Mark Watts and Hannah Crowther of Bristows discuss the nuances behind the European Union’s ruling and the finer points of EU data protection law.
"From worrying about what information the government or Google may hold, the focus has shifted to what anyone and everyone can find out – one’s family, peers, and current and future employers – from entering a few keystrokes online."
If we are to believe everything we’ve read in the media over the past few months, we now have the “right to be forgotten”. The right, on request, to have our past misdemeanours and embarrassing moments cast into oblivion, and to emerge squeaky clean – a blank slate (albeit in an online world where paper, never mind slate, may soon become an outdated metaphor).
The reality is, of course, somewhat more nuanced. The right granted by the Court of Justice of the European Union’s (CJEU’s) ruling in Google v Costeja in May 2014 is limited to removing the link to certain URLs produced when your name is entered into an online search engine. It is not a general right to have your personal data deleted by anyone, nor to have the information removed from a search engine altogether. Moreover, this right will not apply in all circumstances: in some cases, the requestor’s privacy rights will not override the interests of internet users to receive information, and so the link can remain.
Despite its more limited application from a strictly legal perspective, however, the Costeja judgment is still hugely significant in terms of the development of privacy rights in the EU. There are three trends that emerge from the judges’ decision which, even if you are not a search engine or someone who is unhappy with their online image, are relevant to anyone with an interest in privacy.
First, it is further evidence of the “long arm” of EU data protection law; for several years now, the regulators have been increasingly uncomfortable with non-EU companies collecting data about EU nationals, but maintaining they are not subject to EU data protection laws. Second, it demonstrates a new level of “activism” on the part of the CJEU in the field of privacy rights. Third, it can be seen as both a cause and effect of an increasing awareness among individuals of data protection and their rights.
TERRITORIAL APPLICATION: THE “LONG ARM” OF EU DATA PROTECTION LAW
As consumer services (and the personal data processing that goes with them) increasingly move online, a company’s physical location has less and less of an impact on the location of its customer base. With so many of the leading tech companies based in the US, but providing services to EU citizens, the application of the EU Data Protection Directive (the Directive) to non-EU organisations has increasingly been an area of concern for the EU Data Protection Authorities and the EU legislators.
In the Costeja case, the CJEU held that Google Inc is subject to the requirements of the Directive under Article 4(1)(a), through the presence in the EU of subsidiaries acting as sales agents for its online advertising service. The Court held that the personal data in Google Inc’s search engine was being processed “in the context of” the activities of its Spanish subsidiary, because the sale of advertising space by Google Spain was the means by which its search engine was rendered economically viable. The Court spoke of an “inextricable link” between the two activities.
In reaching this conclusion, the CJEU emphasised the need to prevent individuals in the EU being denied the protection guaranteed by the Directive or allow those protections to be circumvented – and that this justified prescribing a particularly broad territorial scope to the Directive. Perhaps unsurprisingly, the Court did not want Google to be able to avoid being subject to EU data protection laws simply by being domiciled in the US, and so used an arguably somewhat strained interpretation of Article 4(1)a) to reach the desired outcome. In spite of the fact that Google Spain had never had any contact with the personal data in question, the CJEU held that its purely economic contribution to Google Inc was sufficient to justify imposing jurisdiction.
Although concrete evidence of an increased appetite to interpret the territorial scope of the Directive broadly it is, however, important to remember that the Costeja judgment is limited to the specific circumstances of search engines and online advertising revenue. The CJEU noted that the link between the search engine and Google Spain was strengthened by the fact that the adverts were displayed on the same page as the search results – and indeed are often influenced by the search terms used. Although subsequent referrals may seek to extrapolate the Court’s reasoning further and apply it to analogous circumstances, at present the Costeja ruling does not mean that all non-EU organisations with an EU sales office will be subject to the Directive.
Much like tax, questions of jurisdiction in data protection law quickly become a political issue as well as a legal one. The proposed Data Protection Regulation, currently moving its way through the EU legislative process, provides further evidence of this trend towards extraterritorial application of EU laws. Once (if!) the current draft Regulation becomes law, it will apply where the processing activities relate to “the offering of goods or services... to such data subjects in the Union”. The EU legislators intend that EU residents should have the protection of EU data protection law, no matter where the services they access are based. There is a concern that this provision effectively gives worldwide application to the Regulation, causing inevitable ‘conflict of law’ problems for foreign operators. What will this new territorial condition mean for websites that are generally available worldwide (as indeed most are), but with no specific-country bias? Taking this further, what if these websites are aimed at a specific non-EU country, but still technically available in the EU – are they still “offered” in the Union?
We note, however, that the wording in the new Regulation does not necessarily make the Costeja decision obsolete. The test in the Regulation refers to offering goods and services to the data subjects in the Union. In the case of the “right to be forgotten” from a search engine, the relevant data subjects are not those who are using the search engine, but those who feature in it (except, of course, that Google’s search engine is offered to everyone).
All of these uncertainties suggest that, as services are increasingly globalised, the issue of territorial application will continue to be hotly contested – whether or not the new Regulation is passed.
ACTIVISM IN THE CJEU
As posited above, the Costeja case shows an appetite for the CJEU to take a more purposive approach to the application of EU law, at least in the area of privacy, rather than relying on strict construction of the text. In the judgment the Court frequently referred to the objective of the Directive and the need to ensure its effectiveness was not compromised.
The judgment certainly accords a high status to the right of privacy. One statement which garnered much attention is found at paragraph 97: that the rights in Article 7 (privacy) and 8 (data protection) of the EU Charter of Fundamental Rights will override, as a rule, not only the economic interests of the search engine operator but also the interests of the general public in finding information. This had led some to suggest that privacy may come to be viewed as a “super right” deserving enhanced protection.
The Costeja judgment came shortly after another surprising decision by the CJEU in April 2014, in relation to the Data Retention Directive. The Data Retention Directive required telecoms providers to retain certain categories of traffic and location data (but not the contents of those communications) for up to two years, and to make them available to law enforcement authorities. As with Costeja, the Court declined to follow the opinion of the Advocate-General; instead, it declared that the Data Retention Directive was invalid on the grounds that it did not provide sufficient safeguards for privacy.
Plenty more referrals which touch on the right to privacy are expected in the coming years – not least regarding the application of Costeja. The CJEU should therefore have plenty more opportunities to flex its recently developed muscles as the guardians of privacy.
INCREASING AWARENESS OF CONSUMER RIGHTS
It is undeniable that there has been a huge increase in the media coverage of data protection and privacy in the last few years. The Costeja case made headlines around the world and Google was flooded with tens of thousands of requests in the first few weeks after the judgment. Social media concerns, the phone-hacking scandal and the Leveson Report, and the revelations from Edward Snowden have all kept privacy firmly on the front pages.
The original focus of privacy and data protections laws, when these concepts were first developed, tended to be on what the state knew and what corporations knew. The dissemination of information online has added a new element to these concerns: individuals are now seeking protection from what can be discovered by the world at large. From worrying about what information the government or Google may hold, the focus has shifted to what anyone and everyone can find out – one’s family, peers, and current and future employers – from entering a few keystrokes online.
These privacy concerns about the impact of the internet were often entirely unexpected when the information was first generated. Early adopters of social media did not realise that what they posted could potentially follow them forever. With the uploading of newspaper archives, something that could once be dismissed as tomorrow’s dustbin liner can now reappear, easily retrievable via search engines. Protecting yourself online is now taught in schools, to discourage teenagers from posting photos they may later regret. All of this makes it inevitable that consumers will want to know about – and enforce – their privacy rights.
We certainly have not reached the peak of this consumer awareness; there is undoubtedly much further to go. Most people in the EU know they have an enshrined right to freedom of expression – but how many know they have a right to private and family life? And one suspects even fewer know the EU Charter enshrines a specific right to data protection in Article 8.
These three trends are closely interlinked. The broad interpretation of the territorial application of the Directive is evidence of the CJEU’s activism; both of these contribute to an increased awareness among individuals of their rights. Arguably, the first two are also caused by an increasing interest in privacy – as individuals look to the law and the courts to protect their rights. Mr Costeja was not the only individual who had asked Google to remove him from the index, but it was only when his case reached the Spanish High Court that the referral to the CJEU was made.
As individuals become increasingly concerned with their privacy, and aware of their rights, it seems inevitable that more referrals to the CJEU will follow, giving the Court further opportunity to strengthen individual privacy rights – generating more headlines and ensuring privacy remains a hot topic of discussion.