The right to be forgotten and the global reach of EU data protection law
It is a pleasure to be a guest blogger on Concurring Opinions during the month of June. I will be discussing issues and developments relating to European data protection and privacy law, from an international perspective.
Let me begin with a recent case of the Court of Justice of the European Union (CJEU) that has received a great deal of attention. In its judgment of May 13 in the case C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez, the Court recognized a “right to be forgotten” with regard to Internet search engine results based on the EU Data Protection Directive 95/46. This judgment by the highest court in the EU demonstrates that, while it is understandable that data protection law be construed broadly so that individuals are not deprived of protection, it is also necessary to specify some boundaries to define when it does not apply, if EU data protection law is not to become a kind of global law applicable to the entire Internet.
I have already summarized the case elsewhere, and here will only deal with its international jurisdictional aspects. It involved a claim brought by an individual in Spain against both the US parent company Google Inc, and its subsidiary Google Spain. The latter company, which has separate legal personality in Spain, acts as a commercial agent for the Google group in that country, in particular with regard to the sale of online advertising on the search engine web site www.google.com operated by Google Inc. via its servers in California.
The CJEU applied EU data protection law to the Google search engine under Article 4(1)(a) of the Directive, based on its finding that Google Spain was “inextricably linked” to the activities of Google Inc. by virtue of its sale of advertising space on the search engine site provided by Google Inc, even though Google Spain had no direct involvement in running the search engine. In short, the Court found that data processing by the search engine was “carried out in the context of the activities of an establishment of the controller” (i.e., Google Spain).
Since the Court applied EU law based on the activities of Google Spain, it did not discuss the circumstances under which EU data protection law can be applied to processing by data controllers established outside the EU under Article 4(1)(c) of the Directive (see paragraph 61 of the judgment), though the Court did emphasize the broad territorial applicability of EU data protection law (paragraph 54). Since the right to be forgotten has effect on search engines operated from computers located outside the EU, I consider this to be a case of extraterritorial jurisdiction (or extraterritorial application of EU law: I am aware of the distinction between applicable law and jurisdiction, but will use “jurisdiction” here as a shorthand to refer to both).
The Court did not limit its holding to claims brought by EU individuals, or to search engines operated under specific domains. An individual seeking to assert a right under the Directive need not be a citizen of an EU Member State, or have any particular connection with the EU, as long as the act of data processing on which his or her claim is based is subject to EU data protection law under Article 4. The Directive states that EU data protection law applies regardless of an individual’s nationality or residence (see Recital 2), and it is widely recognized that it may apply to entities outside the EU.
Thus, it seems that there would be no impediment under EU law, for example, to a Chinese citizen in China who uses a US-based Internet search engine with a subsidiary in the EU asserting the right to be forgotten against the EU subsidiary with regard to results generated by the search engine (note that Article 3(2) of the proposed EU General Data Protection Regulation would limit the possibility of asserting the right to be forgotten by individuals without any connection to the EU, since the application of EU data protection law would be limited to “data subjects residing in the Union”). Since only the US entity running the search engine would have the power to amend the search results, in effect the Chinese individual would be using EU data protection law as a vehicle to bring a claim against the US entity. The judgment therefore potentially applies EU data protection law to the entire Internet, a situation that was not foreseen when the Directive was enacted (as noted by the Court in paragraphs 69-70 of its 2003 Lindqvist judgment). It could lead to forum shopping and “right to be forgotten tourism” by individuals from around the world (much as UK libel laws have lead to criticisms of “libel tourism“).
It is likely that the judgment will be interpreted more restrictively than this. For example, the UK Information Commissioner’s office has announced that it will focus on “concerns linked to clear evidence of damage and distress to individuals” in enforcing the right to be forgotten. However, if one takes the position that Article 16 the Treaty on the Foundation of the European Union (TFEU) has direct effect, then the ability of individual DPAs to limit the judgment to situations where some “damage or distress” has occurred seems legally doubtful (see paragraph 96, where the Court remarked that the right to be forgotten applies regardless of whether inclusion of an individual’s name in search results “causes prejudice”). Google has also recently announced a procedure for individuals to remove their names from search results under certain circumstances, and the way that online services deal with implementation of the judgment will be crucial in determining its territorial scope in practice.
In any event, the Court’s lack of concern with the territorial application of the judgment demonstrates an inward-looking attitude that fails to take into account the global nature of the Internet. It also increases the need for enactment of the proposed Regulation, in order to provide some territorial limits to the right to be forgotten.