SEARCH ENGINE LIABILITY UNDER THE LIBE DATA REGULATION PROPOSAL: INTERPRETING THIRD PARTY RESPONSIBILITIES AS INFORMED BY GOOGLE SPAIN

Transcription

1 SEARCH ENGINE LIABILITY UNDER THE LIBE DATA REGULATION PROPOSAL: INTERPRETING THIRD PARTY RESPONSIBILITIES AS INFORMED BY GOOGLE SPAIN COOPER MITCHELL-REKRUT* ABSTRACT The right to be forgotten now branded as the right to erasure has been publicized as one of the four pillars of the EU s proposed General Data Protection Regulation. Although the right to erasure is not promised to be an absolute one, it has been retained and strengthened in subsequent drafts of the proposed Regulation. However, technological, jurisdictional, and other practical limitations to effectively erasing data remain substantial. Accordingly, search engines are at risk of becoming a central battleground for efforts to make undesirable data effectively inaccessible, if not actually erased. In June 2013, First Advocate General of the European Court of Justice Niilo Jääskinen issued an advisory opinion on Google Spain, a case that directly addressed the liability of search engines under the right to be forgotten. The advisory opinion counseled strongly against according liability for erasure to search engines for the independently published content that they neutrally catalogue. Although the Advocate General analyzed Google Spain under the EU Data Protection Directive, the opinion is useful for considering the proposed Regulation and addressing problems that may appear therein. The Regulation s most recent draft proposal in particular creates problematic ambiguity as to the possibility of search engine liability either as a third party or a controller. In order to avoid the potentially severe consequences of subjecting search engines to such liability, as noted in Google Spain, search engines should be considered third parties, not controllers. Further, the right to erasure should be clarified to ensure that direct liability does not extend to third parties. Finally, in as much as search engines might be considered controllers, the bases of lawful processing enumerated in the Regulation should directly accommodate neutral search engines instead of requiring that they seek legal refuge in derogations by individual member states. * Cooper Mitchell-Rekrut is a student at Georgetown University Law Center (expected date of graduation: May 2015) and an Executive Editor on the Georgetown Journal of International Law. This Note was influenced in large part by discussions with Professor David Stewart, though any errors made herein are attributable only to the author. 2014, Cooper Mitchell-Rekrut. 861

2 GEORGETOWN JOURNAL OF INTERNATIONAL LAW I. INTRODUCTION II. GOOGLE SPAIN AND THE RIGHT TO BE FORGOTTEN A. Facts and Context of Google Spain B. Questions for the European Court of Justice First Category of Questions: Territorial Scope and Jurisdiction Second Category of Questions: Categorization of Search Engines a. Relevant Conduct of Search Engine b. Processing of Personal Data and the Search Engine as Controller c. A Search Engine s Responsibilities as Controller Third Category of Questions: The Right to Be Forgotten III. DIFFERENCES BETWEEN DIRECTIVE AND REGULATION PROPOSALS. 874 A. Territorial Scope of the Regulation B. Penalties for Violation C. Article 17: The Right to Erasure The Article 19 Right to Object and Article 6 Lawfulness of Processing Article 17(1): Circumstances Warranting Erasure Generally Article 17(2): The Trigger for Third Party Erasure Article 17(3): Exemptions From Erasure IV. ANALYSIS OF SEARCH ENGINE LIABILITY UNDER LIBE PROPOSAL A. Territorial Jurisdiction and Fines B. Challenges of Liability C. Functional Efficacy of Search Engine Liability V. RECOMMENDED CHANGES AND CLARIFICATIONS A. Categorization of Search Engines B. Avoiding Third Party Liability C. Search Engines As Controllers VI. CONCLUSION [Vol. 45

3 SEARCH ENGINE LIABILITY I. INTRODUCTION In 2012, the European Commission proposed an initial draft proposal (Commission Proposal) 1 of the General Data Protection Regulation (Regulation). The Regulation is intended to improve upon and supercede the European Union (EU) Data Protection Directive (Directive), 2 which was enacted in 1995 and continues to be enforced today. Unlike an EU Directive, which is addressed only to member states and may be implemented according to the member states choice of form and methods, an EU Regulation is directly binding at both the Union and national level. 3 The central goal of the proposed Regulation on data protection appears to be streamlining data compliance and regulation by creating a single Data Protection Authority for the EU a one stop shop and ensuring the mutual enforceability of member states rulings under the Regulation. 4 In addition to these structural changes, the Commission Proposal further included a new and controversial right to be forgotten. 5 This right has been represented as one of the four pillars of the new Regulation. 6 In October 2013, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) considered and consolidated nearly four thousand proposed amendments to the Commission Proposal into a new proposal (LIBE Proposal) 7 that was adopted by the Com- 1. Commission Proposal for a Regulation of the European Parliament and of the Council, COM (2012) 11, art. 4(2) (Jan. 25, 2012) [hereinafter Commission Proposal], available at eu/lexuriserv/lexuriserv.do?uri COM:2012:0011:FIN:EN:PDF. 2. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) [hereinafter Data Protection Directive], available at OJ:L:1995:281:0031:0050:EN:PDF. 3. T.C. HARTLEY, THE FOUNDATIONS OF EUROPEAN UNION LAW (7th ed. 2010). 4. Press Release, European Commission, LIBE Committee Vote Backs New EU Data Protection Rules (Oct. 22, 2013), available at 5. While EU data advocates have previously held that the right to be forgotten was not actually a discrete right, but the effective result of several fundamental data principles, the Regulation explicitly includes the right to be forgotten as an independent article. See Sophie Kwasny, Why Online Privacy and Data Protection Still Matter, HUM. RTS. EUROPE (Sept. 23, 2012), 6. Press Release, supra note EUROPEAN PARLIAMENT AND COUNCIL OF EUROPEAN UNION, PROPOSAL FOR A REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, COMPROMISE AMENDMENTS (COM (2012) 0011 C7 0025/ /0011(COD)) (Oct. 22, 2013) [hereinafter LIBE PROPOSAL], available at ] 863

4 GEORGETOWN JOURNAL OF INTERNATIONAL LAW mittee. 8 The passage of the LIBE Proposal represents a significant step toward the EU s official adoption of the Regulation. 9 Several of the LIBE s changes expand upon and strengthen the right to be forgotten. 10 Separately, in 2012, Spain s Agencia Española de Protección de Datos (AEPD) referred a series of questions to the European Court of Justice (ECJ) in the case of Google Spain. 11 These questions pertained to the territorial scope of the Directive; the appropriate categorization of search engines under the Directive; and the applicability of a right to be forgotten to search engines, if indeed such a right can be said to exist under the Directive. 12 Niilo Jääskinen, Advocate General (AG) of the ECJ, issued an advisory opinion to the court in June of 2013, providing an early indication as to how the court might rule in its final judgment. 13 However, future search engine defendants will face a radically altered statutory landscape if the Regulation as drafted by the Commission and adopted by the LIBE becomes EU law. 14 This Note will consider the risks of the right to be forgotten as it might apply to search engines in the most recent draft Regulation, the LIBE Proposal. The analysis will draw from the ECJ AG s recent advisory opinion in Google Spain, both as a factual premise and as a source of interpretive reasoning. In Part II, I will review the reasoning of the ECJ AG in the case of Google Spain. In Part III, I will compare the statutory language of the Directive relied on in Google Spain to the LIBE.pdf. 8. Press Release, supra note 4. The other three pillars of the Regulation are Pillar One: One continent, one law... ( The European Parliament agrees that the new data protection law for the private and public sector should be a Regulation, and no longer a Directive. ), Pillar Two: Non-European companies will have to stick to European data protection law if they operate on the European market, and Pillar Four: A One-stop-shop for businesses and citizens. Id. 9. Id. The LIBE vote gives a mandate to the Rapporteurs, MEPs Albrecht and Droutsas, to negotiate with the Council of the EU. Id. Generally, legislation must be agreed upon by both the EU Parliament and the EU Council before it is officially adopted as law. BARRY E. CARTER & ALLEN S. WEINER, INTERNATIONAL LAW 515 (6th ed. 2011). 10. See Press Release, supra note Case C-131/12, Google Spain SL v. Agencia Española de Proteción de Datos (AEPD) (Advisory Opinion of Advocate General Nillo Jääskinen), CCH-PLMKG 60866, 2013 WL (June 25, 2013) [hereinafter Google Spain]. 12. Id See generally id. The advisory opinion of an Advocate General is not binding on the ECJ, but is considered with great care by the Judges when rendering a final decision. T.C. HARTLEY, THE FOUNDATIONS OF EUROPEAN UNION LAW 47-56, 58, 70 (7th ed. 2010). 14. See infra Parts II and III. 864 [Vol. 45

5 relevant language in the current LIBE Proposal, including special attention to instances where the LIBE Proposal differs from the earlier Commission Proposal. In Part IV, I will consider how search engine liability might be analyzed under the LIBE Proposal, and in Part V, I will argue that search engines should not be subjected to liability under the right to be forgotten and make recommendations for clarifications to the proposal by drawing on principles employed in the Google Spain advisory opinion. II. SEARCH ENGINE LIABILITY GOOGLE SPAIN AND THE RIGHT TO BE FORGOTTEN On June 25, 2013, ECJ AG Niilo Jääskinen issued a highly anticipated advisory opinion to the court in Google Spain. 15 Scholars and commentators expected that the AG s advisory opinion would offer early indications of the extent to which the right to be forgotten if it exists at all under the Directive could be vindicated by the ECJ. 16 Indeed, cases akin to Google Spain, in which an individual seeks to erase an aspect of his or her online history by suing a search engine, have been abundant in Spain for the past several years. 17 Google Spain itself, however, presented a unique opportunity to consider search engine liability as entirely distinct from the original publisher s liability because the personal data at issue has been published pursuant to Spanish law and was indisputably legal. 18 A. Facts and Context of Google Spain The facts of the Google Spain case involved an attempt by a Spanish citizen, Mr. Mario Costeja González, to erase from the internet personal data pertaining to himself that he believed was irrelevant and misleading. 19 The data at issue took the form of two announcements published in 1998 in the print edition of a Spanish newspaper, and which were thereafter made available online by the newspaper s pub- 15. See Google Spain, supra note See id. 23; see, e.g., Muge Fazlioglu, Forget Me Not: The Clash of the Right to Be Forgotten and Freedom of Expression on the Internet, 3 INT L DATA PRIVACY L. 149, 153 (2013) ( The ruling of this case is certain to enlighten the debate over whether search engines are data controllers, clarify their obligations, and could establish a benchmark for European rules of online personal data protection and the right to be forgotten. ). 17. See Google Spain, supra note 11, See id See id ] 865

6 GEORGETOWN JOURNAL OF INTERNATIONAL LAW lisher. 20 The announcements concerned a real estate auction connected with attachment proceedings prompted by social security debts, identifying Mr. González as the owner of the property. 21 By November of 2009, Mr. González had discovered that a Google search for his first and last name yielded results pertaining to the real estate auction. 22 Mr. González eventually pursued his complaint with the AEPD, requesting that the original publisher be required to remove the data, and further asserting that Google Spain SL (Google Spain) should be required to remove or conceal his data. 23 Mr. González argued that his social security debt had been resolved many years earlier and was of no relevance. 24 As Mr. González complained in 2013, according to Google, I m still in debt and married. 25 The AEPD rendered a decision on July 30, 2010, calling on Google, Inc., (Google) and Google Spain to take necessary measures to remove the data from their search indices, rendering the newspaper announcements inaccessible via Google search. 26 However, the AEPD denied Mr. González s complaint against the publisher, finding that the data s inclusion in the newspaper announcements has been legally justified. 27 Google and Google Spain appealed the decision, and the Spanish national court stayed the proceedings, referring questions to the ECJ. 28 B. Questions for the European Court of Justice The questions referred to the ECJ fell into three categories. 29 The first pertained to the territorial scope of the Directive, specifically concerning whether Google, based in the United States, was under the jurisdiction of the Directive by virtue of Google Spain s conduct in the EU. 30 The second category of questions pertained to the scope of the Directive s application. 31 Specifically, the court sought to deter- 20. See id See id. 22. See id See id See id Paola Obelleiro, Según Google, Sigo Siendo Deudor y Casado, EL PAÍS (Mar. 21, 2013), See Google Spain, supra note 11, See id. 22. In fact, the announcements were effected by the Spanish Ministry of Labour and Social Affairs and were explicitly required by Spanish law. Id Id See id See id. 31. See id. 866 [Vol. 45

7 SEARCH ENGINE LIABILITY mine whether Google was properly considered a data controller under the Directive, as only data controllers are directly liable for erasure of data under the Directive. 32 Finally, the court was asked whether the right to be forgotten could properly be applied to a search engine. 33 At the heart of the case was the curious question as to whether a search engine could be liable for content published by a third party in the absence of any finding that the original publication itself violated a law. A few factors should be noted that circumscribe the potential for applying the AG s reasoning to the LIBE-supported draft of the Regulation. Not only is the advisory opinion not binding on the ECJ affording only an uncertain indication as to how the court might rule but the opinion expressly restricts its discussion to the Directive, setting aside the un-enacted draft Regulation. 34 This is significant both because the actual text of the Directive differs from the Regulation at several crucial points, and because the AG s analytical mode is highly informed by the chronological and technological distance between the Directive s initial proposal in 1990 and the case before the court in The AG refers several times to the vast technological divide of nearly two decades as being central to the court s rule of reason or principle of proportionality. 36 It may be that a Regulation passed in 2014 would not warrant such a careful and admittedly non-literal interpretation. 37 In spite of these potential limitations, the AG s opinion does provide some valuable insight for consideration of the proposed Regulation. 1. First Category of Questions: Territorial Scope and Jurisdiction I will address the AG s analysis of the territorial question only briefly because it would be rendered irrelevant under the Regulation if the law were passed as drafted by the Commission or LIBE. 38 The Regulation s proposed territorial scope is significantly broader than that of the Directive. Whereas the AG undertook several pages of analysis to determine that Google was within the territorial scope of the Directive, 32. See id.; Data Protection Directive, supra note 2, art. 6(2) ( It shall be for the controller to ensure that paragraph 1 is complied with ). 33. See Google Spain, supra note 11, See id See id Id See id See infra Parts II.A, III.A. 2014] 867

8 GEORGETOWN JOURNAL OF INTERNATIONAL LAW the question would yield a straightforward affirmative under the Regulation Second Category of Questions: Categorization of Search Engines a. Relevant Conduct of a Search Engine Under the second category of questions, Jääskinen considered the role of a search engine under the Directive. 40 In so doing, he laid out exactly what type of conduct was at issue. 41 The AG s description of search engine conduct below will be considered accurate for discussion throughout this paper, including in the context of interpreting the Regulation in Parts III and IV and the proposals made in Part V. 42 Jääskinen s inquiry was limited to the conduct of a search engine in its provision of search results that direct the internet user to the source web page, as distinct from the search engine s retention and processing of the internet searcher s own personal data, such as an IP address. 43 Jääskinen further divided the relevant conduct into three aspects. First, a search engine does not in principle create new autonomous content, but rather indicates where autonomous content may be found and provides the user with a hyperlink. 44 Second, search results do not perform an instant search of the entire World Wide Web. 45 Rather, content has previously been gathered, processed, copied, and indexed. 46 Finally, search engines often provide some portion of the source web page s content alongside the link to make results more user-friendly and useful. 47 These clips of source material can be at least in part retrieved from the search engine s own copied catalogue, rather than directly from the source web page See Google Spain See id See id. 3, The AG s framing of what is meant by a search engine addresses only the most essential functions of an engine. Whereas major search engines, most notably Google, have undertaken all manner of ancillary enterprises, it would be outside the scope of this Note to consider more than the basic cataloging and provision of search results by search engines. 43. See Google Spain 3. The publication of the source web page is of course also a distinct act in the context of the Directive. Id. 44. See id See id See id. 47. See id See id. 868 [Vol. 45

9 SEARCH ENGINE LIABILITY b. Processing of Personal Data and the Search Engine as Controller A core issue in [the] case 49 and the key determination in the second category of questions posed to the ECJ was whether a search engine should merely be categorized as engaged in processing of personal data or whether it is also a controller of such data. 50 Processing of personal data, under the Directive, is defined quite broadly to include any operation performed upon personal data, including collection, recording, organization, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. 51 Given the broad definition of processing, Jääskinen employed only cursory analysis to find that a search engine s processes of indexing, storing, and making data available to users could indeed properly be deemed processing. 52 However, Jääskinen was less willing to consider a search engine a controller of data, even though he conceded that it might be a logical conclusion of a literal and perhaps even teleological interpretation of the Directive. 53 Under the Directive, a controller determines the purpose and means of the processing of personal data. 54 In large part, the AG s distinction relies on the search engine s robotic and procedural indifference to personal data qua personal data. 55 Certainly, a determination of purpose and means was made at Google at some points in the search engine s design, but the engine s mechanical interaction with each discrete datum and each source web page on the internet does not constitute a new controlling determination. 56 In the case of Google, processing is conducted by googlebot, the crawler function that constantly and systematically visits source web pages, requests copies, and records keyword and search terms. 57 A complex 49. Id Id. 69. The opinion notes that half of the questions in the second category are not relevant if a search engine were not considered a controller, id. 69, and none of the questions in the third and final category could be relevant in that instance either, id Data Protection Directive, at art. 2(b). 52. See Google Spain In my opinion an affirmative answer to this sub-question does not require much discussion. Id Id. 77. Jääskinen acknowledges that, at least in some sense, a search engine indisputably makes determination of purpose and means, but not in the sense implied by the term controller. 54. Data Protection Directive, art. 2(d). 55. See Google Spain See id See id ] 869

10 GEORGETOWN JOURNAL OF INTERNATIONAL LAW algorithm assesses the relevance of those search results. 58 Indeed, the search engine service provider is not aware of the personal data on the web pages it catalogues, except in the broad sense of the statistical likelihood that a given page may include personal data. 59 A search engine is thus not aware of the personal data in the sense that awareness is a prerequisite to determining the purpose and means of processing the personal data. 60 To conclude that a search engine is a controller of personal data would apply the definition of controller too broadly and fail to achieve a reasonable outcome. 61 Jääskinen s consideration of the practical implications of such a broad reading of controller further supported his refusal to apply the term to search engines. Jääskinen considered the opinion of the Article 29 Working Party, established under Article 29 of the Directive to provide advice and opinion on the Directive, that the concept of controller is intended to allocate responsibility. 62 An interpretation of controller that includes a search engine might also, Jääskinen considered, encompass a law professor who downloads the essential case-law of the ECJ to his laptop, as personal data is certainly contained therein. 63 Further, any person reading the news on his smartphone or tablet might be liable for controlling personal data. 64 Employing the principle of proportionality, Jääskinen advised that such an interpretation should not be accepted. 65 c. A Search Engine s Responsibilities as Controller Despite the above recommendations, the AG outlined a few situations in which a search engine might be reasonably considered a controller. 66 Notably, such interpretations apply predominantly at a meta level, pertaining to the search engine s design and implementation, rather than its interaction with specific source web pages. For 58. See id. 59. Id Id. 80 (quoting Directive Article 2(d) (emphasis added by Jääskinen)). Personal data does not manifest itself distinctly from any other data robotically processed by a search engine. Id Id. 77, See id. 83 (citing Opinion 1/2010 on the concepts of controller and processor, Article 29 Data Protection Working Party, p. 9 (Feb. 16, 2010)). 63. See id See id. 65. See id See id [Vol. 45

11 SEARCH ENGINE LIABILITY instance, Jääskinen suggested that a search engine might have controller liability in the sense that it decides whether or not to comply with exclusion codes. 67 Further, a search engine might have controller liability where it fails to update its cache in response to a request of a source web page that has changed its content. 68 Such actions represent policy level determinations that could reasonably undercut a search engine s claim to neutrality. In as much as the ECJ might, in its final opinion, consider search engines to be controllers under the Directive, Jääskinen considered the obligations of a search engine under the Directive s Article 7, which outlines the instances in which data may be legally processed. 69 To this end, Jääskinen thought it obvious that search engines pursue legitimate interests, as authorized under Article 7(f) of the Directive. 70 These interests include making information more easily accessible for internet users, rendering dissemination of the information... more effective, and enabling information society services, such as keyword advertising, which are ancillary to the search engine. 71 Such interests are related to fundamental rights embodied in the Charter of Fundamental Rights of the European Union (Charter), including freedom of information and expression and freedom to conduct a business. 72 Accordingly, the opinion maintains that even as a controller, an internet search provider pursues legitimate interests, within the meaning of Article 7(f) of the Directive, when he processes data made available on the internet, including personal data. 73 Continuing the analysis of search engines as controllers, in arguendo, Jääskinen found that search engines meet their obligations under Article 6 of adequacy, relevancy, proportionality, accuracy and completeness. 74 With respect to the temporal aspects of Article 6 (that information be up to date and not stored longer than necessary), the court indicated that such issues should be considered only in the context of the search engine s actual performance, rather than conflating the search engine s responsibility with that of the source web page s 67. See id. 91. Exclusion or do not track codes allow source web page designers to communicate to search engines their unwillingness to be indexed and made searchable. Id. 68. See id Data Protection Directive, supra note 2, art. 7. Article 6(2) of the Directive indicates that it shall be for the controller to ensure that data is processed fairly and lawfully. Id. art See Google Spain 95; Data Protection Directive, supra note 2, art. 7(f). 71. See Google Spain See id. 73. See id. 74. Data Protection Directive, supra note 2, art. 6(c)-(d); See Google Spain ] 871

12 GEORGETOWN JOURNAL OF INTERNATIONAL LAW controller. 75 That is to say, a search engine should be considered compliant with Articles 6 and 7 so long as it accurately reflects the content of the source web pages that it indexes and copies. 3. Third Category of Questions: The Right to Be Forgotten In the third group of questions, Jääskinen noted that the opinions expressed are only relevant if the court rejects the conclusion that Google is not a controller or in as much as the court finds that Google is a controller in the limited contexts discussed above. 76 The question boils down to whether Articles 12(b) and 14(a) constitute a right to be forgotten that can be exercised directly against a search engine by a data subject. Although he found that no absolute or unqualified right to be forgotten can exist under the Directive, 77 the AG s analysis further supports his reluctance to expose search engines to controller liability. Article 12(b) provides that data subjects may obtain from the controller, as appropriate[,] the rectification, erasure or blocking of the data processing which does not comply with the provisions of [the] Directive, in particular because of the incomplete or inaccurate nature of the data. 78 Jääskinen dismissed this provision as a basis for deleting Mr. González s data by asserting that the record did not indicate that the relevant personal data was in any sense incomplete or inaccurate essentially limiting the provision by its final clause. 79 Jääskinen next looked to Article 14(a), 80 which guarantees a data subject the right, at least in the cases referred to in Article 7(e) and (f), to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save 75. See Google Spain See id See id I consider that the Directive does not provide for a general right to be forgotten in the sense that a data subject is entitled to restrict or terminate dissemination of personal data that he considers to be harmful or contrary to his interests. The purpose of processing and the interests served by it, when compared to those of the data subject, are the criteria to be applied when data is processed without the subject s consent, and not the subjective preferences of the latter. A subjective preference alone does not amount to a compelling legitimate ground within the meaning of Article 14(a) of the Directive. Id Data Protection Directive, supra note 2, art. 12(b). 79. See Google Spain Mr. Gonzalez did not claim that the published information was inaccurate, but that it was irrelevant and misleading to persons who conducted a search for his name. 80. See id [Vol. 45

13 SEARCH ENGINE LIABILITY where otherwise provided by national legislation. 81 Article 7 provides various bases on which personal data may be legally processed, and provisions (e) and (f) refer to data processing that is done for public interest or a legitimate interest pursued by the controller, respectively, so long as those interests are not outweighed by the data subject s privacy interests. However, instead of expressly following the above statutory path, Jääskinen implicitly summed up its meaning in the Article 6(2) requirement to weigh the interests of the data controller, or third parties in whose interest the processing is exercised, against those of the data subject, and noted that such balancing is exclusively under the purview of the controller. 82 Indeed, the responsibility of such balancing is exactly what Jääskinen understood would be thrust upon search engines if the court were to find that search engines are controllers of personal data. 83 The search engine would be required to abandon its intermediary function between the user and the publisher and put itself in the position of publisher, in some instances requiring the search engine to censure the content by preventing or limiting access to it. 84 However, the Advocate General expressed that such a scenario is neither supported by the Directive nor tolerable under the Charter. 85 Such a responsibility for a neutral search engine would lead to automatic withdrawal of links to any objected contents or unmanageable requests for popular and important search engines. 86 For search engines to be saddled with such an obligation would interfere with the source web page publisher s freedom of expression by denying her adequate legal protection, and would effectively amount to a private entity censoring published content. 87 Such balancing of interests is fundamentally incommensurate with a search engine s neutral role. Although Jääskinen maintained that an absolute right to be forgotten one that is unhinged from the appropriate objective balancing of interests discussed above cannot exist under the Directive or even the 81. Data Protection Directive, supra note 2, art. 14(a). 82. Google Spain 107. The Advocate General referred to Directive Article 6(2), which requires the controller to ensure compliance with Article 6(1). Article 6(1), in turn requires, inter alia, that data be processed legally, and Article 7 provides the bases in this instance 7(f) on which processing of personal data may be allowed. See Data Protection Directive, supra note 2, arts. 6 and See Google Spain Id See id. 111, Id Id ] 873

14 Charter, he noted that the Commission Proposal provides explicitly for a right to be forgotten in Article Although the proposed Regulation was not before the court, Jääskinen noted that the text of Article 17 seems to consider internet search engine service providers more as third parties than controllers in the own right. 89 However, the Article to which he was referring has since been changed, as will be discussed further below, creating ambiguity as to how the case of Mr. González might have come out under the LIBE-approved draft of the Regulation. 90 III. GEORGETOWN JOURNAL OF INTERNATIONAL LAW DIFFERENCES BETWEEN DIRECTIVE AND REGULATION PROPOSALS If the Regulation were passed as drafted in the LIBE Proposal, the statutory landscape on which Jääskinen s opinion was based would be radically altered. 91 While controllers would continue to be subjected to a balancing responsibility as under the Directive, the LIBE Proposal creates a tougher burden of proof and a greater risk of financial penalization. 92 The LIBE Proposal also creates substantial ambiguity as to third parties liability, which could directly implicate search engines. 93 A. Territorial Scope of the Regulation The Commission and LIBE Proposals both expand the territorial application of the Regulation enormously as compared to the Directive. The Regulation covers the processing of a controller in the EU, whether or not the processing occurs in the EU. 94 Further, the LIBE Proposal applies to controllers or processors outside the EU, so long as the controller or processor offers goods or services to EU citizens irrespective of whether a payment...isrequired. 95 B. Penalties for Violation Whereas the current Directive provides generally that member states shall...lay down the sanctions to be imposed in case of infringe- 88. Id. 110; Commission Proposal, supra note 1, art Google Spain Id. Compare Commission Proposal, supra note 1, art. 17, with LIBE Proposal, supra note 7, art See generally infra Parts II, III. 92. See infra Part III.C See infra Part III.C LIBE Proposal, supra note 7, art Id. 874 [Vol. 45

15 SEARCH ENGINE LIABILITY ment of the Directive, 96 the LIBE Proposal mandates a more specific framework authorizing severe penalties for violations of the Regulation. In addition to compensation for damages suffered by data subjects, including non-pecuniary damages, 97 violating entities may be subject to a fine up to 100,000,000 EUR or up to 5% of the annual worldwide turnover in case of an enterprise, whichever is greater. 98 C. Article 17: The Right to Erasure Whereas the relevant defined terms of the Regulation are identical to those of the Directive, the most glaring difference for a person in Mr. González s shoes is the existence of the Regulation s Article 17 right to erasure. 99 As further analysis will reveal, Article 17 does not yield an absolute right to be forgotten, but only slightly expands on the right of erasure already available under the Directive. 100 However, in as much as Article 17 expands on the personal rights of the Directive, it does so primarily by reference to the Article 19 right to object and the Article 6 list of lawful bases for processing. 101 As the opinion in Google Spain revealed, the right to object essentially triggers a responsibility for controllers to weigh relative interests. 102 Compared to the Directive, the balancing required by the LIBE Proposal is expanded in scope and weighted against the controller, creating a significant liability for any party saddled with such an obligation The Article 19 Right to Object and Article 6 Lawfulness of Processing The Regulation s Article 19 right to object is functionally equivalent to the Directive s Article 14(a) right to object discussed in Google Spain. 104 In both documents, the right to object refers to the list of allowable bases for processing Article 6(1)(f) under the Regulation and Article 7(f) under the Directive and indicates which bases are 96. Data Protection Directive, supra note 2, art Id. art Id. art LIBE Proposal, supra note 7, art See infra Part III.C Id See Google Spain See infra Part II.D Compare Commission Proposal, supra note 1, art. 19, and LIBE Proposal, art. 19, with Data Protection Directive, supra note 2, art. 14(a). 2014] 875

16 GEORGETOWN JOURNAL OF INTERNATIONAL LAW vulnerable to objection. However, relative to the Directive, the Commission and LIBE Proposals expand the scope of allowable objections. The Commission and LIBE Proposals authorize objection to data that is processed as necessary for the vital interest of the data subject, whereas the Directive only allows objection for data that is necessary to the public interest or the controller s legitimate interest. 105 Additionally, the Commission and LIBE Proposals shift the burden to the controller to justify compelling legitimate grounds for processing the data. 106 Finally, the LIBE Proposal takes the burden shifting even farther, requiring no justification or any particular purpose to lodge an objection to processing that is done in pursuit of the controller s legitimate interest. 107 Generally speaking, the Regulation expands the right to object and shifts the burden to justify processing to the controller. The LIBE Proposal expands the right of erasure available under the Directive or the Commission Proposal in yet one further way. Whereas Regulation Article 6(1)(f), like Directive Article 7(f), allowed for processing in pursuit of a controller s legitimate interest, the LIBE Proposal adds a limiting qualification: Controllers may only pursue legitimate interests which meet the reasonable expectations of the data subject based on his or her relationship with the controller. 108 This qualification could substantially reduce the reliability of 6(1)(f) as a legal basis for processing where the controller and data subject do not have an established relationship. Recall that the controller s legitimate interest provided the legal basis for search engine processing in the same way that Jääskinen s analysis found that search engines might be controllers Article 17(1): Circumstances Warranting Erasure Generally Article 17(1) was initially drafted by the Commission to grant data subjects the right to obtain erasure from the controllers of personal data under several enumerated circumstances. 110 However, the current LIBE Proposal also provides that data subjects may obtain from third parties the erasure of any links to, or copy or replication of the offending 105. Id Id LIBE Proposal, supra note 7, art. 19(2) Compare LIBE Proposal, supra note 7, art. 6(1)(f) (emphasis added), with Data Protection Regulation, supra note 2, art. 7(f) Google Spain See Commission Proposal, supra note 1, art. 17(1). 876 [Vol. 45

17 SEARCH ENGINE LIABILITY personal data, 111 creating uncertainty as to the direct liability of search engines and other third parties. The enumerated circumstances in which erasure is warranted only expand on the Directive in as much as they incorporate by reference the Article 19 right to object. 112 Although Article 17(1) does not enormously expand on the qualified right to erasure already available under the Directive, the reference to third parties creates significant ambiguity as to third party liability. This reference is particularly troubling as it comes on the heels of an Article 29 Working Party opinion that expressed concern specifically over the lack of third party direct liability in the Commission Proposal Article 17(2): The Trigger for Third Party Erasure In the Commission Proposal, Article 17(2) included the only reference to third parties in the Article 17 right to be forgotten. 114 Given the structure, it was fairly obvious that Article 17(2) functioned as the exclusive trigger for the involvement of third parties in erasure. 115 The Commission Proposal s Article 17(2) required controllers to inform appropriate third parties of the erasure request if the data was subject to erasure under Article 17(1) and the controller had made the data public. 116 This was effectively equivalent to the Directive s requirement under Article 12(c) that controllers attempt to notify third parties where data is entitled to erasure pursuant to Article 12(b). 117 The LIBE Proposal, like the Directive and the Commission Proposal, appears to restrict the direct Article 17(2) responsibility to controllers, 111. LIBE Proposal, supra note 7, art. 17(1) (emphasis added) Compare Data Protection Directive, supra note 2, arts. 12(b), 14(a), with LIBE Proposal, supra note 7, art. 17. Directive Articles 12(b) and 14(a) collectively provide for the erasure of data that is processed in violation of the Directive. With the exception of LIBE Proposal Article 17(1)(c), which provides for erasure through Article 19 s right to object, Article 17(1) does not significantly expand on erasure as under the Directive Opinion of the Art. 29 Data Protection Working Party 1/2012 on the Data Reform Proposals,at12 (Mar. 23, 2012) ( consideration could be given to extend the right of data subjects to allow them to directly address requests for erasure to third parties in cases where that cannot be done through the controller ), available at documentation/opinion-recommendation/files/2012/wp191_en.pdf See Commission Proposal, supra note 1, art Essentially, Article 17(1) defined erasure, Article 17(2) lay out the circumstances in which it would be warranted, and Article 17(3) lay out exceptions See Commission Proposal, supra note 1, art. 17(2) Compare Data Protection Directive, supra note 2, art. 12(c), with Commission Proposal, supra note 1, art. 17(2). 2014] 877

18 GEORGETOWN JOURNAL OF INTERNATIONAL LAW but limits the context in which a controller must reach out to third parties. 118 Under the LIBE Proposal, Article 17(2) is only triggered when the controller publicized the personal data without a legitimate purpose under Article 6(1). 119 The draft report of LIBE Rapporteur Jan Philipp Albrecht suggests that this reflects an acknowledgement that the right to erasure of data that was published on legitimate grounds is neither realistic nor legitimate. 120 Indeed, were it not for the LIBE Proposal s reference to third parties in Article 17(1), Article 17(2) suggests a reduced, albeit less clear, emphasis on third party liability Article 17(3): Exemptions From Erasure Like the LIBE Proposal s Article 17(1), Article 17(3) also includes a reference to third parties that was not included in the Commission Proposal. 122 LIBE proposal Article 17(3) requires that the controller and, where applicable, the third party shall carry out the erasure without delay, except under several enumerated circumstances. 123 These circumstances include freedom of expression, health, research, and compliance with Union or member state law. 124 Each of the foregoing four circumstances refers to another article specifically laying out the terms 118. See LIBE Proposal, supra note 7, art. 17(2). Further ambiguity is created by requiring third parties to take all reasonable measures to cause third parties to delete offending data, instead of specifically requiring notice. However, it is reasonable to assume that notice constitutes the extent of reasonable measures that a controller can take, so long as the third party is not itself directly liable. An EU press release has since indicated that, [i]n most cases, this will involve nothing more than an . Memorandum from the European Comm. (Jan. 27, 2014), available at See id European Parliament, Comm. on Civil Liberties, Justice and Home Affairs, Draft Rep. on the Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) Amend. 35 and 147, 2012/ 0011(COD) (Jan. 16, 2013) [herinafter LIBE Rapporteur Draft Report], available at europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf Whereas the Commission Proposal required a controller to take all reasonable steps... to inform third parties of a request for erasure, the LIBE Proposal simply requires that a controller take all necessary steps to have the data erased, without specifying the controller s specific responsibility with respect to potential third parties. LIBE Proposal, supra note 7, art. 17(2) Compare LIBE Proposal, supra note 7, art. 17, with Commission Proposal supra note 1, art LIBE Proposal, supra note 7, art. 17(3) (emphasis added where LIBE Proposal Article 17(3) differs from Commission Proposal Article 17(3)) See LIBE Proposal, supra note 7, art. 17(3)(a)-(d). 878 [Vol. 45

19 under which personal data may be processed for the particular exception under member states individual derogations from the Regulation. 125 Structurally, the exemptions for erasure represent a significant change from the Directive, which simply provides for erasure where processing was non-compliant with the Directive, obviating the need for any exceptions. 126 Under the Regulation, freedom of expression may find more protection through exemptions to erasure rather than as an allowable basis for processing. Whereas AG Jääskinen found that freedom of expression fits among the prescribed allowable bases for processing data under the Directive s Article 7(f), 127 the LIBE Proposal s alterations to Article 6(1)(f) potentially removes such interests from the ambit of allowable processing by creating a relationshipbased test and assigning the burden of proof to the controller. 128 It is uncertain at this point how such a test would be analyzed. The result, however, may be that freedom of expression is significantly more reliant on individual member states derogations from the Regulation. 129 Freedom of expression, under the LIBE regulation, will vary from member state to member state, likely creating a patchwork of laws for erasure in what promise to be numerous marginal cases balancing a data subject s right to privacy with a controller s right to free expression. 130 IV. SEARCH ENGINE LIABILITY ANALYSIS OF SEARCH ENGINE LIABILITY UNDER LIBE PROPOSAL A. Territorial Jurisdiction and Fines The LIBE Proposal ensures that the Regulation s territorial scope will apply to any search engine accessible in the EU, and will easily 125. See id See Data Protection Directive, supra note 2, art. 12(b) See Google Spain See supra Part III.C See LIBE Proposal, supra note 7, art. 80 (providing for derogations from the provisions of the Regulation to accommodate freedom of expression) See, e.g., Muge Fazlioglu, Forget Me Not: The Clash of the Right to Be Forgotten and Freedom of Expression on the Internet, 3 INT L DATA PRIVACY L., 149, 154 (2013) ( Although freedom of expression is one of the exemptions in the application to the right to be forgotten, this issue is complicated by the fact that the limitations to these exemptions are to be determined by the member states...unfortunately, where data protection rules clash with freedom of expression, EC law remains silent, giving each member state the authority and discretion to determine a fair balance between the rights in question and freedom of expression. ) 2014] 879

20 GEORGETOWN JOURNAL OF INTERNATIONAL LAW extend to entities outside the EU, such as Google. 131 Whether or not the processing occurs in the EU, a search engine will be potentially liable so long as it offers goods and services, irrespective of whether a payment...isrequired to EU citizens. 132 Given the generally unrestricted nature of the internet, the Regulation effectively claims universal jurisdiction, at least with respect to search engines. Further, the penalties for non-compliance with the Regulation, including for failure to enact erasure, are potentially quite severe. 133 In the case of a search engine such as Google, a penalty of up to five percent of the enterprise s worldwide turnover could be sufficiently chilling to result in preventative censorship. 134 B. Challenges of Liability The LIBE Proposal poses a potential danger to search engines liability as third parties by appearing to create a direct avenue for data subjects to demand erasure by third parties under Article 17(1). 135 If search engines are considered controllers under the LIBE proposal or if direct liability is extended to third parties engaged in processing of personal data they will be required to comply with Article 17 erasure requests. 136 This requires a balancing of interests, as AG Jääskinen observed in Google Spain. 137 However, under the LIBE Proposal, the legitimate bases for data processing as a controller are more tenuous, and the burden of proof is on the controller. 138 As under the Directive, the liability risks of a controller expose an entity to balancing requirements that are fundamentally inconsistent with a 131. See LIBE Proposal, supra note 7, art Id See supra Part III.B See Fazlioglu, supra note 130, at 155 ( This threat of sanction may cause data controllers to choose the path of deletion in unclear cases, which would be a chilling side effect of the rule ); Google Spain 133 (noting that liability could result in either automatic withdrawal of links to any objected contents or an unmanageable number of requests handled by the most popular and important search engine providers ) See supra Part III.C See LIBE Proposal, supra note 7, art See id.; Google Spain 107. In considering the Directive s 14(a) right to object, Jääskinen found that it triggered an obligation to weigh the interests of the controller against the parties. Id. LIBE Proposal Article 17 includes, by reference, Article 19, which provides the equivalent right to objection under the Regulation. See supra Part II(D)(1) See supra Part III.C [Vol. 45