Spain is an interesting country when it comes to the so-called ‘right to be forgotten’ (RTBF). After all, the famous CJEU judgment recognizing this right in relation to search engines stemmed from a request for a preliminary ruling made by a Spanish court (the Audiencia Nacional, AN) following a procedure initiated before the Spanish Data Protection Authority (DPA) by a Barcelona citizen, Mario Costeja González. Likewise, the reasoning which was eventually endorsed by the CJEU – though with a slightly different reach – was a construction put forward by the Spanish DPA.
Now that three years have passed since the ruling was handed down, Google reports it has received requests to delist more than 170,000 URLs by individuals related to Spain, which makes it the fourth EU country by number of requests. Around 38% of the URLs – out of all of those which have been already fully processed – have been delisted by Google.
Interestingly, a fair amount of decisions has been issued in Spain, both by the DPA and by courts. The DPA has handed down more than five hundred decisions. Typically, they arise from petitions by individuals whose removal requests were denied by Google or other search engines. Some of those decisions were subsequently appealed before the AN, which has delivered close to eighty rulings. In addition, a few cases brought directly before civil courts have also dealt with the right to be forgotten.
Some of the most interesting elements of the way the right is being implemented in Spain may be summarized as follows:
– The standing of the Spanish subsidiary. Most of the cases that were pending before the AN when it made the referral to the CJEU were directed against the Spanish subsidiary of Google Inc (Google Spain, SL). In a dramatic move, some sixty AN judgments were reversed and voided by the Administrative Chamber of the Supreme Court on the grounds that Google Spain SL lacks standing to be sued, as the actual controller is only the American company. Unfortunately, the Supreme Court did not deal with the underlying merits of the cases, and thus the value of the material criteria put forward by the AN in all those rulings remains uncertain. More strikingly, a different Chamber of the Supreme Court – the Civil one –disagrees with the Administrative Chamber, and holds that the Spanish subsidiary does have standing.
– Geo-blocking. The Spanish DPA considers that the delisting from the European domains of Google is not enough to fully comply with the CJEU judgment, as any user located in Spain could easily resort the Google.com version to find the delisted link. However, the DPA appears to accept that geo-blocking would be enough, that is, blocking the access to the link in any domain, when the search is carried out by someone from a computer located in Spain.
– Communication the publisher. Once the search engine has decided to delist a link to a piece of content, may Google inform the publisher about the delisting – a usual practice when the webmaster has registered with the tool called “search console”? The Spanish DPA found that it can’t, and fined Google for such a communication, holding that it violates the duty of secrecy set forth in the Data Protection Act. The decision is under appeal.
– Individuals with no relationship to the EU. Data subjects requesting URLs removals must bear some link to EU countries. In several decisions, the DPA has rejected requests from data subjects residing in Latin American countries, noting that the individuals had no meaningful link with the EU territory.
– Are hosts also controllers? The Costeja case related to search engines, and concluded that they are controllers of the personal data that shown in the results and in the content to which they link. May the same conclusion be held for providers of hosting services, though they are arguably in a very different situation? The DPA – following the AN’s criteria – considers that a hosting platform such as Blogger is not a data controller. However, it deems YouTube a data controller, though holding that it may rely on the hosting safe harbour provided by the eCommerce Directive. In this vein, the DPA holds that while YouTube is not liable for the challenged content, it must remove it once it is notified of its illegal nature by a competent authority such as the DPA itself.
– Damages for failing to delist. In a civil lawsuit, finally decided by the Supreme Court, Google was ordered to pay damages to the claimant for failing to remove a link to a notice of pardon published on the Official Gazette, which revealed an old crime committed by the data subject.
– Further removal denied for Mr. Costeja. The now famous lawyer requested the delisting of a blog post criticizing him. The DPA rejected, noting that the facts of the Costeja case have now become a matter of public interest – and moreover he had conceded multiple interviews in the media, thus allowing public discussion on the case.
– Burden of proof about data accuracy. When the accuracy of the data is challenged, decisions by the DPA are not fully consistent as to whether it is the data subject who must prove the inaccuracy, or it is the search engine that must prove the accuracy to be able to reject the delisting request.
– Exclusion protocols. The Supreme Court has held that while an individual has no right to supress content from a newspaper’s historic archive, the publisher must implement exclusion protocols such as robots.txt or metatags so that the content is not indexed by search engines. Failing to do so amounts to an illegal processing by the publisher.
– Websites’ internal search tools. While a data subject may obtain the delisting from search engines, requests that the links are also delisted from the internal search tools of a website – such that of a newspaper – are rejected, on the grounds that this would affect freedom of expression.
To conclude, while RTBF requests are decided on a case by case basis, in most cases both the DPA and the courts offer little justification on why a particular case deserves the requested delisting or not – beyond the most obvious situation of public figures involved –, and thus legal certainty is still far from being achieved.
Miquel Peguera, Associate Professor of Law at the Universitat Oberta de Catalunya (UOC) (Barcelona, Spain). Affiliate Scholar, Stanford Center for Internet & Society. PhD in Law, University of Barcelona (2006), with a dissertation on the liability of Internet intermediaries. Visiting Scholar at the University of Columbia School of Law (2007-08). His research focuses on intermediary liability, copyright, trademarks, and privacy. He is a co-editor of the Journal of Intellectual Property, Information Technology and E-Commerce Law (jipitec.eu). A list of publications can be found at http://ispliability.wordpress.com/about/