Search Engines under Attack: Examining the European Union’s Right to Be Forgotten (Part I)

By Tisunge (Sunga) Mkwezalamba*

Introduction

Personal data provides a legitimate business interest to an online global market.  For instance, personal data is needed for basic functions of a website operation, such as registering, retrieving individualized preferences, or making payments.  The use of personal data also improves user experience.  By collecting and storing personal data, a website can recognize visitors and respond to their preferences.  Moreover, personal data generates revenue by offering opportunities to third parties using the personal data to increase their customer base.  Generally, this is done through direct marketing.  Data privacy rights (sometimes referred to as data protection regulation) are in place to protect personal data because individuals have no control of their data after it is collected.

The European Union (EU) affords its citizens some of the strongest data privacy rights in the world.  EU citizens enjoy privacy rights so strong that they have the option to have their data disappear from the Internet.  This disappearing power is known as the “right to be forgotten”.

This paper will argue that the EU’s interpretation of the right to be forgotten is bad policy and results in bad law that burdens search engines.  Part I introduces the pieces and functions of European Union (EU) data privacy law and some underlying policies.  This section also introduces pending data privacy legislation.  The pending data privacy legislation introduces a very broad and vague right to be forgotten, which can be interpreted through Google Spain v. González, the only case precedent interpreting the right.

Part II analyzes Google Spain v. González.[1]  In González, Mario Costeja González, a Spanish citizen, sued Google to have unfavorable personal data removed from search results pursuant to EU data privacy law.  The case began in the Spanish high court, but the court referred questions to the Court of Justice of the European Union (CJEU) because it was unsure whether EU data privacy law applied to search engines that provide links to lawfully published personal data.  The CJEU held that it did, and ordered Google to remove all links to González’s unfavorable information from its search results.  In its analysis, the court defined the right to be forgotten so broadly that it now covers any personal information that an individual simply considers embarrassing.  The court also reasoned that search engines, such as Google, are responsible for personal data wherever it was located on the server, regardless of how it was obtained.  As a result, this decision enlarged unforeseeable costs for search engines associated with enforcing the right to be forgotten.

Part III argues that the EU’s right to be forgotten is bad policy and bad law for four primary reasons.  First, the EU’s interpretation of the right to be forgotten does not remove access to the personal data that has been requested for removal.  Second, broadening the type of data that may be removed, such as a history of bad debts, is likely to lead to instability in capital markets where investments and extensions of credit are based on personal data, whether or not it is unfavorable.  In addition, removal of unfavorable personal data hurts the democratic process, which relies on such information when appointing individuals to high positions of society.  Third, as currently interpreted, the right compels large search engines to enforce the international right at their burden.  This is significant because search engines then have to create a judiciary to judge EU law where only one precedent stands and many variables exist when determining whether to remove personal data.  And lastly, the CJEU’s interpretation of the law disregards guaranteed freedoms, mainly the freedom of expression, for the right to be forgotten.

Part IV offers alternative policy and legal solutions for the EU’s interpretation of the right to be forgotten.  The first recommendation encourages online anonymity on the Internet, such as anonymous posting.  Anonymity would move information provided voluntarily outside of the EU’s definition of personal data since the definition requires that the information relate back to an individual in such a way that it identifies them.

The second recommendation discusses a draft of a right to be forgotten that would limit the right to individuals whom society and the law have a strong interest to forgive.  An example of such an individual is a minor.  This is important because a majority of requests to remove personal data are embarrassing in nature, and most individuals would prefer their past mistakes be forgiven.  However, forgiveness of past mistakes should not be afforded to every individual who is embarrassed by their past.

The concluding recommendation suggests that the EU should place the burden of determining when to afford the right to be forgotten on EU data authorities because the determination of most requests requires a subjective test, which would lead to inconsistent application by search engines.

Part I: The European Union on Data Privacy Law

The EU provides its citizens some of the strongest data privacy and protection rights, particularly when compared with the United States.  In the EU, protection of personal data is a fundamental right to privacy provided by Article Eight of the European Convention for the Protection of Human Rights and Fundamental Freedoms.[2]  On the other hand, in the US, the specific right to privacy protection is not a fundamental right guaranteed to citizens by the Constitution.  In addition, the strength of EU data privacy law is highlighted in the policy underlying its promotion of the movement of personal data in the online global market where the collection and use of personal data generates revenue opportunities through online activities such as target advertising.  In the EU, the movement of personal data in the online global market is promoted by ensuring that processors are secure and individuals are given access to their personal data to verify, change, or erase their information.  The rationale for promoting security and access rights is based on a belief that individuals will be more willing to offer their personal data to online operators if they are confident that their privacy is secure and they are afforded access to their personal data.  In the US, in contrast, the movement of personal data in the online global market is promoted by limiting the amount of government regulation on the online market.  Thus, American laws are less voluminous than EU data privacy laws and individuals rarely have access to their personal data.  The rationale for the American style of governance is based on the belief that overregulation of markets stifles economic growth.

EU Directives on Data Privacy

In the EU, data privacy rights and the protection of personal data are governed by Directive 95/46/EC[3] and e-Privacy Directive 2002/58/EC.[4]  Collectively, they outline how an individual or entity can legally collect personal data from EU residents, the obligations that exist when using and storing the personal data, and the rights individuals have to access their personal data after it has been collected.

a. Directive 95/46/EC

In 1995, the EU enacted Directive 95/46/EC, its first directive on the protection of individuals with regard to the privacy and protection of their personal data.[5]  Directive 95/46/EC set out to follow the Organization for Economic Co-operation and Development’s (OECD) seven principles on the protection of Transborder Flows of Personal Data.  These principles ensure individuals are given notice that their personal data is being collected and for what purpose it is collected; individuals consent before their personal data is collected; data is kept secure; and subjects are given access to their personal data under certain circumstances.[6]  The underlying principle for access rights is that data subjects are in the best position to determine whether their personal data is being misused.  Thus, they should be given access to make such an evaluation.

EU data privacy law applies to an individual or legal body that determines the processing of personal data, also known as the data controller.[7]  Directive 95/46/EC defines personal data as any information that relates to a natural person, known as a “data subject.”[8]  Information relates to a data subject when it can be used to identify an individual, such as an identification number, or his or her economic, cultural, or social identity.[9]

Directive 95/46/EC applies to the automated processing of personal data and other processing of personal data that form a part of a filing system.[10]  Processing of personal data is a broad term, and is essentially “any operation performed . . . upon personal data” such as collecting, storing, altering, or erasing the personal data.[11]  A filing system is the function that controls how the personal data is stored and retrieved.[12]  A controller is the operator of the filing system.  Therefore, controllers determine the purposes for processing and must uphold certain OECD principles adopted by Directive 95/46/EC such as data security and access rights.

Article 12(b) of Directive 95/46/EC states that controllers are to provide data subjects access to “erasure” or “block” access to their personal data when “it does not comply with the provisions of the Directive, particularly because of the inaccurate or incomplete nature of the data.”  The González case discussed below narrates how the CJEU recently interpreted Directive 95/46/EC access rights to have personal data blocked or deleted into a right to be forgotten.  However, the court found that the Directive compelled search engines to delete any disfavoring personal data that has been lawfully collected, regardless of whether it is incorrect or incomplete in nature.

b. E-Privacy Directive 2002/58/EC

In 2002, the EU enacted E-Privacy Directive 2002/58/EC (“E-Privacy Directive”). E-Privacy Directive was later amended by Directive 2009/136/EC.[13]  The E-Privacy Directive was enacted to address developments in technology since the enactment of Directive 95/46/EC.  The directive provides similar coverage as Directive 95/46/EC by extending the OECD principles to the field of telecommunications.  Further, the rule acknowledges developments in the means by which controllers are able to collect and process personal data through outlining the rights and obligations with regard to the use of cookies, location data, spam, and spyware.[14]

c. The future of European Union Data Privacy Law: General Data Protection Regulation

Directive 95/46/EC and the E-Privacy Directive are expected to merge under a new EU data privacy regulation in December 2017.[15]  The proposed regulation is called the General Data Protection Regulation (GDPR).[16]

In accordance with the underlying policy for the promotion of the movement of personal data in the online global market, the new set of rules gives citizens more control over their personal data and aims to simplify the regulatory environment for businesses through unification of the current data privacy regime.[17]

Though the GDPR intends to simplify the regulatory environment for businesses while providing more control to its citizens, some provisions in the draft are already drawing a lot of attention from those who argue that the data privacy and protection laws of the EU already constrain the online global market.[18]  Those who take a position against strengthening EU data privacy laws believe in a free market system, free from government oversight.  This position is similar to the policy underlying the U.S. data privacy regulation discussed above.

For instance, GDPR will mandate that processors hire a data protection officer.[19]  Currently, the average salary for a data protection officer is $75,899.[20]  This rule will greatly impact small businesses that cannot afford the additional costs during their developmental stages.  In addition, the rule disregards the communication costs for controllers who will be subject to new compulsory notification and access rights for which each data subject must have access to information that they can read.[21]  The EU recognizes 24 different languages, and EU citizens are to have access to documents in any of them.[22]  Ensuring that communications regarding personal data are given in any of the 24 forms creates several additional costs for controllers.

However, the most unique addition to the GDPR, and perhaps also one of the most troublesome, is Article 17’s right to be forgotten.  This provision was included to clarify the right of erasure in Article 12(b) of Directive 95/46/EC.[23]  As was previously mentioned, Article 12(b) of Directive 95/46/EC affords EU citizens a right to erasure, interpreted in González as a right to be forgotten, regardless of whether the personal data is inaccurate or incomplete in nature.

In its clarification, Article 17 of GDPR provides a definition of the right to be forgotten that is similar to the CJEU’s interpretation in González.  In González, the court held that the right to be forgotten should be afforded to data subjects when such removal is pursuant to the principles of Directive 95/46/EC.  Similarly, Article 17 states that the right to be forgotten may be exercised in several situations, including when the personal data is no longer necessary, when the data subject withdraws consent or objects, or when processing does not comply with the principles of GDPR.

Further, GDPR’s right to be forgotten includes an obligation to the controller to inform third parties who have obtained the personal data as a result of the controller’s publication or processing, or third parties whose personal data the controller has obtained as a result of the controller’s processing mechanisms.  This language is similar to the effect of the decision in González, which held that search engines were obligated to de-link access to personal data it obtained through its processing mechanics (the storing and filing of websites containing personal data) from third parties.

An analysis of the landmark case of Google v. Mario Costeja González illustrates how the EU’s interpretation of a right to be forgotten is improper and requires large search engine operators, such as Google, to decide when to enforce EU citizens’ privacy rights.

 


*Tisunge (Sunga) Mkwezalamba. University of Illinois College of Law, J.D. candidate, Class of 2016. Data privacy focus. Many thanks to Maxwell and Hilda Mkwezalamba.

[1] Case C-131/12, Google Spain v. González, 2014 EUR-Lex CELEX-LEXIS 317 (May 13, 2014).

[2] 2000 O.J. (C 364) 1, available at http://www.europarl.europa.eu/charter/pdf/text_en.pdf.

[3] Council Directive 95/46, art. 25, 1995 (L 281) 31 (EC) [hereinafter “Directive 95/46/EC”], available at http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31995L0046&from=en.

[4] Directive 2002/58, 2002 O.J. (L 201) 37, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2002:201:0037:0047:en:PDF.

[5] Id.

[6] Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (2013), OECD, http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf. (Last visited Feb. 5, 2016). The seven principles are (1) Notice, (2) Purpose, (3) Consent, (4) Security, (5) Disclosure, (6) Access, and (7) Accountability. Data subjects should be given notice when their data is being collected; data should only be used for the purpose stated and not for any other purposes; data should not be disclosed without the data subject’s consent; collected data should be kept secure from any potential abuses; data subjects should be informed as to who is collecting their data; data subjects should be allowed to access their data and make corrections to any inaccurate data; data subjects should have a method available to them to hold data collectors accountable for not following the above principle. Id.

[7] Id. at art. 2(d).

[8] Id. at art. 2(a).

[9] Id.

[10] Directive 95/46/EC, supra note 3, at art. 2(c).

[11] Id. at art. 2(b).

[12] Id. at art. 2(b)(c).

[13] Directive 2002/58/EC, supra note 4.

[14] Id. See paragraph 53 discussing traffic data; paragraphs 65, 66, and 70 addressing spyware; paragraph 68 discussing spam; and paragraph 66 for cookies. See Article 2(a)(c) of Directive 95/46/EC for more information on location data.

[15] Hunton & Williams, Hunton Releases Guide to the Proposed EU General Data Protection Regulation, HUNTON PRIVACY BLOG, (May 5, 2015), https://www.huntonprivacyblog.com/2015/05/05/hunton-releases-guide-proposed-eu-general-data-protection-regulation.

[16] Proposal for a Regulation Of The European Parliament And Of The Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), COM (2012) 11 final (Jan. 25, 2012) [hereinafter GDPR], available at http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:52012PC0011 (last visited Feb. 6, 2016).

[17] Id.

[18] Ardi Kolah, British Government Delays Progress on GDPR as EU Pressure Mounts, BRANDREPUBLIC (Jan. 10, 2015), http://guruinabottle.brandrepublic.com/2015/01/10/british-government-delays-progress-on-gdpr-as-eu-pressure-mounts; Jeremy Whitaker, The Cost of the EU Data Law, DIGITAL MARKETING MAG. (Aug. 10, 2015), http://digitalmarketingmagazine.co.uk/digital-marketing-features/the-cost-of-the-eu-data-law/2334.

[19] GDPR, supra note 16, at art. 30.

[20] Data Security Analyst Salary, SALARY.COM, http://www1.salary.com/Data-Security-Analyst-Salary.html (last visited Feb. 5, 2016).

[21] GDPR, supra note 16, at art. 12.

[22] Official Languages of the EU, EUROPEAN COMM’N, http://ec.europa.eu/languages/policy/linguistic-diversity/official-languages-eu_en.htm (last visited Feb. 5, 2016).

[23] GDPR, supra note 16, at art. 17.