The Google ‘right to be forgotten’ ruling and its wider implications for the financial services sector
August 2014 | EXPERT BRIEFING | RISK MANAGEMENT
In a landmark judgment on 13 May 2014, the Court of Justice of the European Union (the Court) ruled that an individual has the ‘right to be forgotten’ under the Data Protection Directive 95/46/EC (the Directive). The Court held that, in certain circumstances, search engines such as Google will be obliged to remove from their search results links to webpages which contain “inadequate, irrelevant or no longer relevant or excessive” information about individuals.
The case has attracted worldwide attention because of its ramifications for Google and other search engines. Indeed, since the case was first publicised, Google alone has received more than 12,000 requests to be forgotten. However, what has attracted relatively little attention are the wider implications for business generally. In summary, this ruling is not just relevant for search engines. Its implications for our understanding of the territorial scope of the Directive and, arguably, our understanding of individuals’ rights will be relevant to all types of business and the financial services sector, in particular.
What was the case about?
The dispute dates back to 1998 when a Spanish newspaper mentioned an individual’s name (Mr Gonzalez) in relation to an auction for the recovery of debts. A digital copy of the article was placed on the newspaper’s website and indexed by Google’s search engine. In 2009 Mr Gonzales asked the newspaper to remove the publication. After the newspaper refused to do so, Mr Gonzalez asked Google to remove the publication from its search engine results, which Google also refused to do.
In March 2010, Mr Gonzalez lodged a complaint against both the newspaper and Google with the Spanish data protection authority, the Agencia Espanola de Proteccion de Datos (AEPD). In July 2010, the AEPD rejected the complaint relating to the Spanish newspaper. The AEPD found that the newspaper was legally justified in publishing the auction. However, the AEPD upheld the complaint against Google and ordered that the publication’s link to the search engine be removed.
Both Google’s Spanish company (Google Spain) and its US company (Google Inc.) appealed against the AEPD decision to the Audiencia Nacional (the Spanish Court). The Spanish Court stayed the proceedings and referred its legal questions to the Court for a ruling.
What was the Court asked to rule on?
In brief, the Court was asked to rule on the following three important legal questions: (i) does the Directive apply to search engines such as Google (i.e., is a search engine a data controller); (ii) does the Directive apply to Google Spain (even though the data processing servers are based in the US); and (iii) does an individual have a right under the Directive to request data be removed from accessibility by a search engine (i.e., does the Directive contain a ‘right to be forgotten’)?
Does the Directive apply to search engines?
The Court ruled that the Directive did apply to search engines as data controllers (i.e., legal entities that determine the manner and purposes of the processing of personal data). This is important as this means that a search engine is legally responsible for its processing being compliant with the Directive – provided that such processing comes within the Directive’s territorial scope.
Does the Directive apply to Google Spain (given that the data processing servers are based in the US)?
The Court’s ruling on this question is highly relevant to all international organisations. The Directive’s territorial scope is limited to “processing …carried out in the context of the activities of an establishment of the [data] controller on the territory of the Member State” (emphasis added). The recitals to the Directive clarify that “establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements” and that “the legal form of such an establishment, whether simply [a] branch or a subsidiary with a legal personality, is not the determining factor”.
Both Google Spain and Google Inc. argued that the processing of personal data by the Google search engine is carried out “exclusively” by Google Inc. in the US and, therefore, not subject to the Directive. They argued that Google Spain’s role was limited to providing support to the Google group’s advertising activity.
The Court disagreed. The Court found that Google Inc.’s processing of personal data is being carried out “in the context of the activities of Google Spain”. This is because Google Spain promotes and sells advertising space offered by Google Inc. The Court noted that the activities of the two entities are “inextricably linked”. The Court also noted that it was clear from the Directive that a broad territorial scope was intended to help prevent individuals being deprived of their rights.
Does the Directive contain a ‘right to be forgotten’?
The Court found that the Directive already contains the principle commonly known as the ‘right to be forgotten’. Under the Directive, data controllers have an obligation to process personal data fairly and lawfully and individuals have a right to obtain from the data controller, “the rectification, erasure or blocking of data the processing of which does not comply with the provisions of the Directive”.
The Court further ruled that an individual could exercise this right without having to demonstrate prejudice. An individual’s rights under the Directive override not only the economic interest of the search engine but also the interest of the general public in having access to that information. This ruling is both important and hugely controversial. A similar express right to be forgotten in the draft General Data Protection Regulation (the Draft Regulation), which is expected to replace the Directive, has been the subject of intense discussion.
What are the wider implications for the financial services sector?
Firstly, the ruling has broadened our understanding of the territorial scope of the Directive. This will have important implications for international financial services’ institutions that set up branches or companies in an EU Member State but consider that their data processing is carried out outside of the EU. This part of the ruling is not specific to search engines but comes from the wide interpretation given to the meaning of the following words “in the context of the activities of an establishment”. We would encourage financial services’ institutions which consider they might be in this situation to seek legal advice on this point.
Secondly, the ruling has clarified that the Directive already contains a ‘right to be forgotten’. Although this particular ruling relates to that right in the context of a search engine, this interpretation of the Directive is, arguably, applicable to all data controllers. What is particularly worrying is that this new right to be forgotten has been found to exist by a court without any democratic discussion about its wider implications. This is the reason why the right to be forgotten in the Draft Regulation has been, quite rightly, the subject of such intense discussion.
There are real concerns about how this new right will be interpreted and implemented. Firstly, is this right even feasible in today’s digital age? Whilst the Court recognises that this is not an absolute right, the Court’s wording does set a high bar for data controllers. The Court’s ruling states “the controller must take every reasonable step to ensure that data which do not meet the requirements of that provision are erased or rectified” (emphasis added). What will this mean in practice? Secondly, how will this right be balanced against other parties’ legitimate interests? Financial institutions rely on processing a history of personal data for important legitimate interest purposes such as anti-money laundering purposes and the identification of politically exposed persons. How will conflicts between these interests be managed? These concerns must, as a priority, be clarified in the draft Regulation. The right to be forgotten must not become the ‘freeway to fraud’.
Belinda Doshi is a partner at Nabarro LLP. She can be contacted on + 44 (0)20 7524 6200 or by email: firstname.lastname@example.org.
© Financier Worldwide