Note: Cross posted to the Center for Internet and Society at Stanford Law School
In a recently reported ruling, the Spanish National High Court held that Google is not responsible for the processing of personal data on blog hosted on Google’s owned Blogger, and therefore, that the so called “right to be forgotten” established by the Court of Justice of the European Union (CJEU) in the Google Spain case does not extend to a blogging platform.
The ruling reverses a decision issued by the Spanish Data Protection Authority (DPA) which had ordered Google to remove personally identifiable information from a blog hosted on Blogger. The claimant was a Spanish citizen who found that when typing his name on Google Search, the results included a link to a blog with information about a crime he had committed many years ago. While the official criminal records had already been cancelled, the information was thus still findable on the internet.
On the one hand, the DPA ordered Google to remove the information from its search engine. This was upheld by the National High Court, albeit ordering more precisely that Google remove the link from the search results – thus applying the criteria set out by the CJEU in Google Spain.
On the other hand, the DPA considered Google, as the owner of the blogging platform, to be the “controller” of the processing. Interestingly, the DPA found that while Google was not liable for the content of the blog, as it was shielded by the hosting safe harbor, the DPA has the power to order Google to remove the information from the blog.
The National High Court reversed that and held that the responsible for the processing is not Google but the blog owner. It further held that the DPA cannot order Google to remove the content within a procedure for the protection of the data subject’s right to erasure and to object.
Arguably, under the rationale that the platform is not the controller of the processing, other user generated content sites such as YouTube or social networking sites might also fall outside the scope of the right to be forgotten.
(Cross posted to the Stanford’s Center for Internet & Society Blog)
The CJEU judgment on the right to be forgotten, Google Spain v. Mario Costeja, hit the search engine on an unexpected front – damages. On the basis of the CJEU’s judgment, the Barcelona Court of Appeals ordered Google to pay damages to an individual who, like Costeja, sought the removal of links to some old, damaging information from the search results.
In 1981, the plaintiff of this case was criminally charged for violating “public health” regulations. He was finally convicted by the Spanish Supreme Court in 1990. Nine years later, he was granted pardon. The Royal Decree granting this pardon was subsequently published in the Boletín Oficial del Estado (Official Gazette), as is required by the law. When typing plaintiff’s name in Google, links to the Official Gazette would appear, thus revealing that this person had committed a crime about thirty years ago.
In 2009, he filed a complaint against Google Spain SL before the Spanish Data Protection Authority (DPA). The DPA ordered Google Spain SL to adopt the measures necessary to withdraw the data from its index and to prevent access to the data in the future. Like in many other similar cases – including the Costeja’s case – Google appealed this decision to the Audiencia Nacional, where it is still pending.
On March 22, 2011, long before the CJEU rendered the Google Spain ruling, the plaintiff brought also a civil lawsuit asking for damages. This is the case now decided by the Barcelona Court of Appeals. The complaint asked for the removal of the links, and for damages. However, at an initial stage of the proceedings, the plaintiff acknowledged that the contested links had already been removed, and thus only the claim for damages survived in the lawsuit.
Initially, the first instance court rejected the complaint, and the plaintiff appealed. On July 17, 2014 (albeit only recently reported), the court of appeals handed down its ruling granting the plaintiff’s claim and awarding damages, although dramatically reducing the exaggerated amount demanded. The court relied heavily on the CJEU Google Spain judgment and held that Google infringed the subject’s data protection rights by failing to remove the links when requested to do so. The plaintiff was awarded moral damages for the period of time the links were accessible.
The Data Protection Directive (95/46) orders Member States to “provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.” This provision was transposed into art. 19 of the Spanish Data Protection Law, which is the basis for the complaint.
Google successfully claimed that the safe harbor for search engines (art. 17 of the Law on Information Society Services) applied to it. However, according to the court, Google lost the safe harbor when it obtained the actual knowledge of the offending links, at the time it knew about the DPA decision. While this claim for damages is independent from any administrative proceeding, the court came to the conclusion that Google was liable from the moment it was notified about the DPA decision, and up to the moment the links were removed – a time span of about ten months.
As noted, the defendant in this case was not Google Inc., but its Spanish subsidiary, Google Spain SL – along with some other entities. The court rejected the defendant’s contention that because the search engine is operated by Google Inc. – a different entity – Google Spain SL cannot be held liable.
The text of the ruling, which has been appealed before the Supreme Court, is available here (in Spanish). Please note that the names of individual parties are anonymized.
Martin Husovec and I have just finished a paper titled Privately litigated disconnecting injunctions, which is available at the ssrn website. It deals with a particular type of injunctions that rights holders might apply for against intermediaries on the basis of Art. 8(3) of the InfoSoc Directive, which consist of enjoining an ISP from providing internet access to one of its users, allegedly engaging in copyright infringement. A case already decided in Spain granting the disconnecting injunction serves us as a study case to assess the problems this type of injunctions face. We deal particularly with the serious problems these injunctions raise regarding their compatibility with the EU Charter of Fundamental Rights.
We conclude as follows:
Privately litigated disconnecting injunctions requiring ISPs to cease providing internet access to one of its subscribers raise serious concerns from the standpoint of their compatibility with the EU Charter of Fundamental Rights and the European Convention of Human Rights. For these injunctions to be compatible with the Charter and the Convention, they should respect a number of key requirements. First, as discussed in Part III(1), the concerned individual should be granted the opportunity to defend his or her rights in court. To this end, the plaintiffs would need to previously identify that user, so that he or she could be included in the lawsuit. Second, as shown in Part III(2), some injunctions, particularly those without time limits, those targeting all national ISPs, or blocking also legitimate communications, might qualify as a criminal sanction and hence be unavailable due to the requirement of a stricter legal basis for criminal charges. Third, as explored in Part III(3), the test of proportionality seems difficult to be complied with. At the very least, the injunction should be narrowly tailored and show a sufficient degree of effectiveness. Moreover, not only courts, but also Member States themselves are limited by the Charter in the discretion they enjoy with regards to the way of implementing Art. 8(3) InfoSoc Directive. Whether they provide for disconnections against intermediaries as an administrative or judicial instrument of injunctive nature, Union law is implemented and thus also EU Charter constrains their actions. These problems make it extremely complicated that these injunctions are granted if courts, as they must, demand that the injunction applied for complies with the principles enshrined in the Charter and the Convention. In any event, obtaining such an injunction would be costly and slow for the plaintiff, and the outcome would hardly be effective in bringing to an end the user’s infringing activity. While some right holders may be inclined to explore this injunctions on the basis of the national transpositions of Art. 8(3) InfoSoc Directive, it seems unlikely that this form of relieve may end up being an attractive and effective tool to curb online infringement.
Any comment or suggestion will be welcome!
Cross posted on The Center for Internet and Society at Stanford Law School
In a recent ruling issued by the 15th Section of the Barcelona Court of Appeals – a Section specializing on IP – the Spanish ISP R Cable y Telecomunicaciones Galicia has been ordered to suspend, immediately and for good, the Internet connection of a user who engaged in copyright infringing file sharing. The text of the ruling (in Spanish) is available here (PDF). This is the first ruling of this kind in Spain.
The action was brought by Promusicae, an association of Spanish music producers, along with the main music labels operating in Spain. Aided by DtecNet, an anti-piracy firm, Promusicae learned of an internet user who was making available more than five thousand music files in his hard drive shared folder, using the P2P network Direct Connect. The investigative firm actually downloaded three files which corresponded to copyrighted songs owned by the plaintiffs. The user was identified by his nickname and IP address only. It was not possible to find out the user’s real identity as ISPs in Spain are not obliged to reveal the identity of their users for purposes of civil lawsuits.
Not knowing the identity of the file sharer, the plaintiffs brought the case directly and exclusively against the ISP, asking for an injunction under articles 138 and 139.1.h) of the Spanish Copyright Act which allow right holders to seek injunctions against intermediaries whose services are used by a third party to infringe copyright. The requested injunction consisted of suspending the provision of internet access to the infringer. The possibility of asking for injunctions against intermediaries is contemplated in art. 8(3) and Recital 59 of the EU Copyright Directive, though the specific modalities of such injunctions are left to Member States’ national law.
Strikingly enough, the ISP chose not to answer the complaint and didn’t intervene at all in the lawsuit.
The court of first instance dismissed the claim, holding that the user’s conduct was not infringing. The Court of Appeals reversed and held that the user’s acts were indeed infringing as they constituted unauthorized acts of reproduction and making available to the public. It held therefore that plaintiffs were entitled to the sought injunction.
Some difficult questions arise from this case – I will highlight just a few.
First, the user was not a party in the proceedings, as the lawsuit was filed only against the ISP. This poses the question of whether the infringement could be found without summoning the allegedly infringer – though it is of course unlikely that the user could have successfully invoked a defense against the finding of infringement.
Second, articles 138 and 139.1.h) of the Spanish Copyright Act require the injunction to be objective, proportionate and non-discriminatory. The court, however, did not assess at all whether such a radical measure satisfied the required proportionality.
Third, and closely linked to the question of proportion, an IP address does not necessarily identify a single individual as it could have been shared by different people.
Finally, the real effect of the injunction is rather dubious, as the infringer can easily shift to a different access provider.