These slides explore how EU and UK data protection as applied to search engine indexing has evolved in the nine years following the Google Spain (2014) judgment. This judgment has provided a very real and valuable remedy for hundreds of thousands of data subjects but the working out of its rather ad hoc limitations concerning “significant and additional” rights effect and action only in the context of “responsibilities, powers and capabilities” have raised many questions as regards legal certainty, the role of courts as opposed to legislatures and whether “effective and complete protection” is really being secured (an issue which is especially heightened in jurisdictions such as the UK given limited action by the UK DPA in a number of areas). The slides are based my book chapter in Peter Coe and Paul Wragg (eds.), Landmark Cases in Privacy Law (Hart, 2023).as well as talks given at the Universities of Belfast, Cambridge, Leeds, Manchester and Public Service Budapest.
2. Google Spain 2014: An Unequivocal Victory for DP?
“Today’s Court Judgment is a clear victory for
the protection of personal data of Europeans! …
The data belongs to the individual, not to the
company”
Viviane Reding, European Commission V-P
Application against global actor (via “inextricable link”)
Demonstration that law can apply to sensitive context
Practical Impact: Google – +1.4m claims (+160K UK) about c.
5.4m URLS (+750K UK); Bing – only c. 54k claims & 186k URLs in
total; c. 50% URLs removed in each case.
World Economic Forum
3. Google Spain: Empowering & Constraining?
Inasmuch as the activity of a search engine is … liable to affect
significantly and additionally compared with that of the publishers of
websites, the fundamental rights to privacy and to the protection of
personal data, the operator of the search engine … must ensure, within the
framework of its responsibilities, powers and capabilities, that the activity
meets the requirements of Directive 95/46 in order that the guarantees
laid down may have full effect and that effective and complete protection
of data subjects, in particular of the right to privacy, may actually be
achieved. (at [38])
However, journalistic derogation was excluded (at [85])
4. Substantive Full Effect? Sensitive Data
NT1 NT2: UK DPA argued for disapplication (citing EU Charter)
C-136/17 GC et. al. held that
A 9.2.g (NB narrowed in UK GDPR) allows processing where:
“[T]he operator must … ascertain, having regard to the reasons of
substantial public interest referred to in … Article 9(2)(g) of Regulation
2016/679 and in compliance with conditions laid down in those
provisions, whether the inclusion of that link in the list of results
displayed following a search on the basis of the data subject’s name is
strictly necessary for protecting the freedom of information of internet
users” (at [68])
“necessary for reasons of substantial public interest, on the basis of
Union or Member State law which shall be proportionate to the aim
pursued and provide for suitable and specific measures to safeguard the
fundamental rights and interests of the data subject.”
5. Criminal Data & Timeliness
NT1 NT2: Warby focused on “made public” vires in UK DPA 1998.
CJEU still focused on A 9.2.g despite A 10 stating:
On timeliness (A 5.1.d) found no absolute need to delete but rather
to
“Processing of personal data relating to criminal convictions and
offences or related security measures based on Article 6(1) shall be
carried out only under the control of official authority or where the
processing is authorised by Union or Member State law providing for
appropriate safeguards for the rights and freedoms of data subjects.”
“adjust the list of results in a such a way that the overall picture it gives
to the internet user reflects the current legal position, which means in
particular that links to web pages containing information on that point
must appear in first place on the list.”
6. Inaccuracy (A. 5(1)(d)) & Adequacy (A 5.1.c)
Vital issue C-460/20 TU, RE v Google (2022) N.B. not binding on UK
Inaccuracy: Proved and non-minor Remove
Adequacy: Admin. or Judicial Proceedings Flag if Known
“where, at the very least, a part – which is not minor in relation to the
content as a whole – of the information referred to in the request for de-
referencing proves to be inaccurate… the right to inform and the right to
be informed cannot be taken into account, since they cannot include the
right to disseminate and have access to such information.” (at [64])
“where administrative or judicial proceedings … brough tto the attention
of the operator of the search engine concerned, it is for that operator, for
the purposes, inter alia, of providing internet users with information
which continues to be relevant and up-to-date, to add to the search
results a warning concerning the existence of such proceedings” (at [76])
7. Unacknowledged Role of A 23.1 GDPR
Union or Member State law to which the data controller or processor is
subject may restrict by way of a legislative measure the scope of the
obligations and rights provided for in Articles 12 to 22 [transparency and
subject rights] and Article 34 [data breach notification], as well as Article
5 in so far as its provisions correspond …when such a restriction respects
the essence of the fundamental rights and freedoms and is a necessary
and proportionate measure in a democratic society to safeguard:
…
(e) … important objectives of general public interest …
…
(i) the protection of … the rights and freedoms of others [freedom of
information seen as engaged since C-136/18 GC et. al.]
8. But Note Requirements of A 23.2
Relevant
specific
provisions
Processing
Purposes
Data
Categories
Restrictions
Scope
Controller
specification
Risks to data
subjects
Safeguards
against abuse
Transparency
for data
subject
9. Unsafeguarded Website Notification
Analysis:
Data subject gives no true consent to this
Sensitive context of exercise of core data protection right
Exposes data in a way which risk severely undermining this
Purpose limitation is thereby directly & seriously violated.
EU Outcomes:
A29 Working Party (2014, p 10); EDPB (2020, p 6): Held illegal
Spanish DPA: 2016 €150K fine & injunction (process challenge 2019)
Swedish DPA: 2020 c €5M, fine & injunction (became final 02/2023)
However, in practice still going on (outside Sweden)
10. Unsafeguarded Notification in UK
UK Courts: No consideration.
UK ICO: No concrete action (except for reindexing info in 09/2015)
Striking given widespread republishing including systematically
(+2,000 entries so far) by BBC:
11. Responsibilities: GC et. al.- Just Ex Post?
Sensitive data rules:
Timeliness principle:
“can apply to that operator only by reason of that reference and thus via a
verification under the supervision of the competent national authorities,
on the basis of a request by the data subject.” (at [47])
“the operator is … required, at the latest on the occasion of the request for
de-referencing, to adjust the results” (at [78])
12. TU, RE – Ex Post & No Active Investigation
Ex Ante:
No Active Investigatory Duty:
N.B. A-G had different opinion and no discussion of right to restriction
which talks explicitly about verification duties (A 18)
“the prohibitions and restrictions laid down by … the GDPR can apply to
that operator only by reason of that referencing and thus via a
verification, under the supervision of the competent national authorities,
on the basis of a request by the data subject.” (at [53])
“operator cannot be required to play an active role in trying to find facts
which are not substantiated by the request for de-referencing.” (at [ 70])
13. Significant & Additional Rights Risk
Even less clear how justified under the DP or e-Commerce law
Parameters even less explored in case law as all CJEU involved
name searches (though interim cases in UK e.g. Mosley wider)
CJEU case law has emphasised conceptual test & EDPB
(2020, p 5) held right was only “mainly based” on name search
Italian DPA 2019: Applied right to search on job title
Logic also applies to phone numbers, photographs etc.
UK DPA: Narrow understanding of name-search only (Harker)
14. Geographical Scope of Action
C-507/17 Google v CNIL found robust geo-blocking to be required.
Left open orders for global action based on national standards:
Italy: DPA global deindexing order upheld by courts (Nov. 2022)
UK: No action taken to require action beyond geo-blocking.
“[M]easures must … have the effect of preventing or, at the very least,
seriously discouraging internet users in the Member States from gaining
access to the links in question using a search conducted on the basis of
the data subject’s name.” (at [70])
“[A] supervisory or judicial authority of a Member States remains
competent to weigh up, in light of national standards … [and] to order,
where appropriate, the operator of that search engine to carry out a de-
referencing concerning all versions of that search engine. (at [72])
15. Taking Stock
Courts trying to play a legislative role establishing restrictions but
very ad hoc and sometimes without forensic scrutiny
Substantively, GDPR restrictions clauses set useful guideposts &
are intended to be followed-up with law from (Union or) States
Limits based on risk threshold and limitation responsibilities conflict
with ex ante processing model & so reform of GDPR itself needed
In absence, might hope for:
(1) some parliamentary intervention to establish clear balance,
(2) more sustained, systematic oversight from DPAs, &
(3) more care from courts in how conduct their analyses.