The Court of Justice of the European Union creates precedent according to which Google must erase personal data subsequent to a request by the person concerned

By Konstantinos Kakavoulis

The case Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (referred to as Google Spain v. Costeja Gonzalez) was decided before the Court of Justice of the European Union. The decision was issued on 25 June 2013. It constitutes a landmark for human rights in the digital age.

– Case history

On 5 March 2010, a Spanish citizen, Mario Costeja Gonzalez, filed a claim before the Spanish Authority for Personal Data Protection (AEPD) against a Spanish newspaper, Google Spain SL and Google Inc. The applicant complained that any Internet user, who typed his name in the Google search engine, would receive as a result two publications by some Spanish newspaper regarding a confiscation order for his house. The applicant requested that the newspaper erased his name from the publications and that Google removed his personal data in issue from the results it provides to its users. He argued that the confiscation procedure against his house had long been terminated and that any reference to it was totally irrelevant at present.

The Spanish Data Protection Authority dismissed the claim regarding the newspaper, but approved it regarding Google. According to the Authority, the newspaper was not obliged to repeal the publications, since they were lawfully published during the date on which they had been issued. On the contrary, it found that search engines are personal data processors and consequently Google Spain and Google Inc. had to erase the personal data, subsequently to the application filed by Mr. Costeja Gonzalez. The Authority based its decision on EU Directive 1995/46/EU.

Subsequently, Google Spain and Google Inc. appealed, against the aforementioned decision before the High Court of Spain. The latter referred a series of questions to the Court of Justice of the European Union (CJEU) regarding the correct implementation of the Directive. The questions concerned whether Google is subject to the notion of the processor of personal data and also whether, as an EU corporation, is subject to the provisions of the Directive. In case of a negative response, the High Court requested from the CJEU to determine Google’s liability as a data processor and assess whether a citizen has the right to request from Google to erase his personal data, namely the right to be forgotten.

– The CJEU decision

The CJEU found that Google is indeed a processor of personal data, since it “collects such data which it subsequently ‘retrieves’, ‘records’ and ‘organises’ within the framework of its indexing programmes, ‘stores’ on its servers and, as the case may be, ‘discloses’ and ‘makes available’ to its users in the form of lists of search results” and since it determines the purposes and means of this processing. The Court also found that Google Spain is an affiliated company of Google Inc. and therefore, Google Inc. is subject to the EU Directive.

One of the main points of the decision concerns the legal obligations which search engines, such as Google, have, according to the Directive. The Court found that search engines have the right to process personal data, when this is necessary in order for the legitimate interest of the data holder or third parties to be served. This right is not absolute. It may be limited when it contests the interests or the fundamental rights of the data subject –especially its right to privacy. The Court underlined that the economic interests of the search engine are not enough to impose limitations on the right to privacy. The Court also reminded that the right to privacy in principle prevails over the right of the public to gain access to personal data of a non-public figure.

The Court decided that the data subject has undoubtedly a legitimate interest to deny the disclosure of its personal data, even if such disclosure is not harmful to it. This right is founded on its right to privacy. Consequently, the data subject –in the present case Mr. Costeja Gonzalez- can request the erasure of his data, if the information disclosed are “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue carried out by the operator of the search engine”. In such an event, not only the data subject has the pertinent right, but also the data controller has the obligation to erase the data.

With this decision, the Court found that Mario Costeja Gonzalez had the right to request the erasure of his personal data from Google, while the latter had the obligation to erase them. Thus, this decision acknowledged the right to be forgotten for data subjects and the pertinent obligation for the data controller.

– Commentary on the decision

This decision is of great significance. It created precedent upon which subsequent rulings of the Court may be justified. Furthermore, national courts’ judgements may be based upon its reasoning or the opinions of the minority. We already see that the General Data Protection Regulation (GDPR) institutionalizes the right to be forgotten, in a way which constitutes a logical continuation of the decision at issue. It is therefore very important for the decision to be analysed and commented.

It must be underlined that the decision does not seem to distinguish between the consequences of removing data from a search engine and removing them from a website. The publication of data in a single website has significantly fewer consequences for the right to privacy and personal data protection than the disclosure of the same data in a search engine. The capability of the search engine to collect information, to aggregate them, to publish them as a whole and therefore create a whole profile for the user is something which may not be done by a single website. Thus, the data published in a search engine can be accessed by a wider public and can create a whole digital personality for a person. This reasoning was used by the Court in its judgement.

According to the same way of thinking, the removal of data from a search engine has much more important consequences than the removal of data from a website. The first influences in a much more substantial way the right to be informed. When someone searches for information regarding a person, it is much more probable that he searches for this information by typing the name of the said person in a search engine rather than searching for it in every single website, in which he considers that this name is possibly mentioned. Therefore, if the personal data of a person are removed from a search engine, the right to privacy of the said person and his personal data are more adequately protected than if such data are removed from a website. The right of the public to be informed is correspondingly affected. The latter is safeguarded under the Charter of Fundamental Rights of the EU Article 11. Although the Court noted the difference between the data processing by a search engine and a website, it did not deal with the right to be informed in the same way, despite the fact that the latter is influenced in a different fashion in the two cases.

Furthermore, the Court seems to consider only public interest reasons as capable of imposing limitations to the right to privacy and personal data protection. The right to be informed should be mentioned and used as a reason for delimiting the aforementioned rights. The protection of personal data is of great importance. However, it cannot be absolute. There are cases in which other rights –and not only public interest reasons- prevail and should be taken into account in the attempt to strike a fair balance. Thus, the Court should have included the right to be informed as a right, which should be weighted with the right to be forgotten. The outcome of this case would not have been different. However, this judgement may have serious implications in future cases. For this reason, the Court should have included this thought and should have referred to the EU Charter 11 in a more detailed fashion. The right to privacy and personal data protection prevail over the right to be informed. In any case, the two rights should be weighted by the Court, which should take into account the circumstances of the specific case.

Another very important point which was not clarified by the decision is the geographical implementation of the right to be forgotten, namely whether the right is implemented beyond the EU boundaries. Very strong arguments exist for both options. The issue will probably be clarified in the case Google v. France, pending before the same Court.

Much criticism has also been raised regarding the extended definition the Court gave to the notion of “personal data controller”. According to this criticism, not only search engines, but also their users, might be considered to be personal data controllers. This criticism has fallen short of substance, since the General Data Protection Regulation seems to define adequately the notion of “personal data controller”. Certainly, the implementation of the Regulation by the Court in cases to come is anticipated with great interest.

The judgement in the case Google Spain v. Mario Costeja Gonzalez constitutes a point of reference in the protection of personal data in the European, but also the international level. Google, which constitutes one of the most prominent personal data controllers, has established a procedure for the fast and easy access of its users to the right to be forgotten (you can have access to the pertinent application form by clicking here). Furthermore, the right to be forgotten is safeguarded under the GDPR. All personal data processors are obliged to respect it and all data subjects may enjoy it, with certain limitations. Mr. Costeja Gonzalez –intentionally or not- assisted in the establishment of a right, which will play an important role in the digital age in which we live in.

By Konstantinos Kakavoulis

Those who were born after 1990 are very likely to have left traces of their underage life in the Internet. The younger the user, the better the chances for that. Particularly for those who have been born just before 2000, the question is not if they have left traces, but how many traces they have left. According to UNICEF, 2 children use the Internet for the first time in their lives every second that passes. Nowadays, we see children who have just learned to walk and still face difficulties in kicking a ball, using a smartphone or a tablet with ease. Children and teenagers are so familiar with technology, that often even their parents have a hard time monitoring and supervising their activities –especially if the parents themselves do not have a good relationship with technology.

Easy access to the Internet has undoubtedly a positive impact to children and adolescents. The screen of their mobile phone, their tablet or their computer is transformed to a window to the world for them. Adolescents do not only have their school, their family, their private courses and the team in which they play as a source of information. With just a few “clicks” or touches on their screens, they enjoy access to information and images, which were unconceivable for past generations. This creates an additional need for them: to be part of this digital world. It is unusual to meet a teenager without an account in at least one social media.

Adolescents seem ready to make a part of their private life public, in order to feel liked and accepted by others, and, consequently, part of the digital reality. This said part is often very big –maybe bigger than it should be. Thus, we frequently see photos of drunk or provocatively dressed teenagers, photos from their love life and posts with particularly acid content, which may contain insults, describe illegal actions for this age or may constitute bullying.

Minors seem to start recognizing that from the moment that some of their personal data go online, they can never disappear. Even if their public profile is deleted, the personal data remain in the databases of the social media companies. This fear is likely to have led to the great success of Snapchat and Instagram stories within teenagers. These two social media promise temporariness in the public exposure of their posts, which lasts from 3 seconds to 24 hours.

The question is what happens when adolescents realize the consequences of the imprudent use of social media and wish to erase the personal data, which they have publicly shared. The answer to this question is given by the right to be forgotten. GDPR Article 17 explicitly provides that in case “personal data have been collected in relation to the offer of information society services to children”, the person of concern has the right to ask for their erasure from the data controller –in most cases this will be Facebook, Instagram or some other social media. It is important to note that the Regulation stipulates that the maximum applicable age for a person to be considered a “minor” is 16 years. The Member States may regulate differently, but under no circumstances this age might be less than 13 years. It remains to be seen what the Greek legislation will determine as a “child” age, during which data protection is absolute. The right to be forgotten does not end, when child or adolescent life ends. The persons maintain it during their whole life, regarding the data which they shared, while they were still children.

The right to be forgotten provides that the mistakes someone has made during his youth, do not stigmatize him forever. Teenage memories are undoubtedly some of the most important memories a person makes during his life. Nonetheless, they are also some of the most personal ones. Many of these memories constitute sensitive personal data. Persons tend to keep these memories well-guarded and permit only to certain persons –if to anyone- to have access and knowledge of their teenage and child cheatings and everyday activities. GDPR Article 17 is here to give them back the opportunity to safeguard their memories and to permit them to manage their personal memories, which they shared during the age of “innocence”- if it can still be named so.

Erasing the past

By Konstantinos Kakavoulis

Article 17 of the new General Data Protection Regulation institutionalizes the right to erasure, the so-called “right to be forgotten”. According to this article, a person has the right to request the erasure of his personal data and the controller has the obligation to erase the personal data without undue delay. The right to be forgotten is not established for the first time with the entry into force of the new Regulation. It has been established at the European level by the Directive EU/95/46. The Court of Justice of the European Union has ruled in favour of the existence of the said right in the case Google Spain v AEPD and Mario Costeja González.

According to Article 17 of the new Regulation, The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

1. 1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
   2. the data subject withdraws consent on which the processing is based and their processing cannot be based on another legal ground;
   3. the data subject objects to the processing, which is made for public order reasons or the exercise of an official authority or in the interest of the data controller or third parties, and there are no overriding legitimate grounds for the processing;
   4. the data subject objects to the processing which is made for the direct commercial promotion of products;
   5. the personal data have been unlawfully processed;
   6. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
   7. the personal data have been collected in relation to the offer of information society services to a child

Therefore, it can be concluded that the right to be forgotten is not absolute. The mere fact that a person requests the erasure of his personal data from the Internet does not necessarily result in their erasure. According to data from Google, the company has received 720,000 requests for personal data erasure during the past 3 years and has accepted 43% of them.

For instance, in the case of a house confiscation for debts, which has taken place some years ago, the request for erasure is likely to get approved. In the case of a criminal conviction for a grave crime, this is highly unlikely; besides, the latter will always appear in the criminal record of the perpetrator.

But what is going to happen in the case of an old allegation for a serious crime, which has never been proven?

Or in the event of a recent bankruptcy?

Or in the event that someone has publicly expressed political views, which he now wants to withdraw?

In all the aforementioned circumstances there must be a weighting of the right to be forgotten with the freedom of expression, the economic interest of the data processor, as well as the public interest to gain access to this information according to the right to get informed. This weighting shall always be made taking into account the circumstances of the specific case and under no occasion may its results be predetermined. It must be noted that according to the jurisprudence of the Court of Justice of the European Union, the right to be forgotten in principle prevails over the economic interest of the data processor, as well as the right of the public to get informed.

Another very important case is pending before the Court of Justice of the European Union; the case of France versus Google. The most significant issue of concern raised before the Court is the universality of the right to be forgotten. The Court has to determine whether the pertinent right extends beyond the European Union. France’s argument in favour of the extension is that, without it, the right to be forgotten is void. Even if Google is forced to delete or edit the results of some search within the European plane, these results will still be publicly available in the rest of the world. On the contrary, Google points to freedom of expression, which will be substantially curtailed, if the Court decides that the right is to be extended. The company argues that in such an event, authoritarian regimes will be able to enforce their laws in a way that will universalize the restrictions they impose.

For instance, Thailand will be able to enforce its legislation, which prohibits any insult against its king, universally. Google argues that there must be room for every State to strike a fair balance between the right to privacy and freedom of expression. According to the company, no State must be in a position to impose its legislation on another State.

It is undisputable that both sides have very strong arguments. No matter what the outcome of the case will be, it is sure that the right to be forgotten has been established and is here to stay. This is because it guarantees something very important: the right to live without a flawless past; in other words, the right to live a normal life.

By Konstantinos Kakavoulis

Digital rights are human rights. More specifically, they are the human rights which provide persons with access to digital means of communication and the chance to use them, as well as access to computers, other electronic devices and communication networks with the respective opportunity to use them. The most significant and most well-known of these communication networks is the Internet, which, as illustrated by its name, constitutes the “network of networks”.

Which are the digital rights?

Digital rights are all the human rights, which are related to the aforementioned activities in the digital age, in which we live in. The most important digital rights, at the moment these lines are written, are the right to privacy, the personal data protection, the freedom of expression, the right to information, the right to property – material and intellectual- the right to judicial review and the prohibition of discrimination. This list is not exhaustive. The technological evolution and the pertinent extension of human activity is likely to create new digital rights.

When were digital rights created?

Digital rights are the expansion of the fundamental human rights, which were already guaranteed in the Universal Declaration of Human Rights, in international and European law, but also in the Greek Constitution. The evolution of technology and the entrance in the digital age created a new digital world, which exists in parallel with the real world. The vested rights took a new dimension, in order to regulate the new space of human activity.

Are digital rights protected?

As already mentioned, digital rights constitute the expansion of the vested fundamental human rights. Therefore, they enjoy the same protection with the vested rights. Certainly, the adoption of new legislation is imperative, in order to regulate thoroughly the particularities of the new situation.

Why are digital rights important?

All of us use the Internet and electronic devices on a regular basis: we purchase products and services, we exchange opinions and information, we get informed. It is not exaggerated to state that apart from the real world, we also live and operate in a digital one. As our real self needs to be safeguarded, so does our digital self. In order to be able to safeguard our digital rights, we must firstly get informed on them. We must learn how are personal data are used by corporations, States and other persons. We must learn where our freedom of expression in the Internet begins and where it ends. We must learn how to protect our Internet transactions. We must learn where and when is the surveillance of our actions by cameras permitted and in which cases it is not.