Skip to content

No more right-to-be-forgotten for Mr. Costeja, says Spanish Data Protection Authority

October 11, 2015

[Cross posted to the Center for Internet and Society at Stanford Law School]

The man who won the right-to-be-forgotten case in the Court of Justice of the European Union (CJEU) has now been denied the right to suppress links to comments about that case by the Spanish Data Protection Authority (DPA). Given the relevance of the CJEU’s ruling, comments discussing the case and the facts behind it must be considered of public interest, according to the DPA’s decision.

Since the CJEU handed down its landmark ruling in May 2014 – and even before that – the circumstances of the case were widely publicized in the media. The irony was immediately apparent. While the claimant sought to have some old unpleasant information forgotten – and he actually succeeded to have the links to it delisted – all the details ended up being brought to the public eye. He even gave numerous interviews, sometimes being depicted in the media as the man who won the battle against Google.

Of course, some negative comments were also published. Eventually, Mr. Costeja requested Google to delist one of those, which Google rejected. He then addressed himself to the Spanish DPA, which in its recent decision dismisses the claim.

In the case before the CJEU, Mr. Costeja had complained that Google showed links to obsolete information available in a newspaper’s digital archive – a 1998 notice of real estate auction following attachment procedures for the recovery of Social Security debts. The CJEU found that individuals may request the delisting of links showing up in searches for their name pointing to information which is “inadequate, irrelevant, no longer relevant or excessive”. Nonetheless, the CJEU noted that such a right does not apply where there is a preponderant right of the public in accessing the information – for instance when the claimant has a role in public life.

Now the DPA finds that there is indeed a preponderant interest of the public in the comments about the famous case that gave rise to the CJEU judgment of May 13, 2014 – and expressly reminds that the claimant itself went public about the details.

While the decision does not mention the particular piece of information the claimant was complaining of, it may in all probability be a blog post titled “The unforgettable story of the seizure to the defaulter Mario Costeja González that happened in 1998”, available both in English and Spanish, which is currently the first result in in a search for the claimant’s name. In his claim before the DPA, Mr. Costeja complained that the content was also defamatory. However, the DPA answers that claims for defamation must be brought before the civil courts, not before the DPA.

All in all – as it was easy to anticipate from the beginning – this seminal right-to-be-forgotten case appears to have ended up in a big Streisand effect.

Spain: The Right to Be Forgotten Does Not Apply to Blogger

March 5, 2015

Note: Cross posted to the Center for Internet and Society at Stanford Law School

In a recently reported ruling, the Spanish National High Court held that Google is not responsible for the processing of personal data on blog hosted on Google’s owned Blogger, and therefore, that the so called “right to be forgotten” established by the Court of Justice of the European Union (CJEU) in the Google Spain case does not extend to a blogging platform.

The ruling reverses a decision issued by the Spanish Data Protection Authority (DPA) which had ordered Google to remove personally identifiable information from a blog hosted on Blogger. The claimant was a Spanish citizen who found that when typing his name on Google Search, the results included a link to a blog with information about a crime he had committed many years ago. While the official criminal records had already been cancelled, the information was thus still findable on the internet.

On the one hand, the DPA ordered Google to remove the information from its search engine. This was upheld by the National High Court, albeit ordering more precisely that Google remove the link from the search results – thus applying the criteria set out by the CJEU in Google Spain.

On the other hand, the DPA considered Google, as the owner of the blogging platform, to be the “controller” of the processing. Interestingly, the DPA found that while Google was not liable for the content of the blog, as it was shielded by the hosting safe harbor, the DPA has the power to order Google to remove the information from the blog.

The National High Court reversed that and held that the responsible for the processing is not Google but the blog owner. It further held that the DPA cannot order Google to remove the content within a procedure for the protection of the data subject’s right to erasure and to object.

Arguably, under the rationale that the platform is not the controller of the processing, other user generated content sites such as YouTube or social networking sites might also fall outside the scope of the right to be forgotten.

Spanish Court rules that links to infringing content are copyright infringements

December 19, 2014

In a recent ruling (PDF), a Spanish appellate court (Audiencia Nacional) has upheld the decision of the Spanish agency for the administrative enforcement of copyright — the Intellectual Property Commission (IPC).

The IPC had ordered that a torrent linking website (elitetorrent) remove some of its torrent links to protected works.

This is the first case where the Audiencia Nacional deals with an appeal against an order issued by the ICP and tackles the substance of the legal question at issue, i.e., whether the challenged links constituted a copyright infringement.

It concludes that the links were indeed a copyright infringement, and thus rejects the appeal brought by the webmaster.

The ruling holds that a link to non-authorized content amounts to an act of making available, and thus require the authorization of the rights holder. The court reaches this conclusion on the basis of the CJEU judgment in Svensson. There, the CJEU held that a link constitutes an act of communication to “a public”, albeit it does not need to be authorized where it points to a work which the right holders had made freely available on the Internet, as in that case the link does not target a “new public”, different than that already taken into account by the rights holders when they authorized the initial communication.

The Spanish Audiencia Nacional states that the Svensson criteria fully apply to the case at issue and concludes that the linking website carried out an act of communication to the public which did required the right holders’ authorization, as they “had not authorized the exploitation free of restrictions of their work on the Internet”.

Text of the ruling (in Spainsh) available here (PDF).

Right to Be Forgotten: Google Sentenced to Pay Damages in Spain

December 17, 2014

(Cross posted to the Stanford’s Center for Internet & Society Blog)

The CJEU judgment on the right to be forgotten, Google Spain v. Mario Costeja, hit the search engine on an unexpected front – damages. On the basis of the CJEU’s judgment, the Barcelona Court of Appeals ordered Google to pay damages to an individual who, like Costeja, sought the removal of links to some old, damaging information from the search results.

In 1981, the plaintiff of this case was criminally charged for violating “public health” regulations. He was finally convicted by the Spanish Supreme Court in 1990. Nine years later, he was granted pardon. The Royal Decree granting this pardon was subsequently published in the Boletín Oficial del Estado (Official Gazette), as is required by the law. When typing plaintiff’s name in Google, links to the Official Gazette would appear, thus revealing that this person had committed a crime about thirty years ago.

In 2009, he filed a complaint against Google Spain SL before the Spanish Data Protection Authority (DPA). The DPA ordered Google Spain SL to adopt the measures necessary to withdraw the data from its index and to prevent access to the data in the future. Like in many other similar cases – including the Costeja’s case – Google appealed this decision to the Audiencia Nacional, where it is still pending.

On March 22, 2011, long before the CJEU rendered the Google Spain ruling, the plaintiff brought also a civil lawsuit asking for damages. This is the case now decided by the Barcelona Court of Appeals. The complaint asked for the removal of the links, and for damages. However, at an initial stage of the proceedings, the plaintiff acknowledged that the contested links had already been removed, and thus only the claim for damages survived in the lawsuit.

Initially, the first instance court rejected the complaint, and the plaintiff appealed. On July 17, 2014 (albeit only recently reported), the court of appeals handed down its ruling granting the plaintiff’s claim and awarding damages, although dramatically reducing the exaggerated amount demanded. The court relied heavily on the CJEU Google Spain judgment and held that Google infringed the subject’s data protection rights by failing to remove the links when requested to do so. The plaintiff was awarded moral damages for the period of time the links were accessible.

The Data Protection Directive (95/46) orders Member States to “provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.” This provision was transposed into art. 19 of the Spanish Data Protection Law, which is the basis for the complaint.

Google successfully claimed that the safe harbor for search engines (art. 17 of the Law on Information Society Services) applied to it. However, according to the court, Google lost the safe harbor when it obtained the actual knowledge of the offending links, at the time it knew about the DPA decision. While this claim for damages is independent from any administrative proceeding, the court came to the conclusion that Google was liable from the moment it was notified about the DPA decision, and up to the moment the links were removed – a time span of about ten months.

As noted, the defendant in this case was not Google Inc., but its Spanish subsidiary, Google Spain SL – along with some other entities. The court rejected the defendant’s contention that because the search engine is operated by Google Inc. – a different entity – Google Spain SL cannot be held liable.

The text of the ruling, which has been appealed before the Supreme Court, is available here (in Spanish). Please note that the names of individual parties are anonymized.

New Paper: Privately Litigated Disconnecting Injunctions

July 18, 2014

Martin Husovec and I have just finished a paper titled Privately litigated disconnecting injunctions, which is available at the ssrn website. It deals with a particular type of injunctions that rights holders might apply for against intermediaries on the basis of Art. 8(3) of the InfoSoc Directive, which consist of enjoining an ISP from providing internet access to one of its users, allegedly engaging in copyright infringement. A case already decided in Spain granting the disconnecting injunction serves us as a study case to assess the problems this type of injunctions face. We deal particularly with the serious problems these injunctions raise regarding their compatibility with the EU Charter of Fundamental Rights.

We conclude as follows:

Privately litigated disconnecting injunctions requiring ISPs to cease providing internet access to one of its subscribers raise serious concerns from the standpoint of their compatibility with the EU Charter of Fundamental Rights and the European Convention of Human Rights. For these injunctions to be compatible with the Charter and the Convention, they should respect a number of key requirements. First, as discussed in Part III(1), the concerned individual should be granted the opportunity to defend his or her rights in court. To this end, the plaintiffs would need to previously identify that user, so that he or she could be included in the lawsuit. Second, as shown in Part III(2), some injunctions, particularly those without time limits, those targeting all national ISPs, or blocking also legitimate communications, might qualify as a criminal sanction and hence be unavailable due to the requirement of a stricter legal basis for criminal charges. Third, as explored in Part III(3), the test of proportionality seems difficult to be complied with. At the very least, the injunction should be narrowly tailored and show a sufficient degree of effectiveness. Moreover, not only courts, but also Member States themselves are limited by the Charter in the discretion they enjoy with regards to the way of implementing Art. 8(3) InfoSoc Directive. Whether they provide for disconnections against intermediaries as an administrative or judicial instrument of injunctive nature, Union law is implemented and thus also EU Charter constrains their actions. These problems make it extremely complicated that these injunctions are granted if courts, as they must, demand that the injunction applied for complies with the principles enshrined in the Charter and the Convention. In any event, obtaining such an injunction would be costly and slow for the plaintiff, and the outcome would hardly be effective in bringing to an end the user’s infringing activity. While some right holders may be inclined to explore this injunctions on the basis of the national transpositions of Art. 8(3) InfoSoc Directive, it seems unlikely that this form of relieve may end up being an attractive and effective tool to curb online infringement.

Any comment or suggestion will be welcome!

Spanish court orders an ISP to disconnect a copyright infringer

January 22, 2014

Cross posted on The Center for Internet and Society at Stanford Law School

In a recent ruling issued by the 15th Section of the Barcelona Court of Appeals – a Section specializing on IP – the Spanish ISP R Cable y Telecomunicaciones Galicia has been ordered to suspend, immediately and for good, the Internet connection of a user who engaged in copyright infringing file sharing. The text of the ruling (in Spanish) is available here (PDF). This is the first ruling of this kind in Spain.

The action was brought by Promusicae, an association of Spanish music producers, along with the main music labels operating in Spain. Aided by DtecNet, an anti-piracy firm, Promusicae learned of an internet user who was making available more than five thousand music files in his hard drive shared folder, using the P2P network Direct Connect. The investigative firm actually downloaded three files which corresponded to copyrighted songs owned by the plaintiffs. The user was identified by his nickname and IP address only. It was not possible to find out the user’s real identity as ISPs in Spain are not obliged to reveal the identity of their users for purposes of civil lawsuits.

Not knowing the identity of the file sharer, the plaintiffs brought the case directly and exclusively against the ISP, asking for an injunction under articles 138 and 139.1.h) of the Spanish Copyright Act which allow right holders to seek injunctions against intermediaries whose services are used by a third party to infringe copyright. The requested injunction consisted of suspending the provision of internet access to the infringer. The possibility of asking for injunctions against intermediaries is contemplated in art. 8(3) and Recital 59 of the EU Copyright Directive, though the specific modalities of such injunctions are left to Member States’ national law.

Strikingly enough, the ISP chose not to answer the complaint and didn’t intervene at all in the lawsuit.

The court of first instance dismissed the claim, holding that the user’s conduct was not infringing. The Court of Appeals reversed and held that the user’s acts were indeed infringing as they constituted unauthorized acts of reproduction and making available to the public. It held therefore that plaintiffs were entitled to the sought injunction.

Some difficult questions arise from this case – I will highlight just a few.

First, the user was not a party in the proceedings, as the lawsuit was filed only against the ISP. This poses the question of whether the infringement could be found without summoning the allegedly infringer – though it is of course unlikely that the user could have successfully invoked a defense against the finding of infringement.

Second, articles 138 and 139.1.h) of the Spanish Copyright Act require the injunction to be objective, proportionate and non-discriminatory. The court, however, did not assess at all whether such a radical measure satisfied the required proportionality.

Third, and closely linked to the question of proportion, an IP address does not necessarily identify a single individual as it could have been shared by different people.

Finally, the real effect of the injunction is rather dubious, as the infringer can easily shift to a different access provider.

Website operator sentenced to 18 months of prison for linking to P2P

November 17, 2013

Two recent rulings handed down in Spain have reached opposite conclusions on the much debated question of whether or not linking to copyright infringing content amounts to an act of communication to the public, and thus can be characterized as a primary infringement.

Both rulings come from criminal courts. In the first one, the case of and, the court held that linking to files located in P2P networks does not constitute a communication to the public, being instead a merely intermediary act (see Auto del Juzgado de Instrucción número 4 de Bilbao, August 30, 2013). The court notes that, in addition, the safe harbors laid down in the Spanish Information Society Services Act would apply.

In contrast, in a more recent ruling, the case of, another criminal court found that the website operator did engage in a communication to the public when providing links to infringing content hosted in P2P networks (see judgment 453/13 Juzgado de lo penal número 4 de Castellón, October 30, 2013). The court rejected the claim that the activity is sheltered by the linking safe harbor of the Spanish law. As a result, the website operator was sentenced to 18 months of prison (which most likely will not be effective, as is usual in sentences below 2 years) plus a fine. In addition, damages were awarded to the right owners who brought the action.

These rulings show how the issue is still debated in Spain. While most of the rulings in Spain have reached the conclusion that websites providing links to infringing material do not realize an act of communication to the public, some others have come to the opposite result. This debate has taken place for the most part in criminal procedures brought by right owners (a list of cases can be found here, in Spanish).

Of course, this is by no means just a domestic debate. Some references for a preliminary ruling which address directly this question are pending before the CJUE (see cases C-466/12, Svensson; C-279/13, C More Entertainment AB), and different opinions have been put forward by entities such as ALAI and the European Copyright Society.


Get every new post delivered to your Inbox.