On November 25, 2014, the Article 29 Working Party agreed guidelines for data protection authorities seeking to apply the Court of Justice of the European Union (CJEU) ruling reached earlier this year against Google, which has become known as the right to be forgotten or “RTBF” ruling.  The full guidelines have not yet been published, but the Working Party has now released a short statement that already addresses some important issues.

The Working Party guidelines are not legally binding, but will influence enforcement decisions made by Europe’s data protection authorities.

These clarifications are written for data protection authorities, but will also help Google and other search engines understand the requirements set out in the CJEU judgment in greater detail; we’ll provide more information in a later blog post when the full guidance is released.

Continue Reading Article 29 Working Party Agrees Right to Be Forgotten Guidance Following May 2014 CJEU Ruling Against Google

After a particularly long work week, curling up with a law-review article can seem a little daunting for weekend reading.  So for this weekend, I’ve been saving up some really promising magazine articles — short, concise, entertaining, and full of terrific information about privacy.  Here are a few ideas that might make for bite-size reading on a nice autumn afternoon:
Continue Reading Privacy Weekend: Provocative Articles We’re Reading Now

Yesterday, the Article 29 Working Party group of European privacy regulators released a short press release describing the results of its most recent plenary meeting, in which the right to be forgotten was discussed.

The “right to be forgotten” refers to a “new” right that the Court of Justice of the European Union (CJEU) read into the Data Protection Directive (95/46/EC) in the May 2014 case, Google Spain v AEPD and Mario Costeja González (C-131/12).  At its heart, the right to be forgotten (RTBF) enables European Union residents to request that search engines take down certain types of search results based on searches of the requestor’s individual name.  For example, the right enables requests to take down “irrelevant” or out-of-date search results.

Continue Reading Article 29 Working Party Meets To Discuss The Right To Be Forgotten

By Dan Cooper, Mark Young and Kristof van Quathem

On May 13, the European Court of Justice (the “Court”) handed down an important judgement in a referral from Spain’s National High Court involving Google, a Spanish national, and the Spanish data protection authority (Case C-131/12).  The decision has wide-ranging consequences regarding the application of EU data protection laws and the rights individuals are afforded under those laws.

In brief, the Court was asked to answer several questions about Google’s responsibility under EU data protection laws in relation to its online search engine.  The Court interpreted the applicable law rules under the EU Data Protection Directive 95/46/EC (the “Directive”) very broadly, holding that Google Inc. is directly subject to Spanish data protection law.  The Court also decided that Google is obliged, in certain circumstances – e.g., where information about an individual is inaccurate – to delete web search results that link to web pages containing information relating to that person.  Further, where an individual requests it, Google must delete search results that link to information about that individual where the information – even truthful information – is prejudicial to the individual or is information that he or she wishes to be “forgotten” due to the passage of time.  The Court appears to accept that providing access to such information for longer periods of time may be appropriate for high-profile individuals, such as celebrities.

The Court’s landmark decision has dominated headlines and is bound to spark a deluge of analysis and criticism, particularly in relation to issues concerning access to information and censorship.  For many international companies that process personal data and have affiliates in Europe, the most significant element of the judgement may prove to be the Court’s finding on applicable law rules, which undoubtedly presents a compliance challenge.

Continue Reading Google, the CJEU, and the Long Arm of European Data Protection Law

On 25 June, the Advocate General (the “AG”) submitted an Opinion on a set of questions that a Spanish court referred to the Court of Justice of the European Union (the “Court”). This is the first time that the Court has been asked to interpret the European Data Protection Directive 95/46/EC (the ‘Directive’) in the context of internet search engines. The questions concern three main issues:

  • the territorial scope of and the applicable national law under the Directive;
  • whether search engine providers are data controllers; and,
  • whether there is a right to be forgotten.

The proceedings were triggered by an individual who was the subject of some press reports in a newspaper in early 1998. In 2010, he requested Google Spain not to show any links to the newspaper when users entered his name in the Google search engine. The publisher, whom the individual also contacted, refused to erase the relevant data. The individual therefore lodged a complaint with the Spanish data protection authority, which subsequently ordered Google Spain and Google Inc. to take the measures necessary to withdraw the data from their index and to render future access to the data impossible. Google appealed the decision to a Spanish court, which referred the aforementioned questions to the Court for a preliminary ruling.

Continue Reading Advocate General Submits Opinion in Google Spain Case

The Court of Justice of the European Union (“CJEU”) in Luxembourg heard argument yesterday concerning the “right to be forgotten”—specifically, whether search engines such as Google must block search results when asked by European citizens to remove references to themselves. 

This particular case—which is representative of approximately 200 similar cases in Spain—came before the CJEU when Google declined to comply with an order from the Spanish Data Protection Authority.  A Spanish citizen, Costeja, wanted Google to de-list references to a publication in a Spanish newspaper in 1998, which discussed the auction of Costeja’s house in connection with his failure to pay social insurance contributions.

Google has taken the position that search engines should not be obligated to remove links to valid (i.e., not incorrect, defamatory, or otherwise illegal) material that exists online.  Rather, only the original publisher can make the decision to remove such content, at which point it will disappear from the search engine index once removed from source webpages.

Continue Reading Must Google Forget You?

The European Data Protection Supervisor (“EDPS”) has issued an opinion on Europe’s strategy for protecting children on the Internet.  The European Commission consults with the EDPS on a variety of data protection issues.  However, the opinions of the EDPS are not legally binding. 

Among other things, the EDPS expressed support for: 

  • The implementation of technical tools, such as age-appropriate default privacy settings, to enhance the privacy of children online.     
  • Clear notice about the impact a change to a default setting would have on a child’s privacy and the potential harm it may cause. In particular, the EDPS suggested that in some circumstances a child might not be permitted to change the default settings, or might change the defaults only with parental consent, stating that the “extent to which a child may change the default privacy settings should also be linked to the age and level of maturity of the child.  It should be explored to what extent, and within which age group, parental consent would be required to validate a change of privacy settings.” 
  • A requirement that service providers inform children about the level of sensitivity of each piece of information they provide when creating an online profile and about the potential risks or harms they may encounter when such information is disclosed to a defined group of people or to the public. 
  • A restriction on industry’s ability to create online behavioral advertising segments that target children.
  • A legal mandate for industry to deploy an EU-wide reporting tool for content that is harmful to children.


Continue Reading European Data Protection Supervisor Issues Opinion on Children’s Privacy

By Dan Cooper and Kristof Van Quathem

A widely-leaked version of the first legislative proposal for a General Data Protection Regulation is making its way through Brussels and beyond.  The draft Regulation — which, among other things, aims to apply a harmonized and updated set of core data protection rules across the EU — will be reviewed by the different Directorates-General of the European Commission in the coming weeks, and thus could be liable to change.  The Commission is not expected to release its final proposal until late January 2012.  

Although implementation of the Regulation is not expected for some time, it will eventually replace Data Protection Directive 95/46 and be directly applicable in all European Member States.  One of the chief criticisms of the existing EU data protection regime is that EU Member States have implemented the Directive in a divergent fashion.  The Regulation would remedy this problem and establish a common set of standards applicable across the entire EU.  Highlighted below are some of the more notable aspects of the draft Regulation. That said, with over 91 articles, the Regulation contains a great deal, including a number of radically new concepts.  It also envisions the Commission enacting a large number of delegated acts intended to furnish additional guidance and detail on particular matters.

Continue Reading Draft EU Data Protection Regulation Leaked