Academics, commentators, students and lawyers, including Google’s Senior Privacy Counsel, gathered at the University of Cambridge on 27 March 2015 at a conference entitled ‘EU Internet Regulation after Google Spain’.

The purpose of the conference was to assess the background, impact and future implications of what organiser Dr David Ergos described as ‘the most high profile data protection decision ever, which brings home to people in a new way many of the key issues we as a society need to discuss about personal information and its use’.

Ten months on from the 13 May 2014 ruling of the Grand Chamber of the European Court in Case C131-12 Google Spain SL, Google Inc v Agencia Espanola de Proteccion de Datos (AEPD), Mario Costeja Gonzalez, Google has received 234, 384 requests for removal of links and evaluated 850, 385 URLs. According to William Malcolm, Google’s Senior Privacy Counsel, Google has delisted in 41% of cases and declined to delist in 59% of cases, attempting to be ‘thoughtful and pragmatic’ adopt a nuanced criteria and apply a consistent pan-European approach.

Recent try-ons have included a footballer who wanted his career highlights removed, a TV personality requesting removal of articles about a recent sex scandal and a high profile scientist seeking removal of criticism of his scientific work. Unsurprisingly in the run up to a General Election, a member of the government has also been in touch seeking removal of online policy criticisms.  Complaints to Data Protection Authorities about Google’s decisions remain ‘relatively low’ although Google is in receipt of one request by a DPA to remove content.

But while Google gets on with the practicalities of responding to some 720 requests per day, the rest of us are left trying to figure out if the judgment really did come out of nowhere and what it all means.

We should have seen it coming

Some, including Dr Orla Lynskey of the London School of Economics, are unfazed, arguing that ‘We should have seen it coming’ because ‘the case law prior to Google Spain is entirely consistent with the court’s findings in the judgment’. Dr Lynskey sees the judgment as reflecting three main trends that have emerged from the preceding European case law:

1. an increasingly broad scope in the application of EU data protection laws, as demonstrated for example in (i) Case C-28/08 P brought by the Bavarian Lager Co Ltd, in which the Grand Chamber ruled that the company was not entitled to full meeting minutes including the names of the industry representatives present at a 1996 meeting; and (ii) the court’s very narrow interpretation of the ‘household exception’ within the meaning of Article 3(2) of Directive 95/46/EC in the case of Mr Rynes, who had installed a CCTV camera on the corner of his house, overlooking his front door and the public footpath opposite.
2. increased emphasis on the Charter of Fundamental Rights of the European Union, an in particular on Article 7, ‘Respect for private and family life’ and Article 8, ‘Protection of personal data’.
3. An emboldened Court of Justice – according to Dr Lynskey, prior to Google Spain the court had taken to acting boldly on a number of occasions, unhindered by practical implications or any concerns over political correctness. For example in Lindqvist the court essentially decided that a pensioner could be criminally prosecuted for uploading information about her colleagues’ hobbies during an IT course, and in Digital Rights Ireland struck down an entire piece of legislation on the basis it was not compatible with Charter rights.

A logical next step from the right to object

Professor Aremi Rallo Lombarte, a former director of the Spanish Data Protection Authority, revealed some of the more significant cases that had come before the Agencia Espanola de Proteccion de Datos prior to Mr Costeja’s case which with hindsight can be viewed as setting the scene for Super Mario to erase reference to his previous social security debts (a crusade which has obviously spectacularly back-fired, given that he is probably now the world’s most famous former debtor). Most of the preceding cases involved articles originally published in Spain’s Official Gazette, but led to orders against Google. In 2007 a man fined for urinating in public in the 1980s, by then a high school professor, objected to the ability of his tittering students to access this information in the Official Gazette on Google. The AEPD accepted the professor’s objection and ordered Google to erase the links and prevent future access.

The AEPD had also spared the blushes of a man pardoned for a crime against public health (drug trafficking) by ruling that the Pardon, the appearance of which on Google was causing more harm than good, should be delinked. In the same vein the AEPD ordered that a disciplinary sanction against a prison civil servant published in the Official Gazette should be delisted from Google lest he be vulnerable to attack. More recently a man suffering from paranoid schizophrenia managed to achieve the delisting from Google of a 1989 La Vanguardia article reporting allegations to the effect that he had killed his son, an offence of which he was subsequently acquitted, but the acquittal had never been reported. The AEPD was sympathetic to medical evidence that the continued availability of the article was exacerbating his serious mental illness. As years later in Google Spain, the original publishers, including the aptly named La Vanguardia, preserved their right to publish.

Fascinating, miserable and inexhaustable

For Julia Powles of the University of Cambridge, the point is not what the judgment decided but the fact that it is seriously unwise – and dangerous –  for society to be placing such huge reliance on ‘a privately owned black box defining public space’, especially given the inherent bias towards advertisers and lack of transparency over Google’s decision-making processes, all of which are having a crucial impact on truth, memory and history. Is it time for search engines to be made accountable like public utility companies?

An imperfect decision in an imperfect world

For Eduardo Ustaran, Partner at Hogan Lovells, whilst search engines are now the ‘Super Controllers’ of all of our personal data, and processing more personal data than any other type of entity, the search engine model is by its nature non-compliant  with data protection legislation. This was echoed by Hugh Tomlinson QC who suggested that it was difficult to see how Google could lawfully process sensitive personal data.

Implications for huge range of internet actors

According to Dr Erdos  the implications of the judgment are vast, not just for search engines but for a range of internet actors, in fact for all online operators including news archives, blogger, social networks, social networkers, ratings websites, and street mapping services. But despite the massive scale of those affected, the gross average budget for a European data protection authority is about 35 cents per capita within the relevant jurisdiction, leading to a ‘total mismatch between the level of task set for DP authorities and the reality of resources’. Consequently enforcement is extremely sporadic, with no sign that this will change.

“General direction of travel towards liability”

Unsurprisingly, David Smith, the UK Deputy Information Commissioner,  indicated that ‘life is getting more and more difficult for the ICO’ , with decisions on Google delinking proving ‘very difficult’, especially those relating to criminal and spent convictions. In view of the complexities involved, his admission that ‘We are making it up as we go along’ did not raise any eyebrows.

He sees the Google Spain judgment as symptomatic of a general direction of travel in the law in which search engines and social networks are failing to persuade the courts that they are neutral intermediaries and/or should evade liability for other reasons, as illustrated in the recent case of CG v  Facebook Ireland Ltd and Joseph McCloskey [2015] NIQB 11 where (albeit not on data protection principles but in misuse of private information and harassment) Facebook was (in addition to the profile page operator) held responsible for content posted by third parties and ordered to pay the claimant £15,000.

This trend towards accountability was conveniently illustrated on the day of the conference by the Court of Appeal’s judgment in Google Inc and Judith Vidal-Hall, Robert Hann, Marc Bradshaw [2015] EWCA Civ 311 (see Lorna Skinner’s recent post) which gave short shrift to Google’s attempts to evade liability, here on the grounds of jurisdiction.

The afternoon session on jurisdiction focused on the wide interpretation of the concept of ‘establishment’ in Article 4 (1) (a) of Directive 95/46/EC by the court in Google Spain, the effect of which is effectively that data controllers in non-EU countries cannot escape European data protection laws where the activities of the EU establishment are economically linked to the controller, even if not involved in processing

System failure?

Mr Tomlinson pointed out that, whilst it has brought comfort to some, the ‘Costeja procedure’, i.e. the reporting of individual URLs after they have appeared on Google, does little to address systematic problems, for example, such as where a determined poster repeatedly puts large amounts of the same personal data onto Facebook or Google Groups, a problem faced by recent claimant recently when an unidentified person repeatedly made thousands of online postings to the effect that he was a criminal, a Nazi and a paedophile.  At the outset Google was taking 58 days to respond, albeit a response rate which improved to 6 hours as the court hearing approached. As the case settled, the issue of whether Google can be compelled to introduce an automated procedure for detecting particular groupings of text or images and proactively block them, without notification of individual URLs, remains for now unanswered.

Mr Max Mosley has successfully obtained court orders from the French and German courts requiring Google to take proactive steps to remove online images of him which were initially extracted from a video taken by a person working undercover for the News of the World. Whilst the German case has gone to appeal, Mr Mosley has now brought proceedings against Google Inc following the Google Spain decision, seeking similar sorts of orders.

Publishers with nowhere to go

James Leaton Gray,  a former Data Protection Officer at the BBC, queried how Data Protection Authories  ‘which are there to enforce a fundamental right, can balance other rights which they have no responsibility for’ and also expressed concern about the lack of a procedure for publishers who find their material disappearing off Google to challenge the decision to ‘delist’. He is also concerned that Europe is having a conversation about search engines and data protection ‘only with itself’, leaving America and its First Amendment at a loss to understand where we are coming from, and of the risk that Google Spain could  lead to results akin to the removal by German Wikipedia in 2008 of the names of Wolfgang Werle and Manfred Lauber, 2 convicted murderers who had served their sentences following a German court order (later reversed by the German Constitutional Court).

The Gravely Delayed Potential Regulation

Long grass appears to be growing around the European Commission’s 25 January 2012 proposal for a new regulation to harmonise data protection in the European Union, i.e. the General Data Protection Regulation (‘GDPR’), for which no deadline was set but adoption was planned for 2015 with a further two years for implementation. Given that the current Directive took 5 years to produce when there were only 12 member states, the brave attempt at harmonisation of what are now the 28 member states, appears to be going nowhere fast. However faint signs of life did emerge on 12 and 13 March when the Council of Ministers reached a ‘partial general approach’ on the so-called ‘One Stop Shop’ which will enable data protection cases to be handled by a single regulator based in the EU country where the business has its ‘main establishment’, as opposed to the current situation whereby businesses operating across the trading block can be forced to answer to DPAs in each EU country, leading to multiple investigations and different conclusions and decisions on enforcement action. However, given that this was ‘on the understanding that nothing is agreed until everything is agreed’ it’s perhaps not worth the paper it is written on.

As legislators fail to keep pace with the huge behavioural and technological developments in contemporary society, law-making in this field has effectively been out-sourced to the courts, which in turn are showing no mercy to the bodies tasked with enforcement.