Impact of EU Citizens’ “Right to Be Forgotten” on US Companies

The European Court of Justice (ECJ) recently held that Google must, under certain circumstances, provide European Union (EU) citizens with the right to remove information about themselves, including the list of results displayed following a search of their name^.[1] This decision is likely to have a significant impact on certain US companies that do business in the EU.

Background

In 2009, Mario Costeja Gonzalez, a Spanish resident, filed a complaint with the Spanish National Data Protection Authority (AEPD) against Google Spain, Google, Inc. (collectively, “Google”), and La Vanguardia Ediones SL, a Spanish online newspaper that reported his financial debts and the forced auction of his house. Gonzalez claimed that he resolved the financial issues many years ago, and the publication of this obsolete information was damaging to his reputation. He demanded that the newspaper and Google delete links to the story.

The AEPD dismissed the claim against the online newspaper, holding that it had lawfully published the information, but it upheld the complaint against Google, finding that Google is a Data Controller^[2] and thus subject to the European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (the “EU Directive”). Google appealed the decision, and the National High Court of Spain eventually referred the matter to the ECJ for a preliminary ruling.

Key Legal Issues

The EU Directive prohibits Processing Personal Data^[3] unless it is done in a “fair, lawful and legitimate” manner. In practice, this means Data Processors^[4] must process Personal Data^[5] consistent with a number of data quality principles, including without limitation destroying Personal Data when it is obsolete (i.e., irrelevant to the purpose for which it was collected). In addition, the Data Controller’s Processing of Personal Data must further the Data Controller’s legitimate interests without infringing the data subject’s fundamental rights and freedoms (which includes the human right to privacy).

The ECJ considered several key legal issues, including whether:

(1) Google’s automatic indexing of Personal Data made Google a Data Processor;

(2) Google’s operation of a search engine caused it to determine the purposes and means of Processing Personal Data, and thus be considered a Data Controller; and

(3) the Personal Data relating to Costeja Gonzalez was obsolete.

Google’s search function takes place in the US, but the advertising sales function (which collects Personal Data about EU citizens and makes the search function economically profitable) takes place in Spain. The ECJ held that the two activities were “inextricably linked,” and that Google was deemed to be a Data Controller, because it was determining the means and purposes for Processing Personal Data in a EU member state. Consequently, Google was held to be subject to the ECJ’s jurisdiction and the EU Directive. The ECJ did not give substantive guidance as to what constitutes obsolete Personal Data, but it did further note that “the economic interest of the operator of the search engine [and] also the interest of the public” in having the information about the individual is outweighed by an individual’s human right to privacy.

ECJ preliminary rulings are legally binding, and Google cannot appeal this decision. The Spanish court is now applying the ECJ’s holding to the underlying case, and Google is reportedly developing a tool that enables users to remove links about themselves.

Scope of the Decision

Only Applies to EU Citizens

For the time being, the right to be forgotten only exists in the EU. However, EU privacy law has functioned as a model for the privacy laws in many other countries, so this decision might have the effect of pressuring other countries to recognize the right to be forgotten as well.

Only Applies to Published Data

This decision only applies to published Personal Data. In the future, EU citizens may seek to extend the “right to be forgotten” to unpublished Personal Data, including without limitation marketing data.

Impact of the Decision on US Companies

This decision will likely have a significant impact on US companies can be classified as Data Processors or Data Controllers and publish Personal Data.

Corporate Structures and Business Operations

This case establishes that companies who set up European affiliates, subsidiaries or other corporate entities to perform certain functions (such as running advertising and Personal Data collection operations), but who have servers or operate other portions of their business in the United States will not necessarily be exempt from EU jurisdiction or from being classified as Data Controllers who are subject to the EU Directive. Companies who could potentially be categorized as Data Controllers and who publish Personal Data should review their corporate structures, business operations and business plans in light of this.

Implementation of the Right to Be Forgotten

The ECJ gave Google very little guidance in its decision as to how to implement the right to be forgotten. Absent such guidance, companies will need to work closely with EU regulators to confirm that their practices and processes conform with EU law.

Companies impacted by this decision also must decide whether to apply the right to be forgotten to all users or just to users who are EU citizens. They must consider whether it is more cost-effective to implement the right to be forgotten company-wide vs. having a separate process for EU citizens. They must also carefully consider how implementing the right to be forgotten for all customers vs. just for EU citizens may impact customer relations.

Impact on Company Services

The right to be forgotten will likely impact Internet search findings. As the right to be forgotten is implemented, Internet searches in Europe will likely return different and less complete search results than in other countries. This in turn may impact companies’ product and service offerings or adversely impact companies’ ability to efficiently target ads and promotions to EU consumers or users.

Terms of Use Agreements

US companies often have Terms of Use Agreements for their Internet offerings, and these Terms of Use Agreements typically specify that users of their Internet offerings grant them a perpetual license to use, copy, publicly display, publicly perform, etc. any content or Personal Data the user provides to the company. The scope of the license (i.e., the reasons for which the company can use, copy, publicly display, etc.) such content or Personal Data) varies depending on the circumstance. Companies who may qualify as Data Controllers can no longer rely upon the licenses in such Terms of Use Agreements, because the ECJ holding effectively states that notwithstanding any such license EU citizens can have their Personal Data, under most circumstances, removed at any time. Such companies will need to modify their Terms of Use Agreements accordingly.

Conclusion

There are many questions left unanswered by the decision, including how it should be implemented. The consequences of this decision are likely to have an impact on how companies conduct business around the world, and we will only be able to see the full extent of it as implementation begins over the coming months.

For further information about this or related matters, please contact Helen Christakos at helen.christakos@kayescholer.com.

[1]C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González.

[2] “Data Controller” means meaning anyone who determines the purposes and means of “Processing Personal Data.”

[3] “Processing Personal Data” means any set of operations performed on personal data including without limitation, collecting, recording, organizing, storing, retrieving, using or disclosing by transmission or dissemination.

[4] “Data Processor” means anyone who processes personal data for a Data Controller.

[5] “Personal Data” means information about any identified or identifiable natural person, meaning anyone who can be identified, directly or indirectly, by reference to an ID number or by one or more factors specific to his physical, physiological, mental, cultural or social identity.