the privacy rights of individuals against the interests protected by the Charter;
- what is the scope of any obligation and when would the obligation to de-list links to personal information arise;
- what criteria would be considered appropriate in deciding whether links to information should be de-listed; and
- the territorial reach of PIPEDA to search engines that collect, use, and disclose personal information on a global basis.
Just as it seems inevitable that this issue will arise in Canada, it also seems inevitable that the Gonzales decision and the Article 29 Working Party Guideline will be referred to when it does. This makes recent privacy developments in the EU related to the “right to be forgotten” all the more relevant to Canadians.
1. Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (case no. C-131/12, May 13, 2014). Google had disputed that the de-listing order is global in scope. However, paragraphs 2 and 88 of the decision state:
Para 2 “The request has been made in proceedings between, on the one hand, Google Spain SL (‘Google Spain’) and Google Inc. and, on the other, the Agencia Española de Protección de Datos (Spanish Data Protection Agency; ‘the AEPD’) and Mr Costeja González concerning a decision by the AEPD upholding the complaint lodged by Mr Costeja González against those two companies and ordering Google Inc. to adopt the measures necessary to withdraw personal data relating to Mr Costeja González from its index and to prevent access to the data in the future.”
Para. 88 “In the light of all the foregoing considerations, the answer to Question 2(c) and (d) is that Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.”
2. Mosley v. Google (Case No. 11/07970, Tribunal de Grand Instance de Paris, decision of November 6, 2013) Google Inc. ordered to filter photos that had been taken in violation of Max Mosley’s privacy rights from search results retrieved using any of Google’s search engines including google.com.
3. Another de-indexing order was made against Google in Germany also at the request of Max Mosely. See, D. Crossley, “Case Law, Hamburg District Court: Max Mosley v Google Inc”, online: Inforrm’s Blog”
First published on barrysookman.com.