Data Cases

Right to be forgotten on the Internet

European Union (EU) legislation on personal data protection is designed to balance two aims: to respect the fundamental right to protect personal data and to remove obstacles from the free flow of data.

Case C-131/12: Judgment of the Court (Grand Chamber) of 13 May 2014 – Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González. Reference for a preliminary ruling: Audiencia Nacional – Spain. Personal data – Protection of individuals with regard to the processing of such data – Directive 95/46/EC – Articles 2, 4, 12 and 14 – Material and territorial scope – Internet search engines – Processing of data contained on websites – Searching for, indexing and storage of such data – Responsibility of the operator of the search engine – Establishment on the territory of a Member State – Extent of that operator’s obligations and of the data subject’s rights – Charter of Fundamental Rights of the European Union – Articles 7 and 8 (OJ C 212 of 7.7.2014, pp. 4-5).

SUMMARY

European Union (EU) legislation on personal data protection is designed to balance two aims: to respect the fundamental right to protect personal data and to remove obstacles from the free flow of data.

The right to data protection needs to be reconciled with other rights, such as freedom of expression and media freedom.

The European Court of Justice gave a landmark ruling on 13 May 2014, in a case involving Google. It sets out ways the specific aspects of the right to data protection, such as the right to erasure, should be exercised. The ruling empowers individuals to take control of their personal data.

KEY POINTS

The Court stated that an internet search engine operator is responsible for processing the personal data which appear on web pages published by other sources. Operating a search engine is a different activity to that of publishing content on a website, and search results can undermine a person’s right to privacy. Thus, the operator acts as a processor of personal data and must comply with legislation that protects individuals in this regard (Directive 95/46/EC).

The Court ruled that the search engine operator could, in some circumstances, be obliged to remove links to certain web pages from the list of results that appear when a search is conducted for a particular name. That obligation may exist even if the person’s name or information has not been erased from the website.

According to the Court, the right of data subjects to be excluded from results displayed following a search made on the basis of their name applies where the information is inaccurate, inadequate, irrelevant, no longer relevant or excessive for the purposes of data processing.

The assessment of individual requests for removal, made on a case-by-case basis by search engine operators, must balance the interests of the person involved and the public interest to have access to the information via name-based search queries.

Different factors must be taken into account when deciding whether the public interest prevails over an individual’s interests, in particular the role that the individual plays in public life. The ruling does not give the all-clear to people or organisations to have search results removed from the web simply because they find them inconvenient.

Independent national data protection authorities oversee the assessments carried out by search engine operators.

BACKGROUND

In 2010, Mario Costeja González, a Spanish citizen, requested that Google remove or conceal in search results the personal data on him printed in the newspaper La Vanguardia in January and March 1998. These related to social security debts. He maintained the proceedings had been resolved for several years and that reference to them had become irrelevant.

The case was referred to the Court of Justice by a Spanish court.

Further information is available from the European Commission’s Directorate-General for Justice and Consumers’ factsheets on myth-busting and on the right to be forgotten ruling.

RELATED ACT

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281 of 23 November 1995, pp. 31-50).

Balancing public security with data protection

In its judgment, the Court of Justice of the European Union declared as invalid Directive 2006/24/EC on the retention of data generated or processed in connection with the supply of publicly available electronic communications services or networks.

KEY POINTS

The Court notes that the directive permits the retention of data that may provide very precise information on the private lives of the persons whose data are retained (e.g. on their daily routine, permanent or temporary places of residence, movements, activities, relationships and the social environments frequented).

The Court takes the view that, by requiring the retention of those data and by allowing the competent national authorities to access them, the directive interferes in a particularly serious manner with the fundamental rights to respect private life and to protect personal data.

While not disputing the aim of the directive, the Court recalls that it must be taken into account that measures must be proportionate with what is strictly necessary to protect the general interest from serious threats (such as the fight against terrorism or organised crime).
In particular, the Court criticises the fact that the directive:
covers, in a generalised manner, all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime;
imposes a period of at least 6 months, without making any distinction between the categories of data based on the persons concerned or their possible usefulness in relation to the objective pursued;
does not provide for sufficient safeguards to ensure effective protection of the data against the risk of abuse and against any unlawful access or use;
does not require that the data be retained within the EU and does not fully ensure the control of compliance on the basis of EU law.

BACKGROUND

The High Court (Ireland) and the Verfassungsgerichtshof (Constitutional Court, Austria) asked the Court of Justice to examine the validity of the Data Retention Directive, in particular in the light of 2 fundamental rights under the Charter of Fundamental Rights of the EU: to respect private life and to protect personal data.

DOCUMENT

Joined Cases C-293/12 and C-594/12: Judgment of the Court (Grand Chamber) of 8 April 2014 (requests for a preliminary ruling from the High Court of Ireland (Ireland) and the Verfassungsgerichtshof (Austria)) — Digital Rights Ireland Ltd (C-293/12) v Minister for Communications, Marine and Natural Resources, Minister for Justice, Equality and Law Reform, The Commissioner of the Garda Síochána, Ireland and the Attorney General, and Kärntner Landesregierung, Michael Seitlinger, Christof Tschohl and Others (C-594/12) (Electronic communications — Directive 2006/24/EC — Publicly available electronic communications services or public communications networks services — Retention of data generated or processed in connection with the provision of such services — Validity — Articles 7, 8 and 11 of the Charter of Fundamental Rights of the European Union) (OJ C 175, 10.6.2014, pp. 6-7)

Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ L 105, 13.4.2006, pp. 54-63)

Charter of Fundamental Rights of the European Union (OJ C 326, 26.10.2012, pp. 391-407)