Google and Data Protection – Again!
By Professor Lorna Woods
A new reference has landed on the ECJ’s desk: Google Spain and Google (Case C-131/12) from the Audiencia Nacional in Spain.
The ECJ official website is a bit thin on details, but this seems to be the same case reported by Reuters. That case concerns the right to be forgotten – implicit in the current data protection regime (but which would be made explicit were the draft Data Protection Regulation ever to come in to being).
While the judge apparently referred a number of questions, including one about jurisdiction, the central issue is whether Google should be obliged to delete data referring to individuals. The impetus for the cases comes from aggrieved individuals who have applied to the Spanish data protection authority to have information deleted. This case is likely to be one that is closely watched given the likely stormy passage of the proposed Data Protection Regulation.
Central to the discussion will be the relationship between the e-Commerce Directive (Directive 2000/31/EC) and the Data Protection Directive. While the e-Commerce Directive shields ISPs from liability in a range of circumstances, that directive is expressed not to apply to ‘questions relating to information society services covered by Directives 95/46/EC and 97/66/EC’ (article 1(5)(b) e-Commerce Directive and Recital 14). Directive 95/46/EC is, of course, the current Data Protection Directive.
Google is, of course, not unfamiliar with the exception to the e-Commerce Directive, as it arose when directors of Google were charged under Italian data protection laws relating to user generated content (UGC) posted on a You-Tube type service operated by Google. The UGC was a clip from a mobile phone which showed some boys bullying another boy with Downs Syndrome. The Google executives were given 6 month suspended gaol sentences. A decision on appeal was due to be handed down by the Court of Appeal in Milan in 2011, though in September the case, according to one of those involved (Peter Fleischer) had not been assigned. One would hope that in the interests of timely just that this issue is decided before the ECJ hands down its ruling in Case C-131/12.
If the non-availability of the hosting exceptions, then presumably the key issue is the scope of the rights under the DPD. Therein lies the rub. While the DPD is set against a privacy (Article 8 ECHR) backdrop, it does not grant any particular right to be forgotten. Instead, the DPD provides how data should be managed, which includes the archiving and deletion obligations. How far the ECJ is prepared to push this, especially in the light of data protection as a fully fledged right in the EU Charter, remains to be seen. This is the new contentious issue in the privacy/freedom of expression debate. For a range of views see: Google’s privacy counsel; a security consultant; and an academic viewpoint [PDF], among, no doubt, many more.