On November 25, 2014, the Article 29 Working Party agreed guidelines for data protection authorities seeking to apply the Court of Justice of the European Union (CJEU) ruling reached earlier this year against Google, which has become known as the right to be forgotten or “RTBF” ruling.  The full guidelines have not yet been published, but the Working Party has now released a short statement that already addresses some important issues.

The Working Party guidelines are not legally binding, but will influence enforcement decisions made by Europe’s data protection authorities.

These clarifications are written for data protection authorities, but will also help Google and other search engines understand the requirements set out in the CJEU judgment in better detail; we’ll provide more information in a later blog post when the full guidance is released.

Continue Reading Article 29 Working Party Agrees Right to Be Forgotten Guidance Following May 2014 CJEU Ruling Against Google

Yesterday, the Article 29 Working Party group of European privacy regulators released a short press release describing the results of its most recent plenary meeting, in which the right to be forgotten was discussed.

The “right to be forgotten” refers to a “new” right that the Court of Justice of the European Union (CJEU) read into the Data Protection Directive (95/46/EC) in the May 2014 case, Google Spain v AEPD and Mario Costeja González (C-131/12).  At its heart, the right to be forgotten (RTBF) enables European Union residents to request that search engines to take down certain types of search results based on searches of the requestor’s individual name.  For example, the right enables requests to take down “irrelevant” or out of date search results.

Continue Reading Article 29 Working Party Meets To Discuss The Right To Be Forgotten

By Dan Cooper, Mark Young and Kristof van Quathem

On May 13, the European Court of Justice (the “Court”) handed down an important judgement in a referral from Spain’s National High Court involving Google, a Spanish national, and the Spanish data protection authority (Case C-131/12).  The decision has wide-ranging consequences regarding the application of EU data protection laws and the rights individuals are afforded under those laws.

In brief, the Court was asked to answer several questions about Google’s responsibility under EU data protection laws in relation to its online search engine.  The Court interpreted the applicable law rules under the EU Data Protection Directive 95/46/EC (the “Directive”) very broadly, holding that Google Inc. is directly subject to Spanish data protection law.  The Court also decided that Google is obliged, in certain circumstances – e.g., where information about an individual is inaccurate – to delete web search results that link to web pages containing information relating to that person.  Further, where an individual requests it, Google must delete search results that link to information about an individual where the information – even truthful information – is prejudicial to the individual or that he or she wishes to be “forgotten” due to the passage of time.  The Court appears to accept that providing access to such information for longer periods of time may be appropriate for high-profile individuals, such as celebrities.

The Court’s landmark decision has dominated headlines and is bound to spark a deluge of analysis and criticism, particularly in relation to issues concerning access to information and censorship.  For many international companies that process personal data and have affiliates in Europe, the most significant element of the judgement may prove to be the Court’s finding on applicable law rules, which undoubtedly presents a compliance challenge.

Continue Reading Google, the CJEU, and the Long Arm of European Data Protection Law

On January 8, 2014, the French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), announced that it was imposing a fine of €150,000 on Google, as well as a requirement that Google, within eight days of the decision, publicize the fine on its own website (at www.google.fr) for a period

Yesterday, the FTC announced a settlement with Goldenshores Technologies, a company that makes the most-downloaded flashlight app on the Android platform.  The FTC alleged that Goldenshores violated Section 5 of the FTC Act by failing to disclose to consumers that it shared location data it collected from users’ device with third parties.  Although a list

On Tuesday, 19 November, the Regional Court of Berlin ruled against Google in a case brought by the Federation of German Consumer Associations (vzbv).  The vzbv had initiated an action for injunction against Google, requesting it to stop using certain clauses in its Terms of Use and Privacy Policy.  In Germany, consumer associations have a right to bring legal proceedings against companies that engage in commercial practices which are illegal under the Act Against Unfair Competition.

The court sided entirely with the plaintiff and ruled that Google must refrain from using the relevant (and similar) clauses in agreements with consumers in Germany. If Google breaches this prohibition monetary penalties of up to €250,000 or imprisonment of up to six months can be imposed (to be enforced against Google’s legal representatives).

The court’s reasoning is not yet available, but according to press reports the court considered the relevant clauses to be overly vague and broad and to restrict the rights of consumers. The vzbv had argued that users were “unreasonably disadvantaged.”  The court’s press release lists all the relevant clauses which the court considered to be illegal.  We break these down after the jump. 

Continue Reading Berlin Court Condemns Google, Strikes Provisions in Privacy Policy and Terms

Google has entered into a $17 million settlement agreement with attorneys general from 37 states and the District of Columbia over allegations that the company engaged in unauthorized tracking of users of Apple’s Safari browser in 2011 and 2012.  The allegations stemmed from 2012 reports that Google had bypassed Safari’s default privacy settings and placed

By Katherine Gasztonyi

Last week, Judge Robinson of the District of Delaware dismissed a multi-district lawsuit claiming that Google, Vibrant Media, Media Innovation Group, and WPP violated federal privacy and computer security laws by allegedly circumventing browser privacy settings in order to track users online.

This lawsuit stems from a February 17, 2012, Wall Street Journal article describing these companies’ use of a loophole in Safari’s privacy settings to set third-party tracking cookies even where the browser had been configured to block such cookies.  Lawsuits alleging violations of the federal Wiretap Act, Stored Communications Act, and Computer Fraud and Abuse Act (as well as various state laws) were filed in courts across the country, and ultimately were consolidated before Judge Robinson in Delaware.

Judge Robinson granted the defendants’ motions to dismiss all of the plaintiffs’ claims on the grounds that the plaintiffs had not adequately alleged standing to sue in federal court and, in any event, had failed to state a claim for relief under any of the statutes invoked in their complaint.

Continue Reading Court Tosses Claims Against Google and Others Based on Safari Hack

In a decision issued last week that is being described by some as a “landmark,” Judge Koh of the Northern District of California denied a motion to dismiss a complaint filed against Google alleging that its Gmail service unlawfully intercepts the contents of emails sent by and to Gmail users.  The case involves Google’s longstanding practice of targeting ads in Gmail based on keywords in emails.  The plaintiffs claim that this practice violates the federal Wiretap Act and analogous state wiretapping and eavesdropping statutes. 

 The court denied Google’s motion to dismiss as to all but one of these claims.  Most notably, the court held that the plaintiffs’ claim under the Wiretap Act can proceed, rejecting Google’s arguments that its practice of scanning the contents of emails is authorized under exceptions in the Wiretap Act for interceptions that occur (1) in the “ordinary course of business” or (2) with the consent of at least one party to a communication. 

Continue Reading Court Denies Google’s Motion to Dismiss Gmail Wiretap Claims