Global Litigator: Leave Me Alone! Europe’s “Right to Be Forgotten”

Mario Costeja González, a Spanish national, lodged a complaint with the Agencia Española de Protección de Datos (AEPD), the Spanish data protection authority, against the newspaper La Vanguardia, Google Spain, and Google Inc. González alleged that people who “googled” him retrieved links to two pages of La Vanguardia published in 1998 referring to attachment proceedings for the recovery of certain debts. Evidently chagrined, he sought an order compelling the paper to remove or alter those pages, so the personal data relating to him would no longer appear, or to use tools possessed by search engines to protect the data from recovery by others. He also asked that Google be required to remove or conceal personal data about him. According to González, the attachment proceedings unearthed by the online searches had been fully resolved several years earlier.

Although it cleared La Vanguardia, the AEPD upheld González’s complaint against Google Spain and Google Inc. It decided that operators of search engines are subject to Europe’s data protection legislation because they carry out data processing. It also concluded that it can require search engine operators to withdraw and preclude access to data in order to safeguard requesters’ fundamental rights. This obligation is owed directly by search engine operators, regardless of whether websites continue to maintain the objectionable content.

Google Spain and Google Inc. brought separate actions challenging the AEPD decision before the Audiencia Nacional (Spain’s national high court). That court, in turn, referred the matter to the ECJ and asked that body to interpret the European Data Protection Directive of 1995 in the context of the new search engine technologies. The directive aims to protect certain fundamental rights, including privacy for personal data. In addition to asking the ECJ whether the activities of search engines are tantamount to “data processing” and whether Google, as the operator of a search engine, should be regarded as the “controller” of the personal data in the webpages it indexes, the court posed the following further questions:

(1) In protecting the rights embodied in the directive, may European data protection authorities require search engine operators to withdraw information published by third parties?

(2) Does the directive empower a “data subject” to ask search engines to prevent indexing of information published on third parties’ webpages?

The ECJ responded with a landmark ruling. See Google Spain SL et al. v. AEPD et al., No. C-131/12 (May 13, 2014), available at http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&docid=152065. The ECJ decided that Google must be regarded as the “controller” of the personal data it indexes. Further, the directive requires controllers like Google to process personal data fairly and lawfully, to ensure personal data are accurate and up to date, and to keep data “in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.” Data not meeting these requirements must be expunged.

Search Engines and Privacy

Critically, the ECJ recognized that search engines can significantly affect fundamental privacy rights because they can pull up vast amounts of personal data that would otherwise remain inaccessible. At the same time, it acknowledged the need to balance the rights of data purveyors with the legitimate interests of Internet users. While privacy rights take precedence, the balance in specific cases may depend on the nature of the information in question, its sensitivity, and the public’s interest in seeing it—particularly considering the subject’s role in public life. Rejecting Google’s position, the ECJ noted the ease with which information online can be replicated on other websites—for example, a “Like” by a Facebook user could have an exponential ripple effect—and the fact that those responsible for publication are not always subject to European Union law. Therefore, search engine operators must remove links to webpages concerning the objectionable personal data even if maintenance of the data on the webpages is lawful.

Finally, the ECJ agreed that González’s fundamental right to privacy encompasses a “right to be forgotten.” The processing of personal data must be compatible with the directive, and lawful processing of accurate data may, over time, transgress the directive where data are no longer necessary to fulfill the purposes for which they were collected or processed. If information found in search results appears to be inadequate, irrelevant, or excessive in relation to the purposes of the processing at issue, it must be erased. The ECJ also ruled that the duty to erase information does not depend on harm to the requester. Thus, in González’s case, links had to be removed because the material had been published 16 years ago and no public interest required continued accessibility. The case will head back to the Spanish courts for final resolution.

Since the ECJ’s ruling, many have commented on the historically divergent views of privacy in the United States and Europe. The ECJ ruling also comes at a time of deep mistrust of American technology and on the heels of the revelations about the U.S. government’s mass surveillance programs. One wonders what an American court’s response would be if a U.S. citizen asserted a right to be forgotten? Is there such a right here?

Maybe so. Consider the 1931 California case, Melvin v. Reid, 112 Cal. App. 285, 297 P. 91 (Cal. Dist. Ct. App. 1931). Melvin sued the defendants to vindicate her “right of privacy.” Id. at 286. She had been a prostitute and was tried for murder. But following her acquittal, she married and lived “an exemplary, virtuous, honorable and righteous life,” making friends with people who were unaware of her checkered past. Id. at 286–87. Years later, the defendants released a movie entitled The Red Kimono, shown in several states. Id. at 287. They claimed it was the true story of Melvin’s life, and her maiden name was used in the film. She maintained that the movie caused her to lose friends and suffer mental and physical anguish.

Reviewing the dismissal of the case on a demurrer, the California intermediate appellate court ruled:

The right to pursue and obtain happiness is guaranteed to all by the fundamental law of our state. This right by its very nature includes the right to live free from the unwarranted attack of others upon one’s liberty, property, and reputation. Any person living a life of rectitude has that right to happiness which includes a freedom from unnecessary attacks on his character, social standing or reputation.

Id. at 291.

Siding with Melvin, the court concluded that the filmmakers had invaded her “inalienable right guaranteed to her by our Constitution, to pursue and obtain happiness.” Id. at 292. What is more important, considering the ECJ’s recent ruling, the court held that “[t]he right of privacy has been defined as the right to live one’s life in seclusion, without being subjected to unwarranted and undesired publicity. In short it is the right to be let alone.” Id. at 289.

Was the California court far from creating a right to be forgotten almost a century ago? Or was its “right to be let alone” actually Europe’s new derecho al olvido?