The right to be forgotten – which can be best described as a right to be delisted – was recognized by the CJEU on the assumption that the search engine operator, Google Inc., is a data controller of the personal data included in the search results.
However, is also the local subsidiary of Google Inc., Google Spain SL, a data controller? The answer to this question is by no means irrelevant. After the 2014 CJEU judgment, the Audiencia Nacional (AN)—the court that made the reference for a preliminary judgment—handed down 60+ rulings upholding DPA delisting orders that had been appealed before it. All of them, with the only exception of the Costeja case itself, were directed exclusively against Google Spain SL, not against Google Inc. Now, if Google Spain SL is not a data controller, all those rulings, along with the original DPA decisions they affirm, could be declared void by the Supreme Court for lack of standing of the defendant.
And that’s exactly what happened last month. The 60+ AN rulings had been appealed by Google Spain SL before the Supreme Court claiming lack of standing. And the Supreme Court agreed, handing down five rulings holding that Google Spain SL is not a controller and declaring the DPA decisions null and void. Similar rulings in the remaining cases are expected to follow soon.
(It must be noted that this refers to old decisions of the DPA. Since August 2014, the DPA no longer directs its decisions against Google Spain, but against the Google Inc., and thus no problem of lack of standing should appear).
That came as a big surprise for many. But the news didn’t end there. There was another RTBF ruling appealed by Google Spain SL before the Supreme Court. Unlike all the others, this one was not an appeal against a decision issued by the DPA and further upheld by the AN. Rather it was an appeal against a ruling issued by the Barcelona Court of Appeals in a civil lawsuit sentencing Google Spain SL to pay 8,000 Euros in moral damages for failing to delist a link.
There is a crucial difference. The DPA is an administrative body, and thus the appeals against its decisions are ultimately decided by the Administrative Chamber of the Supreme Court (Third Chamber), whereas appeals in civil lawsuits correspond the Civil Chamber of the Supreme Court (First Chamber).
Only a few days after the Administrative Chamber of the Supreme Court issued the said five rulings, the Civil Chamber ruled on the civil appeal. In essence, the ruling held that Google Spain is in fact a controller, no matter what the other Chamber may say. The case was decided by the Civil Chamber in full, which attaches more relevance to the judgment.
So now we have the following puzzle regarding the local subsidiary: the DPA can’t order Google Spain SL to delist a link – such a decision would be immediately voided on appeal. However, if a data subject requests Google Spain SL to delist a link and this company rejects the request, that individual might bring a civil action for damages against Google Spain SL and this company could not claim lack of standing.
How could the two Chambers of the Supreme Court come to such a diverging conclusion?
Under the Data Protection Directive, a controller is “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.” The Administrative Chamber of the Supreme Court noted that being a controller thus hinges on the actual intervention in the determination of purposes and means of the processing. The processing at issue, as described by the CJEU [¶ 28], consisted of a number of activities carried out by the operator of a search engine “in exploring the internet automatically, constantly and systematically in search of the information which is published there”, namely “the operator of a search engine ‘collects’ such data which it subsequently ‘retrieves’, ‘records’ and ‘organises’ within the framework of its indexing programmes, ‘stores’ on its servers and, as the case may be, ‘discloses’ and ‘makes available’ to its users in the form of lists of search results.” The operator of the search engine, who carries out those activities, is Google Inc., and the AN remarked that “it has not been established that Google Spain carries out in Spain an activity directly linked to the indexing or storage of information or data contained on third parties’ websites.” [¶ 46]
The Administrative Chamber of the SC held that for Google Spain SL to be considered a joint controller, it must participate in the determination of the means and purposes of the processing, and this was not demonstrated in any way in the procedure. In addition, it stressed that the CJEU clearly assumed that the processing was carried out only by Google Inc. The CJEU conclusion the activities of both entities were ‘inextricably linked’ was only to the effect of finding that Google Inc.’s processing was carried out ‘in the context of the activities’ of Google Spain SL., which entails that the Data Protection Directive is applicable to Google Inc. All the discussion about the territorial application would have been unnecessary if Google Spain would have been considered a controller of processing carried out by the search engine.
On the other hand, the Civil Chamber did not directly discuss the arguments of the Administrative Chamber—it simple noted that their decisions are not binding for the Civil Chamber. The Civil Chamber holds that the CJEU supports the finding that Google Spain is also a controller. It admits that the CJEU did not seek to determine whether this company was a controller. However, the Civil Chamber believes that the CJEU ruling provides elements enough to come to this conclusion, as that ruling (i) refers to the broad definition of the concept of controller in the Directive; (ii) finds that the operation of the search engine by Google Inc. is inextricably linked with Google Spain’s marketing activities; and (iii) holds Google Inc.’s processing is carried out ‘in the context of the activities’ of Google Spain SL. According to the SC Civil Chamber:
“Google Spain may also be considered, in a broad sense, controller of the processing carried out by the search engine Google Search in its Spanish version (www.google.es), jointly with its parent company Google Inc.”.
It added that holding otherwise would frustrate in practice the aim of “ensuring effective and complete protection” of the rights to privacy and data protection sought by the Directive and the EU Charter of Fundamental Rights, as data subjects would need to litigate with a company located in the US, which might entail huge costs. The Civil Chamber argues that it would be inconsistent to give the Directive a very broad territorial scope and then frustrate in practice this protection by obliging the data subject to litigate against a company located in the US, with the costs and delays attached to this.
Of course, though, this does not seem comport with the practice experience in Europe, where Google Inc is delisting results by the thousands. Further, one may wonder what the situation would be should Google Inc. decide to dispense with its local subsidiary and simply work with a local establishment without legal personality.
Whatever you may think about considering the local subsidiary a controller, this radical disparity of conclusions within the Supreme Court looks far from desirable.
[Cross posted on the Stanford CIS Blog]
The Spanish Supreme Court (TS) has recently ruled on the legality of using someone else’s trademark as a keyword to trigger sponsored ads in Google Adwords. The case is Maherlo v Charlet (pdf, in Spanish).
The claimant, Maherlo Ibérica S.L., commercializes elevator shoes for men—shoes with raised insoles that make people look taller. It owns two Community Trade Marks which bear the words “Masaltos” and “Masaltos.com.” The defendant, Charlet S.A.M., is also in the business of selling elevator shoes, under a different trademark—Bertulli. The defendant selected the trademarked words “Masaltos” and “Masaltos.com.” to trigger ads in Google Adwords. The text of the ads, however, did not include those words. The commercial link in the ads pointed to the defendant’s website, where the plaintiff’s trademarks where not used, either.
Both the first instance court and the court of appeals (pdf, in Spanish) found that such a use was not a trademark infringement. In its ruling, the Supreme Court affirms.
Just like the court of appeals, the Supreme Court follows the case law from the EU Court of Justice (CJEU), particularly the well known cases Google France (2010) and Interflora (2011). In Interflora the CJEU held that
the proprietor of a trade mark is entitled to prevent a competitor from advertising – on the basis of a keyword which is identical with the trade mark and which has been selected in an internet referencing service by the competitor without the proprietor’s consent – goods or services identical with those for which that mark is registered, where that use is liable to have an adverse effect on one of the functions of the trade mark. Such use:
– adversely affects the trade mark’s function of indicating origin where the advertising displayed on the basis of that keyword does not enable reasonably well-informed and reasonably observant internet users, or enables them only with difficulty, to ascertain whether the goods or services concerned by the advertisement originate from the proprietor of the trade mark or an undertaking economically linked to that proprietor or, on the contrary, originate from a third party;
– does not adversely affect, in the context of an internet referencing service having the characteristics of the service at issue in the main proceedings, the trade mark’s advertising function; and
– adversely affects the trade mark’s investment function if it substantially interferes with the proprietor’s use of its trade mark to acquire or preserve a reputation capable of attracting consumers and retaining their loyalty.
The assessment of the facts corresponds to national courts. Therefore, the CJEU case law does not prevent the finding by a national court that, in a particular case, the challenged use of the trademark adversely affects a trademark function. In fact, the Inteflora case was finally decided in favor of the plaintiff by the national UK judge, finding that there was a likelihood of confusion.
In Maherlo v Charlet, the Spanish Supreme Court upholds the lower court’s ruling that the use at issue use was not liable to have an adverse effect on any of the functions of the trademark. In particular, the TS upholds the conclusion that there was no risk of confusion or association (and thus no adverse effect to the origin function) because the text of the ad did not include the claimant’s trademarks. The plaintiff had argued that 63 internet users, out of 5,051 who googled the trademarked words, eventually purchased goods from the defendant. According to the claimant, this would indicate that they were misled into thinking that they were buying the goods from the plaintiff. The court of appeals rejected that contention, and noted that the absence of the trademark in the text of the ads clearly showed to the users that the advertiser was in fact a competitor, and thus the origin function was not jeopardized.
While there have been a number of rulings dealing with the use of trademarks as keywords by first instance courts and courts of appeals in Spain, this is the first time the Supreme Court tackles the issue. It must be noted that the same plaintiff has also sued other merchants on these issues, and lower courts have sometimes granted its claims, though on somewhat different factual situations.
[Cross posted to the Center for Internet and Society at Stanford Law School]
The man who won the right-to-be-forgotten case in the Court of Justice of the European Union (CJEU) has now been denied the right to suppress links to comments about that case by the Spanish Data Protection Authority (DPA). Given the relevance of the CJEU’s ruling, comments discussing the case and the facts behind it must be considered of public interest, according to the DPA’s decision.
Since the CJEU handed down its landmark ruling in May 2014 – and even before that – the circumstances of the case were widely publicized in the media. The irony was immediately apparent. While the claimant sought to have some old unpleasant information forgotten – and he actually succeeded to have the links to it delisted – all the details ended up being brought to the public eye. He even gave numerous interviews, sometimes being depicted in the media as the man who won the battle against Google.
Of course, some negative comments were also published. Eventually, Mr. Costeja requested Google to delist one of those, which Google rejected. He then addressed himself to the Spanish DPA, which in its recent decision dismisses the claim.
In the case before the CJEU, Mr. Costeja had complained that Google showed links to obsolete information available in a newspaper’s digital archive – a 1998 notice of real estate auction following attachment procedures for the recovery of Social Security debts. The CJEU found that individuals may request the delisting of links showing up in searches for their name pointing to information which is “inadequate, irrelevant, no longer relevant or excessive”. Nonetheless, the CJEU noted that such a right does not apply where there is a preponderant right of the public in accessing the information – for instance when the claimant has a role in public life.
Now the DPA finds that there is indeed a preponderant interest of the public in the comments about the famous case that gave rise to the CJEU judgment of May 13, 2014 – and expressly reminds that the claimant itself went public about the details.
While the decision does not mention the particular piece of information the claimant was complaining of, it may in all probability be a blog post titled “The unforgettable story of the seizure to the defaulter Mario Costeja González that happened in 1998”, available both in English and Spanish, which is currently the first result in Google.es in a search for the claimant’s name. In his claim before the DPA, Mr. Costeja complained that the content was also defamatory. However, the DPA answers that claims for defamation must be brought before the civil courts, not before the DPA.
All in all – as it was easy to anticipate from the beginning – this seminal right-to-be-forgotten case appears to have ended up in a big Streisand effect.
Note: Cross posted to the Center for Internet and Society at Stanford Law School
In a recently reported ruling, the Spanish National High Court held that Google is not responsible for the processing of personal data on blog hosted on Google’s owned Blogger, and therefore, that the so called “right to be forgotten” established by the Court of Justice of the European Union (CJEU) in the Google Spain case does not extend to a blogging platform.
The ruling reverses a decision issued by the Spanish Data Protection Authority (DPA) which had ordered Google to remove personally identifiable information from a blog hosted on Blogger. The claimant was a Spanish citizen who found that when typing his name on Google Search, the results included a link to a blog with information about a crime he had committed many years ago. While the official criminal records had already been cancelled, the information was thus still findable on the internet.
On the one hand, the DPA ordered Google to remove the information from its search engine. This was upheld by the National High Court, albeit ordering more precisely that Google remove the link from the search results – thus applying the criteria set out by the CJEU in Google Spain.
On the other hand, the DPA considered Google, as the owner of the blogging platform, to be the “controller” of the processing. Interestingly, the DPA found that while Google was not liable for the content of the blog, as it was shielded by the hosting safe harbor, the DPA has the power to order Google to remove the information from the blog.
The National High Court reversed that and held that the responsible for the processing is not Google but the blog owner. It further held that the DPA cannot order Google to remove the content within a procedure for the protection of the data subject’s right to erasure and to object.
Arguably, under the rationale that the platform is not the controller of the processing, other user generated content sites such as YouTube or social networking sites might also fall outside the scope of the right to be forgotten.
(Cross posted to the Stanford’s Center for Internet & Society Blog)
The CJEU judgment on the right to be forgotten, Google Spain v. Mario Costeja, hit the search engine on an unexpected front – damages. On the basis of the CJEU’s judgment, the Barcelona Court of Appeals ordered Google to pay damages to an individual who, like Costeja, sought the removal of links to some old, damaging information from the search results.
In 1981, the plaintiff of this case was criminally charged for violating “public health” regulations. He was finally convicted by the Spanish Supreme Court in 1990. Nine years later, he was granted pardon. The Royal Decree granting this pardon was subsequently published in the Boletín Oficial del Estado (Official Gazette), as is required by the law. When typing plaintiff’s name in Google, links to the Official Gazette would appear, thus revealing that this person had committed a crime about thirty years ago.
In 2009, he filed a complaint against Google Spain SL before the Spanish Data Protection Authority (DPA). The DPA ordered Google Spain SL to adopt the measures necessary to withdraw the data from its index and to prevent access to the data in the future. Like in many other similar cases – including the Costeja’s case – Google appealed this decision to the Audiencia Nacional, where it is still pending.
On March 22, 2011, long before the CJEU rendered the Google Spain ruling, the plaintiff brought also a civil lawsuit asking for damages. This is the case now decided by the Barcelona Court of Appeals. The complaint asked for the removal of the links, and for damages. However, at an initial stage of the proceedings, the plaintiff acknowledged that the contested links had already been removed, and thus only the claim for damages survived in the lawsuit.
Initially, the first instance court rejected the complaint, and the plaintiff appealed. On July 17, 2014 (albeit only recently reported), the court of appeals handed down its ruling granting the plaintiff’s claim and awarding damages, although dramatically reducing the exaggerated amount demanded. The court relied heavily on the CJEU Google Spain judgment and held that Google infringed the subject’s data protection rights by failing to remove the links when requested to do so. The plaintiff was awarded moral damages for the period of time the links were accessible.
The Data Protection Directive (95/46) orders Member States to “provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.” This provision was transposed into art. 19 of the Spanish Data Protection Law, which is the basis for the complaint.
Google successfully claimed that the safe harbor for search engines (art. 17 of the Law on Information Society Services) applied to it. However, according to the court, Google lost the safe harbor when it obtained the actual knowledge of the offending links, at the time it knew about the DPA decision. While this claim for damages is independent from any administrative proceeding, the court came to the conclusion that Google was liable from the moment it was notified about the DPA decision, and up to the moment the links were removed – a time span of about ten months.
As noted, the defendant in this case was not Google Inc., but its Spanish subsidiary, Google Spain SL – along with some other entities. The court rejected the defendant’s contention that because the search engine is operated by Google Inc. – a different entity – Google Spain SL cannot be held liable.
The text of the ruling, which has been appealed before the Supreme Court, is available here (in Spanish). Please note that the names of individual parties are anonymized.
Martin Husovec and I have just finished a paper titled Privately litigated disconnecting injunctions, which is available at the ssrn website. It deals with a particular type of injunctions that rights holders might apply for against intermediaries on the basis of Art. 8(3) of the InfoSoc Directive, which consist of enjoining an ISP from providing internet access to one of its users, allegedly engaging in copyright infringement. A case already decided in Spain granting the disconnecting injunction serves us as a study case to assess the problems this type of injunctions face. We deal particularly with the serious problems these injunctions raise regarding their compatibility with the EU Charter of Fundamental Rights.
We conclude as follows:
Privately litigated disconnecting injunctions requiring ISPs to cease providing internet access to one of its subscribers raise serious concerns from the standpoint of their compatibility with the EU Charter of Fundamental Rights and the European Convention of Human Rights. For these injunctions to be compatible with the Charter and the Convention, they should respect a number of key requirements. First, as discussed in Part III(1), the concerned individual should be granted the opportunity to defend his or her rights in court. To this end, the plaintiffs would need to previously identify that user, so that he or she could be included in the lawsuit. Second, as shown in Part III(2), some injunctions, particularly those without time limits, those targeting all national ISPs, or blocking also legitimate communications, might qualify as a criminal sanction and hence be unavailable due to the requirement of a stricter legal basis for criminal charges. Third, as explored in Part III(3), the test of proportionality seems difficult to be complied with. At the very least, the injunction should be narrowly tailored and show a sufficient degree of effectiveness. Moreover, not only courts, but also Member States themselves are limited by the Charter in the discretion they enjoy with regards to the way of implementing Art. 8(3) InfoSoc Directive. Whether they provide for disconnections against intermediaries as an administrative or judicial instrument of injunctive nature, Union law is implemented and thus also EU Charter constrains their actions. These problems make it extremely complicated that these injunctions are granted if courts, as they must, demand that the injunction applied for complies with the principles enshrined in the Charter and the Convention. In any event, obtaining such an injunction would be costly and slow for the plaintiff, and the outcome would hardly be effective in bringing to an end the user’s infringing activity. While some right holders may be inclined to explore this injunctions on the basis of the national transpositions of Art. 8(3) InfoSoc Directive, it seems unlikely that this form of relieve may end up being an attractive and effective tool to curb online infringement.
Any comment or suggestion will be welcome!