• No results found

CHAPTER 2: THE GREAT DEBATE OF INTERNET INTERMEDIARIES'

B. Google Spain and the Right to be Forgotten

In the main proceedings, Mr. González lodged a complaint with the Spanish Data Protection Agency (AEPD) against a daily newspaper (LaVanguardia) along with Google Spain and Google Inc. on the ground that his name appeared in the top results of Google search associated with a newspaper article about a real estate auction for the recovery of social security debts that he had owed 16 years ago. He requested removal or alteration of those pages from the newspaper’s website and the links from Google for the protection of his privacy. The applicant’s request against a newspaper was rejected by the AEPD on the ground that publication of the concerned information was lawful. However, the removal request directed to Google Spain and Google Inc. was upheld on the ground that the search engines’ activity was subject to the data legislation as it is a medium for dissemination of data. Accordingly, the obligation to erase the data should be on them regardless of whether that data remained in place on any other website.148 Google Spain and Google Inc. then appealed the decision to the Spanish High Court which stayed the proceedings and referred preliminary questions related to the application of DPD to the CJEU as this was the Directive in application at the time. As stated, the DPD does not exclusively provide a RTBF, but it does state that the data subject can ask for erasure or block the processing if it does not comply with the principles established in the Directive149. Briefly, the referred question in relation to this chapter was whether the search engine at issue could be classified as a processor or controller of the data or both and ‘what obligations are owed by operators of search engines to protect personal data

147 Joined cases C-236/08 to C-236/10 Google France [2010] ECR I-02417, para 120. 148 Case C-131/12 Google Spain (13 May 2014), paras 16-17.

of persons concerned who do not wish that certain information, which is published on third parties’ websites and contains personal data relating to them that enable that information to be linked to them, be located, indexed and made available to internet users indefinitely.’150

After the examination, the CJEU set out three points of relevance to this thesis:

1. The search engine was classified as ‘processor of personal data’ under Art.2(b) 151 as well as controller under the Art.2(d) given that it was the one who determined the purposes and means of the data processing.152

2. It was held that it is search engines’ obligation to ‘remove from the list of results

displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.’153

3. The request regarding the removal of such results that consist of personal data must be assessed in relation to the fundamental rights of the data subject and the interests of the public. Accordingly, a balance must be struck on a case-by-case basis.154

What should be highlighted from these is that the obligation to remove the data from the search results was held to be the search engine’s obligation when the data is inadequate,

irrelevant or no longer relevant or excessive. This is the RTBF which is exclusively

provided in Art.17 of the GDPR. A search engine, therefore is under a duty to remove the concerned data from the search results and with regard to Art.17 of GDPR it should act

without undue delay. However, if it is otherwise stated, a search engine, as an

intermediary, appears to have the discretionary power in to assess request for removal.

150 Case C-131/12 Google Spain (13 May 2014), para 19.

151 Ibid, para 41. as its operation ‘consists in finding published or placed on the Internet by third parties,

indexing it automatically, storing it temporarily, and finally making it available to the Internet users according to the particular order of preference.’

152 Ibid, para 41. It was also held that ‘If the operator of a search engine has branch or subsidiary in a

member state to promote and sell advertising space offered by that engine, then this operation must be regarded as an establishment of the controller by virtue of the Art.4(1)(a)’ in the paras 55-60.

153 Ibid, para 88. 154 Ibid, para 99.

This points to the same challenging issue that underlies the intermediaries’ liability regime - that of striking a delicate balance between the parties.

It is evident that this case was not related to the liability of Google as was in Google

France. Instead, Google’s duty as a data controller/processor was the question before the

Court. Nevertheless, these two cases are relevant to the liability regime discussion as both considered the same intermediary: Google. On the one hand, Google can benefit from the immunity for its AdWords service if it is not actively involved in the provision of the service. On the other hand, it is under a duty to remove the data which is inadequate, irrelevant etc. when its activity as a search engine amounts to be a data controller. Why this is important for the liability regime is because as the GDPR has the provision that states that the GDPR applies without prejudice to the immunity rules provided in Arts.12- 15 of the ECD, the interaction between those two legislations might have an impact on the liability regime in general. Obligations imposed on the intermediaries under the GDPR may affect an assessment undertaken under the immunity regime. This is because the immunity is provided for intermediaries whose involvement in the provision of the service remain passive. However, the GDPR imposes duties on the data processors and controllers which may put the passivity of that intermediary in jeopardy or may amount to general monitoring duties prohibited in Art.15 ECD. Although it can be argued that the assessment of active/ passive and processor/ controller are different, the fact that the intermediaries’ liability or obligations would be both content based and arise from their users’ activity regardless of being active/ passive or data controller/ processor.

It is also evident that an intermediary is under a duty to take down the content both under the GDPR and ECD. In that respect, the question is should this duty be governed under by the same rules regardless of intermediaries’ position. Unfortunately, the Regulation does not provide further clarity on the interaction between the GDPR and the ECD. This lack of clarity, therefore, appears to be a new challenge for the liability regime.

Ultimately, some aspects of the CJEU’s holding in Google Spain should be underlined in terms of fundamental rights. The discretion given to Google in assessing the removal request raises concerns, especially as to the users’ right to freedom of expression. It is for Google to assess and strike the right balance. Given that Google is a private business, the transparency in its assessment has raised concerns in academia. Academics from all around the world wrote an open letter directed against Google 2015 seeking more

transparency from Google especially on the points of reasons for denial or grant delisting as the Transparency Report published by Google was considered lack of the required transparency on these points.155 Those appear to be another challenge in achieving the goal of striking a delicate balance.

In conclusion, the long-term impacts and reflections of this decision over the national courts and search engines remain to be seen in terms of understanding the issue in more detail, especially from the immunity rules aspect. Yet, the most significant point in respect of the subsequent chapter is the varying obligations imposed on the intermediaries for the purposes of the protection of data online when they are data processors and controllers. Therefore, it would be difficult to state that there is a uniform intermediary regime under EU. This, however, should not be understood as the liability regime established within the ECD. What is meant here is the intermediaries’ position and how the rules have been shaped from the different rights’ aspect. It is evident that the intermediaries and their responsibilities are shaped rather differently when the issue comes to data protection.

V. FUNDAMENTAL RIGHTS