The recent decision of the Court of Justice of the European Union, in Google Spain SL v. Agencia Espanola de Proteccion de Datos (“AEPD”), C-131/12 (May 13, 2014), available at www.curia.europa.eu, has received extensive media coverage, with commentators suggesting that the ruling is “ground-breaking,” “astonishing,” and “upsetting.” Those descriptions may greatly overstate the significance of the ruling, especially for U.S. businesses.
The decision grows out of a complaint by a Spanish citizen against a Spanish newspaper and Google Spain, claiming that a 12-year-old story about his former financial troubles should be removed from the internet and links to the story extinguished. AEPD, the Spanish data protection authority, denied the request as to the newspaper (which had lawfully published the story), but granted the request as to Google. The Court of Justice affirmed, on both points. The decision turns on the conclusion that Google Spain is subject to European Union (“EU”) regulation, and that its service “retrieves, records or organizes” data (within the meaning of the EU Data Protection Directive), such that Google is thus a “controller” of data, subject to regulation under the Directive. The Directive, moreover, establishes fundamental rights of privacy, including the right to expungement of information that no longer serves its original purpose.
What the decision does not do is establish a broad and unequivocal “right to be forgotten.” First, the territorial coverage of the ruling is limited. Because the case involved a Spanish citizen, Spanish newspaper, and Spanish internet operation (a Google subsidiary in Spain), the decision on jurisdiction was relatively easy. Whether European data protection authorities would seek to extend jurisdiction to other cases with weaker connections to Europe remains for further development.
Second, the Court did not suggest that validly-created news content must ever be altered. Quite the opposite. The Spanish newspaper was permitted to display its original story via its website. The removal of Google links to the story, moreover, does not absolutely prohibit access to the story. As to future cases, moreover, the Court suggested that a balancing process must apply, in which the interests of internet users may override the interests of data subjects in protection of data concerning their private lives. Thus, where the data subject plays a role in public life, or other public interests arise, such interests may tend to decrease the data subject’s right to claim protection for sensitive information and the removal of internet links that may not be required.
Finally, the ruling is not self-enforcing. To obtain similar relief from Google or any other web operator, the data subject must make a request to the company. The company must evaluate the request (conducting the “balancing” test suggested by the Court), and determine whether relief appears required. Only if the data subject is unsatisfied with the results, and only if the data subject can convince data protection authorities that the result is improper, might there by additional rulings directing similar relief. Because data protection authorities vary in their views from country to country the availability of the remedy may also vary greatly.
The Google Spain decision is surprising in at least one regard. The EU has under consideration revisions to its Data Protection Directive (adopted in 1995). The general purpose of the revisions is to update the data protection regime, in light of new technologies and practices, and to make more uniform the treatment of data protection across the national systems in Europe. One feature of the revisions under consideration is recognition of a “right to be forgotten.” These and other revisions have been the subject of intense political in-fighting, as well as lobbying efforts from foreign companies potentially affected by more stringent regulations. The recent Snowden/NSA revelations have only added fuel to the controversy. In that context, the European Court’s decision to wade into a controversial area, which arguably could be better settled through the political process, appears unusually bold.
The stakes are high in this arena. The Data Directive reform proposal includes significant enforcement procedures, including (potentially) fines of up to five percent of a company’s global turnover for violations of the law. The proposed revisions also seek to clarify that EU data protection law may apply to any services directed at EU citizens, regardless of where the service controller is located. Thus, even though most US businesses may conclude that they are not immediately affected by the Google Spain decision, they should pay careful attention to European developments that may affect their operations.
The author is a partner at Park Jensen Bennett LLP, in New York City. The views expressed are solely those of the author, and should not be attributed to the author’s firm, or its clients.