Skip to content

Right to be forgotten and global delisting

December 17, 2017

Miquel Peguera [Cross posted to Stanford CIS]

In a recent ruling, the Spanish Audiencia Nacional – the high court that referred the Google Spain case to the Court of Justice of the European Union (CJEU) – has somehow expressed opposition against imposing global delisting obligations on search engines.

The debate about global delisting is a well-known one. May search engines be required to delist results globally based on EU data protection laws? This would mean removing the data not only from the European versions of the search engine’s website but also from any other version, including those under the .com domain and any non-European country-code domain. The CJEU didn’t expressly address this question in its 2014 Google Spain judgment, which recognized the so-called right to be forgotten. The French Data Protection Authority, the CNIL, strongly supports the view that removals must be global. Last July, the French highest administrative court, the Conseil d’Étatasked the CJEU for clarification on this point, and an answer is expected in the coming months.

In Spain, the Data Protection Authority seems to follow a more cautious approach. It appears to accept that it would be enough for the search engine to block access to the contested results by means of IP geo-blocking in searches carried out, in any domain, from computers located in Spain.

The Spanish Audiencia Nacional (AN) has now ruled in a case where a Paraguayan citizen requests the delisting of some links to information published in Paraguay. In December 2015, the Spanish DPA dismissed the claim on the grounds that the claimant is not an EU citizen, nor a resident of any EU Member State, and that he lacks any relevant link to the EU. The claimant appealed the decision before the AN, explicitly requiring the world-wide delisting of the search results. In its ruling – delivered on October 31st and not yet publicly reported –, the AN dismisses the appeal and upholds the DPA decision.

The claimant contended that, since data protection is recognized in the EU Charter of Fundamental Rights, the Data Protection Directive, and thus the right to be forgotten, must apply to any citizen, even to those lacking any relationship with the EU. To that effect, the claimant pointed to the Guidelines on the implementation of the Google Spain ruling, issued by the Art. 29 Working Party (WP29).

On the one hand, the Guidelines favor global delisting (though it is not clear if geo-blocking might suffice):

“20. Although concrete solutions may vary depending on the internal organization and structure of search engines, de-listing decisions must be implemented in a way that guarantees the effective and complete protection of these rights and that EU law cannot be easily circumvented. In that sense, limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the judgment. In practice, this means that in any case de-listing should also be effective on all relevant domains, including .com.”

On the other hand, the Guidelines limit “in practice” the right to be forgotten to data subjects with clear links with the EU:

“19. Article 8 of the EU Charter of Fundamental Rights, to which the ruling explicitly refers in a number of paragraphs, recognizes the right to data protection to “everyone”. In practice, DPAs will focus on claims where there is a clear link between the data subject and the EU, for instance where the data subject is a citizen or resident of an EU Member State.”

The Audiencia Nacional is not particularly clear in its ruling. It mixes the discussion about global delisting with that about claimant’s standing. While the reason for dismissing the appeal was the lack of standing for not having links with the EU, the AN does include some dicta that might reveal its opposition to global delisting obligations. But again, I find even those dicta hardly conclusive.

The AN states that it cannot accept either the claimant’s view that the protection covers any citizen in any country or his interpretation of the Guidelines in the sense that the protection must be carried out globally. This is the closest reference to rejecting the global delisting approach. To support that stance, the court says that while the Guidelines accepted delisting in the .com, that was in a case where the claimant was a European citizen, and that the Guidelines did not mean that the blocking should affect users of the search engine outside the territorial scope of competence. By “users” the court seems to mean data subjects, that is, affected individuals requesting the removal. So much for the opposition to global delisting. The argument of the court is again that the territorial scope of the Directive excludes the admissibility of claims where the claimant lacks relevant links with the EU. (It certainly does not discuss whether a claim from a non-EU citizen could be acceptable if the initial processing — that carried out by the newspapers — had taken place in the EU, as this was not the case before it).

The AN moves on to say that this is the interpretation followed by all European DPAs, and points to a decision by the Spanish DPA, which purportedly acknowledges that the Guidelines only encompass searches carried out in Spain (or in an EU Member State, for that matter). Here the AN probably tries to convey that, in that decision, the Spanish DPA was only concerned about ensuring that the contested results can’t be easily accessed in searches carried out in Spain. The implication would be that the protection should not extend to searches carried out in other countries, such as in Paraguay, which was clearly the aim of the claimant.

The AN then states that holding otherwise (which now seems to mean granting protection for searches carried out outside the EU) would entail a clear interference in the sovereignty of other States, which would run afoul of International Law — an argument that can be interpreted as dicta against global delisting, as it appears to mean that the DPA can’t order the removal on a non-European version of the search engine.

Summing up, the ruling is far from being clear regarding of global delisting, even though it may reflect the court’s reluctance to impose global obligations. We should wait for a case where the claimant is a citizen of the EU and see whether, in that scenario, the AN clearly rejects the imposition of global removal. In any event, the discussion may be moot in a few months, when the CJEU hands down its judgment on the CNIL v Google case.

The Recommendation on Measures to Safeguard Fundamental Rights and the Open Internet in the Framework of the EU Copyright Reform

October 18, 2017

pexels-photo-97077 (1)I’m glad to share this Recommendation, which we have just published today.  It already has more than fifty signatories!

I hope it may help to reorient the policy choices within the EU Copyright Reform, particularly regarding the monitoring obligations that the current draft imposes on hosting service providers. A big thanks to Martin Senftleben for inviting me to participate in the drafting group.

Here’s the short abstract:

Article 13 of the Proposed EU Directive on Copyright in the Digital Single Market and the accompanying Recital 38 are amongst the most controversial parts of the European Commission’s copyright reform package. Several Members States (Belgium, the Czech Republic, Finland, Hungary, Ireland, the Netherlands and Germany) have submitted questions seeking clarification on aspects that are essential to the guarantee of fundamental rights in the EU and to the future of the Internet as an open communication medium. The following analysis discusses these questions in the light of the jurisprudence of the Court of Justice of the European Union. It offers guidelines and background information for the improvement of the proposed new legislation.

The Recommendation is available at

The Application of the Right to Be Forgotten in Spain

July 3, 2017
By Miquel Peguera


Spain is an interesting country when it comes to the so-called ‘right to be forgotten’ (RTBF). After all, the famous CJEU judgment recognizing this right in relation to search engines stemmed from a request for a preliminary ruling made by a Spanish court (the Audiencia Nacional, AN) following a procedure initiated before the Spanish Data Protection Authority (DPA) by a Barcelona citizen, Mario Costeja González. Likewise, the reasoning which was eventually endorsed by the CJEU – though with a slightly different reach – was a construction put forward by the Spanish DPA.

Now that three years have passed since the ruling was handed down, Google reports it has received requests to delist more than 170,000 URLs by individuals related to Spain, which makes it the fourth EU country by number of requests. Around 38% of the URLs – out of all of those which have been already fully processed – have been delisted by Google.

Interestingly, a fair amount of decisions has been issued in Spain, both by the DPA and by courts. The DPA has handed down more than five hundred decisions. Typically, they arise from petitions by individuals whose removal requests were denied by Google or other search engines. Some of those decisions were subsequently appealed before the AN, which has delivered close to eighty rulings. In addition, a few cases brought directly before civil courts have also dealt with the right to be forgotten.

Some of the most interesting elements of the way the right is being implemented in Spain may be summarized as follows:

The standing of the Spanish subsidiary. Most of the cases that were pending before the AN when it made the referral to the CJEU were directed against the Spanish subsidiary of Google Inc (Google Spain, SL). In a dramatic move, some sixty AN judgments were reversed and voided by the Administrative Chamber of the Supreme Court on the grounds that Google Spain SL lacks standing to be sued, as the actual controller is only the American company. Unfortunately, the Supreme Court did not deal with the underlying merits of the cases, and thus the value of the material criteria put forward by the AN in all those rulings remains uncertain. More strikingly, a different Chamber of the Supreme Court – the Civil one –disagrees with the Administrative Chamber, and holds that the Spanish subsidiary does have standing.

Geo-blocking. The Spanish DPA considers that the delisting from the European domains of Google is not enough to fully comply with the CJEU judgment, as any user located in Spain could easily resort to the version to find the delisted link. However, the DPA appears to accept that geo-blocking would be enough, that is, blocking the access to the link in any domain, when the search is carried out by someone from a computer located in Spain.

Communication with the publisher. Once the search engine has decided to delist a link to a piece of content, may Google inform the publisher about the delisting –  a usual practice when the webmaster has registered with the tool called “search console”? The Spanish DPA found that it can’t, and fined Google for such a communication, holding that it violates the duty of secrecy set forth in the Data Protection Act. The decision is under appeal.

Individuals with no relationship to the EU. Data subjects requesting URLs removals must bear some link to EU countries. In several decisions, the DPA has rejected requests from data subjects residing in Latin American countries, noting that the individuals had no meaningful link with the EU territory.

Are hosts also controllers? The Costeja case related to search engines, and concluded that they are controllers of the personal data that shown in the results and in the content to which they link. May the same conclusion be held for providers of hosting services, though they are arguably in a very different situation? The DPA – following the AN’s criteria – considers that a hosting platform such as Blogger is not a data controller. However, it deems YouTube a data controller, though holding that it may rely on the hosting safe harbour provided by the eCommerce Directive. In this vein, the DPA holds that while YouTube is not liable for the challenged content, it must remove it once it is notified of its illegal nature by a competent authority such as the DPA itself.

Damages for failing to delist. In a civil lawsuit, finally decided by the Supreme Court, Google was ordered to pay damages to the claimant for failing to remove a link to a notice of pardon published on the Official Gazette, which revealed an old crime committed by the data subject.

Further removal denied for Mr. Costeja. The now famous lawyer requested the delisting of a blog post criticizing him. The DPA rejected, noting that the facts of the Costeja case have now become a matter of public interest – and moreover he had conceded multiple interviews in the media, thus allowing public discussion on the case.

Burden of proof about data accuracy. When the accuracy of the data is challenged, decisions by the DPA are not fully consistent as to whether it is the data subject who must prove the inaccuracy, or it is the search engine that must prove the accuracy to be able to reject the delisting request.

Exclusion protocols. The Supreme Court has held that while an individual has no right to supress content from a newspaper’s historic archive, the publisher must implement exclusion protocols such as robots.txt or metatags so that the content is not indexed by search engines. Failing to do so amounts to an illegal processing by the publisher.

Websites’ internal search tools. While a data subject may obtain the delisting from search engines, requests that the links are also delisted from the internal search tools of a website – such as that of a newspaper – are rejected, on the grounds that this would affect freedom of expression.

To conclude, while RTBF requests are decided on a case by case basis, in most cases both the DPA and the courts offer little justification on why a particular case deserves the requested delisting or not – beyond the most obvious situation of public figures involved –, and thus legal certainty is still far from being achieved.

Originally published on blogdroiteuropéen

UPDATE [18 October 2017]:

Some grounds for denying RTBF requests. The DPA issued a decision granting the delisting in relation to negative comments about the professional conduct of a medical doctor. Nonetheless, the Audiencia Nacional reversed that decision in May 2017 noting that in that case the interests of the public must prevail, as current and prospective patients of that doctor have the right to know about the experiences and opinions expressed by former patients. Similarly, the Audiencia Nacional, in June 2017, reversed a DPA decision regarding electoral information. The AN held that the list of the candidates of a 2011 municipal election is still of public interest, which must prevail over the interest of the data subject who requests the delisting.


Linking and secondary liability for copyright infringement. A look into the Spanish approach.

May 18, 2016

In the pending and closely watched GS Media case, the CJEU is asked to further clarify whether linking to copyrighted content may in some instances constitute a primary copyright infringement.

It is not the first time the CJEU addresses the nature of links under copyright law. It already tackled the question in Svensson, where it held that “the provision on a website of clickable links to works freely available on another website does not constitute an ‘act of communication to the public’,” under the meaning of Article 3(1) of the InfoSoc Directive. The CJEU reached that conclusion by reasoning that while a link constitutes an ‘act of communication,’ links to works freely available on another website do not communicate those works to a new public, i.e. a public that was not taken into account by the copyright holders when they authorised the initial communication. That conclusion was held again by the CJEU in the Bestwater case, explicitly mentioning the “new public” criterion in the operative part of the order.

In both cases, the Court tried to find a balanced outcome by allowing the provision of links to copyrighted works as long as the links do not circumvent any access restriction established on the website to which they point. However, those cases didn’t directly address the key question of whether a link, even if it does not circumvent any access restriction, may amount to a communication to the public when the content linked to was posted without authorization. In other words, whether linking to freely available pirate content constitutes a primary infringement of the communication to the public right. And this is in essence what the Court must clarify now in GS Media.

In his Opinion on the case, Advocate General Wathelet suggests the CJEU to answer the question in the negative. According to the AG, a hyperlink to a work which is freely available on another website does not amount to an ‘act of communication’ under the Directive in the first place, “since the intervention of the operator of the website which posts the hyperlink, in this case GS Media, is not indispensable to the making available of the photographs in question to users.” That is, there would not be an act of communication to the public regardless of whether or not the works linked to were posted with the rights holders authorization.

The AG holds as well that in any event, the ‘new public’ criterion would not be applicable to that case, since it only applies where the rights holder authorised the initial communication. And furthermore, even if the Court would find that criterion applicable, the ‘new public’ requirement is not satisfied because the intervention of the link setter was not indispensable for the making the works available.

As to the question, also raised by the national court, of whether there is a communication to the public where a hyperlink greatly facilitates the finding of the work, the AG proposes to answer in the negative, noting that “it is not sufficient that the hyperlink facilitates or simplifies users’ access to the work in question.”

It remains to be seen if and to what extent the Court will follow AG’s advice. Some have expressed fears that if the CJEU ends up declaring that links to freely available pirated content are non-infringing, websites of the likes of The Pirate Bay which deliberately provide links to clearly infringing files would be condoned and left out of reach of copyright enforcement.

Arguably, though, the question is not whether rights holders must have some remedies against those blatantly pirate sites, but whether those remedies should be based on the idea that they are infringing the communication to the public right, that is, that they are engaging in primary infringement. Expanding the notion of communication to the public to make sure those sites fit in it would have dramatic consequences for the use of hyperlinks on the internet  – as the AG noted, “as a general rule, internet users are not aware and do not have the means to check whether the initial communication to the public of a protected work freely accessible on the internet was effected with or without the copyright holder’s consent.”

A more careful approach would be to deal with those sites and other bad actors under theories of secondary or accessory liability, which allow for better consideration of the elements that characterize their activity, such as facilitation, knowledge, intent, volume of works affected, contempt for copyrights and ultimately fault.

Secondary or accessory liability in the field copyright is not harmonized as of yet in the EU – though some proposals for harmonization have been put forward. It thus turns on national law. In this regard, it might be interesting to briefly look at the case of Spain, where some legislative measures have been taken to tackle the activity of websites aiming to foster infringement, while at the same time carefully leaving out neutral linking activities.

The Spanish approach

Before Svensson, courts in Spain were wrestling on whether websites providing catalogues of links to pirate content were themselves infringing the public communication right. Many courts – particularly in criminal cases but also in civil ones – found that they don’t . Those courts held that while the linking websites greatly facilitate access to the infringing content, such facilitation does not amount to an act of communication.

Having that case law in mind, a number of legislative measures were passed, which aimed to strengthen copyright enforcement against such websites. Those reforms neither amended the definition of the public communication right, nor sought to ensure that links constitute acts of “communication to the public,” – which after all is a harmonized concept in EU law.  Rather, they sought to allow the enforcement of copyright against those websites and similar bad faith business models even if it turns out that their activity can’t be considered a communication to the public – which would be the case if the CJEU follows the AG’s approach.

In particular, in 2014, a system of indirect liability was introduced for the first time in the Copyright Act (LPI). A new paragraph in art. 138 LPI holds liable those who knowingly induce an infringement; those who, knowing or having reason to know about the infringing conduct, cooperate with it; and those who, having a direct economic interest in the results of the infringement, have the capacity to control the infringer’s conduct. The provision expressly states that this will not affect the e-Commerce intermediary safe harbours, as long as their conditions are met.

The same 2014 reform modified the legal regime of the Second Section of the Intellectual Property Commission (aka Sinde-Wert Commission), an administrative enforcement body created in 2011, which limits its scope of action to information society service providers. The 2014 reform decided that Commission’s activity should focus on the big copyright infringers. Hence, in order to decide whether or not to initiate a case, the Commission will consider the audience share of the service in Spain, the number of apparently unauthorized works and performances which can be accessed from the service, and its business model. In addition, the relevant provision states that the Commission will act against providers that infringe copyright in the said way (thus considering their audience share, number of works, or business model) “by facilitating the description or the location of works and performances apparently offered without authorization, carrying out to that end an active and non neutral task, without limiting themselves to activities of mere technical intermediation. In particular, those who offer arranged and classified lists of links to those works and performances, regardless of whether the said links might have been initially provided by the recipients of the service.”[1]

In 2015, two relevant changes were made to the Criminal Code. Before the reform, the conduct for the basic copyright criminal offence (art. 270.1) consisted of reproducing, plagiarizing, distributing, or communicating to the public, wholly or in part, a protected subject matter without authorization (when carried out for profit and to the prejudice of a third party). The reform added the language “or in any other way economically exploiting” the protected work or performance. In addition, the “for profit” element is now the intent to obtain an economic benefit “directly or indirectly”.

On the other hand, in addition to this basic conduct, the reform of the Criminal Code added a specific offence (art. 270.2) which refers to “the one who, when providing information society services, with the aim of obtaining a direct or indirect economic benefit, and to the prejudice of a third party, facilitates in an active and non neutral way, without limiting himself to a merely technical processing, the access to, or the location on the internet of, works or performances subject to copyright without the authorization of the holders of the corresponding rights or their assignees, in particular by offering arranged and classified lists of links to the works and contents referred above, even if the said links had been initially provided by the recipients of their services.”

This is an autonomous offence, which does not require the conduct to fall under the notion of communication to the public. The preamble to the Law that introduces this new felony notes that it leaves out the case of “those who carry out activities of mere technical intermediation, such as, for instance, a neutral activity of a search engine, or those merely providing occasionally links to those contents.”

We will see how these reforms will play out in practice.  In any event, this legislative approach aims at ensuring that even if the CJEU finds that linking to freely available infringing content does not amount to a communication to the public, the activity of those bad-actor websites will give raise to administrative injunctions, secondary civil liability, and even criminal liability as the case may be.


[1] The legislator envisioned that this activity would constitute in any event a violation of the “general exploitation right” which Spanish law confers to rights holders. Nonetheless, it could always be considered a form of secondary liability under the new wording of Art. 138.

Clash between different chambers of the Spanish Supreme Court on the right to be forgotten.

April 11, 2016

The right to be forgotten – which can be best described as a right to be delisted – was recognized by the CJEU on the assumption that the search engine operator, Google Inc., is a data controller of the personal data included in the search results.

However, is also the local subsidiary of Google Inc., Google Spain SL, a data controller? The answer to this question is by no means irrelevant. After the 2014 CJEU judgment, the Audiencia Nacional (AN)—the court that made the reference for a preliminary judgment—handed down 60+ rulings upholding DPA delisting orders that had been appealed before it. All of them, with the only exception of the Costeja case itself, were directed exclusively against Google Spain SL, not against Google Inc. Now, if Google Spain SL is not a data controller, all those rulings, along with the original DPA decisions they affirm, could be declared void by the Supreme Court for lack of standing of the defendant.

And that’s exactly what happened last month. The 60+ AN rulings had been appealed by Google Spain SL before the Supreme Court claiming lack of standing. And the Supreme Court agreed, handing down five rulings holding that Google Spain SL is not a controller and declaring the DPA decisions null and void. Similar rulings in the remaining cases are expected to follow soon.

(It must be noted that this refers to old decisions of the DPA. Since August 2014, the DPA no longer directs its decisions against Google Spain, but against the Google Inc., and thus no problem of lack of standing should appear).

That came as a big surprise for many. But the news didn’t end there. There was another RTBF ruling appealed by Google Spain SL before the Supreme Court. Unlike all the others, this one was not an appeal against a decision issued by the DPA and further upheld by the AN. Rather it was an appeal against a ruling issued by the Barcelona Court of Appeals in a civil lawsuit sentencing Google Spain SL to pay 8,000 Euros in moral damages for failing to delist a link.

There is a crucial difference. The DPA is an administrative body, and thus the appeals against its decisions are ultimately decided by the Administrative Chamber of the Supreme Court (Third Chamber), whereas appeals in civil lawsuits correspond the Civil Chamber of the Supreme Court (First Chamber).

Only a few days after the Administrative Chamber of the Supreme Court issued the said five rulings, the Civil Chamber ruled on the civil appeal. In essence, the ruling held that Google Spain is in fact a controller, no matter what the other Chamber may say. The case was decided by the Civil Chamber in full, which attaches more relevance to the judgment.

So now we have the following puzzle regarding the local subsidiary: the DPA can’t order Google Spain SL to delist a link – such a decision would be immediately voided on appeal. However, if a data subject requests Google Spain SL to delist a link and this company rejects the request, that individual might bring a civil action for damages against Google Spain SL and this company could not claim lack of standing.

How could the two Chambers of the Supreme Court come to such a diverging conclusion?

Under the Data Protection Directive, a controller is “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.” The Administrative Chamber of the Supreme Court noted that being a controller thus hinges on the actual intervention in the determination of purposes and means of the processing. The processing at issue, as described by the CJEU [¶ 28], consisted of a number of activities carried out by the operator of a search engine “in exploring the internet automatically, constantly and systematically in search of the information which is published there”, namely “the operator of a search engine ‘collects’ such data which it subsequently ‘retrieves’, ‘records’ and ‘organises’ within the framework of its indexing programmes, ‘stores’ on its servers and, as the case may be, ‘discloses’ and ‘makes available’ to its users in the form of lists of search results.” The operator of the search engine, who carries out those activities, is Google Inc., and the AN remarked that “it has not been established that Google Spain carries out in Spain an activity directly linked to the indexing or storage of information or data contained on third parties’ websites.” [¶ 46]

The Administrative Chamber of the SC held that for Google Spain SL to be considered a joint controller, it must participate in the determination of the means and purposes of the processing, and this was not demonstrated in any way in the procedure. In addition, it stressed that the CJEU clearly assumed that the processing was carried out only by Google Inc. The CJEU conclusion the activities of both entities were ‘inextricably linked’ was only to the effect of finding that Google Inc.’s processing was carried out ‘in the context of the activities’ of Google Spain SL., which entails that the Data Protection Directive is applicable to Google Inc. All the discussion about the territorial application would have been unnecessary if Google Spain would have been considered a controller of processing carried out by the search engine.

On the other hand, the Civil Chamber did not directly discuss the arguments of the Administrative Chamber—it simple noted that their decisions are not binding for the Civil Chamber. The Civil Chamber holds that the CJEU supports the finding that Google Spain is also a controller. It admits that the CJEU did not seek to determine whether this company was a controller. However, the Civil Chamber believes that the CJEU ruling provides elements enough to come to this conclusion, as that ruling (i) refers to the broad definition of the concept of controller in the Directive; (ii) finds that the operation of the search engine by Google Inc. is inextricably linked with Google Spain’s marketing activities; and (iii) holds Google Inc.’s processing is carried out ‘in the context of the activities’ of Google Spain SL. According to the SC Civil Chamber:

“Google Spain may also be considered, in a broad sense, controller of the processing carried out by the search engine Google Search in its Spanish version (, jointly with its parent company Google Inc.”.

It added that holding otherwise would frustrate in practice the aim of “ensuring effective and complete protection” of the rights to privacy and data protection sought by the Directive and the EU Charter of Fundamental Rights, as data subjects would need to litigate with a company located in the US, which might entail huge costs. The Civil Chamber argues that it would be inconsistent to give the Directive a very broad territorial scope and then frustrate in practice this protection by obliging the data subject to litigate against a company located in the US, with the costs and delays attached to this.

Of course, though, this does not seem comport with the practice experience in Europe, where Google Inc is delisting results by the thousands. Further, one may wonder what the situation would be should Google Inc. decide to dispense with its local subsidiary and simply work with a local establishment without legal personality.

Whatever you may think about considering the local subsidiary a controller, this radical disparity of conclusions within the Supreme Court looks far from desirable.

Trademarks as Keywords: Spanish Supreme Court finds no infringement

March 6, 2016

[Cross posted on the Stanford CIS Blog]

The Spanish Supreme Court (TS) has recently ruled on the legality of using someone else’s trademark as a keyword to trigger sponsored ads in Google Adwords. The case is Maherlo v Charlet (pdf, in Spanish).

The claimant, Maherlo Ibérica S.L., commercializes elevator shoes for men—shoes with raised insoles that make people look taller. It owns two Community Trade Marks which bear the words “Masaltos” and “” The defendant, Charlet S.A.M., is also in the business of selling elevator shoes, under a different trademark—Bertulli. The defendant selected the trademarked words “Masaltos” and “” to trigger ads in Google Adwords. The text of the ads, however, did not include those words. The commercial link in the ads pointed to the defendant’s website, where the plaintiff’s trademarks where not used, either.

Both the first instance court and the court of appeals (pdf, in Spanish) found that such a use was not a trademark infringement. In its ruling, the Supreme Court affirms.

Just like the court of appeals, the Supreme Court follows the case law from the EU Court of Justice (CJEU), particularly the well known cases Google France (2010) and Interflora (2011). In Interflora the CJEU held that

the proprietor of a trade mark is entitled to prevent a competitor from advertising – on the basis of a keyword which is identical with the trade mark and which has been selected in an internet referencing service by the competitor without the proprietor’s consent – goods or services identical with those for which that mark is registered, where that use is liable to have an adverse effect on one of the functions of the trade mark. Such use:

–      adversely affects the trade mark’s function of indicating origin where the advertising displayed on the basis of that keyword does not enable reasonably well-informed and reasonably observant internet users, or enables them only with difficulty, to ascertain whether the goods or services concerned by the advertisement originate from the proprietor of the trade mark or an undertaking economically linked to that proprietor or, on the contrary, originate from a third party;

–      does not adversely affect, in the context of an internet referencing service having the characteristics of the service at issue in the main proceedings, the trade mark’s advertising function; and

–      adversely affects the trade mark’s investment function if it substantially interferes with the proprietor’s use of its trade mark to acquire or preserve a reputation capable of attracting consumers and retaining their loyalty.

The assessment of the facts corresponds to national courts. Therefore, the CJEU case law does not prevent the finding by a national court that, in a particular case, the challenged use of the trademark adversely affects a trademark function. In fact, the Inteflora case was finally decided in favor of the plaintiff by the national UK judge, finding that there was a likelihood of confusion.

In Maherlo v Charlet, the Spanish Supreme Court upholds the lower court’s ruling that the use at issue use was not liable to have an adverse effect on any of the functions of the trademark. In particular, the TS upholds the conclusion that there was no risk of confusion or association (and thus no adverse effect to the origin function) because the text of the ad did not include the claimant’s trademarks. The plaintiff had argued that 63 internet users, out of 5,051 who googled the trademarked words, eventually purchased goods from the defendant. According to the claimant, this would indicate that they were misled into thinking that they were buying the goods from the plaintiff. The court of appeals rejected that contention, and noted that the absence of the trademark in the text of the ads clearly showed to the users that the advertiser was in fact a competitor, and thus the origin function was not jeopardized.

While there have been a number of rulings dealing with the use of trademarks as keywords by first instance courts and courts of appeals in Spain, this is the first time the Supreme Court tackles the issue. It must be noted that the same plaintiff has also sued other merchants on these issues, and lower courts have sometimes granted its claims, though on somewhat different factual situations.


No more right-to-be-forgotten for Mr. Costeja, says Spanish Data Protection Authority

October 11, 2015

[Cross posted to the Center for Internet and Society at Stanford Law School]

The man who won the right-to-be-forgotten case in the Court of Justice of the European Union (CJEU) has now been denied the right to suppress links to comments about that case by the Spanish Data Protection Authority (DPA). Given the relevance of the CJEU’s ruling, comments discussing the case and the facts behind it must be considered of public interest, according to the DPA’s decision.

Since the CJEU handed down its landmark ruling in May 2014 – and even before that – the circumstances of the case were widely publicized in the media. The irony was immediately apparent. While the claimant sought to have some old unpleasant information forgotten – and he actually succeeded to have the links to it delisted – all the details ended up being brought to the public eye. He even gave numerous interviews, sometimes being depicted in the media as the man who won the battle against Google.

Of course, some negative comments were also published. Eventually, Mr. Costeja requested Google to delist one of those, which Google rejected. He then addressed himself to the Spanish DPA, which in its recent decision dismisses the claim.

In the case before the CJEU, Mr. Costeja had complained that Google showed links to obsolete information available in a newspaper’s digital archive – a 1998 notice of real estate auction following attachment procedures for the recovery of Social Security debts. The CJEU found that individuals may request the delisting of links showing up in searches for their name pointing to information which is “inadequate, irrelevant, no longer relevant or excessive”. Nonetheless, the CJEU noted that such a right does not apply where there is a preponderant right of the public in accessing the information – for instance when the claimant has a role in public life.

Now the DPA finds that there is indeed a preponderant interest of the public in the comments about the famous case that gave rise to the CJEU judgment of May 13, 2014 – and expressly reminds that the claimant itself went public about the details.

While the decision does not mention the particular piece of information the claimant was complaining of, it may in all probability be a blog post titled “The unforgettable story of the seizure to the defaulter Mario Costeja González that happened in 1998”, available both in English and Spanish, which is currently the first result in in a search for the claimant’s name. In his claim before the DPA, Mr. Costeja complained that the content was also defamatory. However, the DPA answers that claims for defamation must be brought before the civil courts, not before the DPA.

All in all – as it was easy to anticipate from the beginning – this seminal right-to-be-forgotten case appears to have ended up in a big Streisand effect.

Spain: The Right to Be Forgotten Does Not Apply to Blogger

March 5, 2015

Note: Cross posted to the Center for Internet and Society at Stanford Law School

In a recently reported ruling, the Spanish National High Court held that Google is not responsible for the processing of personal data on blog hosted on Google’s owned Blogger, and therefore, that the so called “right to be forgotten” established by the Court of Justice of the European Union (CJEU) in the Google Spain case does not extend to a blogging platform.

The ruling reverses a decision issued by the Spanish Data Protection Authority (DPA) which had ordered Google to remove personally identifiable information from a blog hosted on Blogger. The claimant was a Spanish citizen who found that when typing his name on Google Search, the results included a link to a blog with information about a crime he had committed many years ago. While the official criminal records had already been cancelled, the information was thus still findable on the internet.

On the one hand, the DPA ordered Google to remove the information from its search engine. This was upheld by the National High Court, albeit ordering more precisely that Google remove the link from the search results – thus applying the criteria set out by the CJEU in Google Spain.

On the other hand, the DPA considered Google, as the owner of the blogging platform, to be the “controller” of the processing. Interestingly, the DPA found that while Google was not liable for the content of the blog, as it was shielded by the hosting safe harbor, the DPA has the power to order Google to remove the information from the blog.

The National High Court reversed that and held that the responsible for the processing is not Google but the blog owner. It further held that the DPA cannot order Google to remove the content within a procedure for the protection of the data subject’s right to erasure and to object.

Arguably, under the rationale that the platform is not the controller of the processing, other user generated content sites such as YouTube or social networking sites might also fall outside the scope of the right to be forgotten.

Spanish Court rules that links to infringing content are copyright infringements

December 19, 2014

In a recent ruling (PDF), a Spanish appellate court (Audiencia Nacional) has upheld the decision of the Spanish agency for the administrative enforcement of copyright — the Intellectual Property Commission (IPC).

The IPC had ordered that a torrent linking website (elitetorrent) remove some of its torrent links to protected works.

This is the first case where the Audiencia Nacional deals with an appeal against an order issued by the ICP and tackles the substance of the legal question at issue, i.e., whether the challenged links constituted a copyright infringement.

It concludes that the links were indeed a copyright infringement, and thus rejects the appeal brought by the webmaster.

The ruling holds that a link to non-authorized content amounts to an act of making available, and thus require the authorization of the rights holder. The court reaches this conclusion on the basis of the CJEU judgment in Svensson. There, the CJEU held that a link constitutes an act of communication to “a public”, albeit it does not need to be authorized where it points to a work which the right holders had made freely available on the Internet, as in that case the link does not target a “new public”, different than that already taken into account by the rights holders when they authorized the initial communication.

The Spanish Audiencia Nacional states that the Svensson criteria fully apply to the case at issue and concludes that the linking website carried out an act of communication to the public which did required the right holders’ authorization, as they “had not authorized the exploitation free of restrictions of their work on the Internet”.

Text of the ruling (in Spainsh) available here (PDF).

Right to Be Forgotten: Google Sentenced to Pay Damages in Spain

December 17, 2014

(Cross posted to the Stanford’s Center for Internet & Society Blog)

The CJEU judgment on the right to be forgotten, Google Spain v. Mario Costeja, hit the search engine on an unexpected front – damages. On the basis of the CJEU’s judgment, the Barcelona Court of Appeals ordered Google to pay damages to an individual who, like Costeja, sought the removal of links to some old, damaging information from the search results.

In 1981, the plaintiff of this case was criminally charged for violating “public health” regulations. He was finally convicted by the Spanish Supreme Court in 1990. Nine years later, he was granted pardon. The Royal Decree granting this pardon was subsequently published in the Boletín Oficial del Estado (Official Gazette), as is required by the law. When typing plaintiff’s name in Google, links to the Official Gazette would appear, thus revealing that this person had committed a crime about thirty years ago.

In 2009, he filed a complaint against Google Spain SL before the Spanish Data Protection Authority (DPA). The DPA ordered Google Spain SL to adopt the measures necessary to withdraw the data from its index and to prevent access to the data in the future. Like in many other similar cases – including the Costeja’s case – Google appealed this decision to the Audiencia Nacional, where it is still pending.

On March 22, 2011, long before the CJEU rendered the Google Spain ruling, the plaintiff brought also a civil lawsuit asking for damages. This is the case now decided by the Barcelona Court of Appeals. The complaint asked for the removal of the links, and for damages. However, at an initial stage of the proceedings, the plaintiff acknowledged that the contested links had already been removed, and thus only the claim for damages survived in the lawsuit.

Initially, the first instance court rejected the complaint, and the plaintiff appealed. On July 17, 2014 (albeit only recently reported), the court of appeals handed down its ruling granting the plaintiff’s claim and awarding damages, although dramatically reducing the exaggerated amount demanded. The court relied heavily on the CJEU Google Spain judgment and held that Google infringed the subject’s data protection rights by failing to remove the links when requested to do so. The plaintiff was awarded moral damages for the period of time the links were accessible.

The Data Protection Directive (95/46) orders Member States to “provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.” This provision was transposed into art. 19 of the Spanish Data Protection Law, which is the basis for the complaint.

Google successfully claimed that the safe harbor for search engines (art. 17 of the Law on Information Society Services) applied to it. However, according to the court, Google lost the safe harbor when it obtained the actual knowledge of the offending links, at the time it knew about the DPA decision. While this claim for damages is independent from any administrative proceeding, the court came to the conclusion that Google was liable from the moment it was notified about the DPA decision, and up to the moment the links were removed – a time span of about ten months.

As noted, the defendant in this case was not Google Inc., but its Spanish subsidiary, Google Spain SL – along with some other entities. The court rejected the defendant’s contention that because the search engine is operated by Google Inc. – a different entity – Google Spain SL cannot be held liable.

The text of the ruling, which has been appealed before the Supreme Court, is available here (in Spanish). Please note that the names of individual parties are anonymized.