Introduction

In finding that search engines had positive data protection obligations arising from their indexing of public domain personal data, the Google Spain ʻright to be forgottenʼ ruling in May 2014 quickly came to symbolize the breadth and ambition of EU data protection.  Given that the UK has often been rather critical of these characteristics of EU law in this area, it might be expected that this Court of Justice judgment would be implemented here in a distinctly lacklustre fashion.  In many respects, however, this does not seem to have been the case.  It is true that there was some initial political backlash, with the House of Lords EU Committee questioning whether a search engine should be classed as a data controller and arguing that it was not “reasonable or even possible for the right to privacy to allow data subjects a right to remove links to data which are accurate and lawfully available”.  In addition, the Information Commissioner’s Office (the UK’s Data Protection Authority (DPA)) has adopted a more restricted formulation of the judgment’s terms than that suggested by the pan-EU Article 29 Working Party.  At the same time, however, the ICO has remained actively engaged in the area.   Even more strikingly the (albeit only interim) case law from UK courts has positively explored the notion that search engines have wider responsibilities beyond simply deindexing particular URLs from a name search after specific notice that the processing violates data protection norms.  Finally, the uptake of this so-called ʻright to be forgottenʼ right in the UK after this judgment has been comparatively extensive compared to most other major EU Member States.

UK Implementation of Google Spain by Google (and other search engines)

Although as legal scholars we naturally gravitate towards analysing court and regulatory decision-making, it is important to recognise that the vast majority of ʻright to be forgottenʼ claims lodged against search engines end at the point of being assessed by these actors operating as the data controller.  Moreover (perhaps unsurprisingly given its over 90% market share of search in Europe) only one actor is generally involved, namely, Google.  Between May 2014 and May 2017, Google had received approximately 728,000 claims asserting a ʻright to be forgottenʼ under European data protection law relating to over 2 million distinct URLs.  (By comparison, the next most popular search engine Microsoft Bing disclosed that up to December 2016 it had received only around 18,000 such cases relating to around 50,000 URLs.)  Within Google’s overarching figure, some 108,000 claims have been lodged in the UK relating to around 267,000 URLs.  This suggests a relatively strong up-take of this newly validated right from UK residents/citizens.  In comparison, in Spain itself only around 59,000 claims have been made regarding some 176,000 URLs.  Indeed, amongst the large EU countries, only French residents/citizens seem to have exhibited more interest in these new possibilities, having made some 230,000 requests so far relating to around 423,000 URLs.   Google has disclosed an overall breakdown indicating that it has rejected approximately 57% of URLs requests and accepted 43% of these across the EEA.  (As regards UK-based claims these figures are 61% and 39% respectively).  In general, however, it has been relatively opaque about how it assesses claims.  Its FAQ on the subject suggests that it only acts on specified URL links following ex post demands from European residents and/or citizens (or, perhaps, those with a cognate connection to a European country) and only deindexes against searches made under their name and generally only in relation to European-badged search services (although in a change from initial practice (pp. 3-4) it does now indicate that it also deploys (imperfect) geolocation technology to extend this to any search service accessed within the country in which claim is lodged including on e.g. google.com).   Substantively, it also appears to have narrowly construed Google Spain as granting rights only over personal information which is “inadequate, irrelevant, no longer relevant, or excessive” rather than that which violates other requirements of the European data protection such as accuracy.  Finally, it indicates that it notifies original webmasters of any URL which has been deindexed, a practice which will often involve a disclosure of personal data and carry significant privacy implications for the data subject.  (Perhaps in recognition of this, Google has stated elsewhere that from early 2015 it has now stopped this practice as regards deindexing from malicious porn sites (p. 29)).

UK Implementation of Google Spain by the Information Commissioner’s Office

If data subjects are dissatisfied with the search engines’ approach, then their most obvious next port of call is their local Data Protection Authority (DPA).  EU DPAs collectively responded to Google Spain through a set of Guidelines issued by the Article 29 Working Party in November 2014.   Probably partly reflecting DPAs’ very limited resources, these Guidelines only took issue with a narrow range of the limitations which Google (and indeed other search engines) had read into the judgment.  Firstly, they suggested that to ensure “effective and complete protection” of data subjects, de-listing must be “effective on all relevant domains, including .com” (p. 9).  Secondly, they argued that routine communication “to original webmasters that results relating to their content had been delisted” was simply illegal and that even if prior contact with original publishers was in principle legitimate in particularly difficult cases it was then vital that it “take all necessary measures to properly safeguard the rights of the affected data subject” (p. 10).  Third and finally, rather than focusing only on the substantive elements at play in the Google Spain case itself, the Working Party indicated that the data subject could point to any breach of the “data protection principles” (p. 11), specifically flagging up issues additional to those in play in the Google Spain case, notably data accuracy.

Turning directly to the approach and role of the UK’s Information Commissioner’s Office (ICO), shortly after the issuing of the pan-EU Guidelines above, the ICO issued delisting criteria which closely matched that developed by the Working Party.  It also indicated – especially through the development of a sui generis online form – that it was open to data subjects addressing concerns to it regarding a search engine’s refusal to deindex material against a name search.  Since this time, the ICO appears to have analysed approximately 800 such claims including over 120 in 2014/5 (p. 34), over 370 in 2015/16 (p. 24) and 300 in 2016/17.  Whilst not insignificant, this only represents perhaps 1-1.5% of claims for deindexing which have been rejected by Google (and other search engines).   In his overview of the first year and a half of Google Spain implementation, the then UK Deputy Information Commissioner David Smith indicated that ICO had rejected 40% of concerns on grounds of material or jurisdictional scope (rejections which, it must be said, were likely sometimes debatable especially given the case law cited below), had upheld the search engines’ decision in a further 40% but found that further action was required in the remaining 20%.   Meanwhile, in its 2015/16 and 2016/17 figures, the ICO stated that it has found need for more delisting in one third of cases.  If these later figures are being calculated with “out of scope” claims still included in the total then ICO findings against search engines would appear to have stabilised at a slightly higher level than initially.  Given that the delisting criteria has remained essentially unchanged, that in turn might suggest a more stringent approach being taken by Google to delisting than it adopted initially.

Whilst being relatively explicit as regards substantive delisting criteria, the ICO’s formal guidance has avoided confronting the other tricky aspects of the judgment which were highlighted by the Working Party, namely, the appropriate territorial reach of deindexing and the legitimacy or otherwise of webmaster notification.  Nevertheless, both issues were at least tangentially addressed in the only case so far which has resulted in the ICO issuing a criminally-backed Enforcement Notice.  In sum, in this complex and rather troubling case from the summer of 2015, Google had previously removed some links to an old newspaper story online concerning a minor criminal offence committed almost ten years previously.   However, after being tipped off through Google’s webmaster notification, the newspaper and then others wrote stories about this, in the process repeating details of the original conviction.  These stories were not only widely publicised but, worst still, were readily available through a name search on Google.  However, despite a new exercise of the ʻright to be forgottenʼ, Google refused to carry out further deindexing arguing that the stories were relevant and that the indexing was in the public interest.  Without addressing itself to the legitimacy of webmaster notification (or to the fact that a substantial portion of the UK media was using this data to republish deindexed stories), the ICO held that Google was obliged to deindex the new stories which included details of the old conviction.  The Enforcement Notice was initially formally ambiguous as to its territorial reach.  However, the ICO subsequently issued a clarified Notice making clear that it required that Google ensure that the relevant links were not visible to anyone directly accessing any Google search services from within the UK.  Although Google appealed the Notice at first, it ultimately agreed to comply (p. 22).  This switch was linked to a wider change of policy in early 2016 involving the generic use of geolocation technology as noted above.  Thus, although the ICO’s actions here are far less severe than the French DPA’s decision requiring truly globally effective deindexing or the Spanish DPA direct enforcement against Google’s webmaster notification practices themselves, the UK ICO cannot be said to have entirely ignored the two background issues arising here.

UK Implementation of Google Spain by the Courts

In the main, however, appeal to the ICO has only proved a positive way forward for (some) data subjects seeking a ʻnarrowʼ deindexing remedy i.e. the redaction of pre-specified URLs against a name search using European-focused services and only after having given the search engine a good period of time to respond.  In contrast, court action has resulted in a couple of data subjects with sufficient resources securing rather wider remedies.  Moreover, despite both cases settling prior to final judgment, it has also resulted in judicial dicta which appears receptive to the idea that such wider remedies may be legally mandated at least in certain circumstances.  In the first case, Daniel Hegglin, a Hong Kong businessman and Swiss national with business and personal links to the UK was confronted with a large number of abusive and defamatory allegations online accusing him, for example, of being a “murderer, a Nazi, a Klu Klux Klan sympathiser, a paedophile”  (at [2]).  He sought to require Google to take proactive steps “to ensure that such material does not appear as snippets in Google search results” (at [7]).  Notwithstanding that Hegglin was not a British resident or citizen and that he clearly sought a remedy going considerably beyond simply removing specific URLs on name searches carried out on google.co.uk, on 31 July 2014 Mr Justice Bean granted him leave to serve this claim on Google.com out of jurisdiction (at [22]).  The High Court then set aside five days for a full trial in November 2014.  However, on the first day of this trial it was announced that the two parties had settled.  Whilst unable to disclose the precise details of the agreement, Hegglin’s barrister Hugh Tomlinson QC stressed that the case was brought “against Google in order to seek extra assistance to combat a campaign of anonymous and extreme Internet trolling” and that “[t]he settlement includes significant efforts on Google’s part to remove abusive material from Google hosted websites and from its search results”.   In the second case (also argued by Hugh Tomlinson QC), the former head of Formula One Max Mosley sought to require that Google proactively block access to images of him engaging in private sexual activity (originally illegally published in the News of the World newspaper in 2008) across not only name but all searches.  In a January 2015 decision rejecting Google’s attempt to strike out this claim, Mr Justice Mitting held that from the point of view of UK data protection law “[t]he claimant’s assertion that he has suffered substantial unwarranted distress [from Google’s data processing] is plainly capable of belief, and if so, founding the remedy which he seeks” (at [25]).  Moreover, even if the e-Commerce Directive’s ban on requiring that certain intermediary actors engage in general monitoring of their services applied here (which was found to be a debatable point), Mitting J held that “[g]iven that it is common ground that existing technology permits Google, without disproportionate effort or expense, to block access to individual images, as it can do with child sexual abuse imagery, the evidence may well satisfy a trial judge that it can be done without impermissible [general] monitoring” (at [55]).  Again, however, Google settled the case just before full trial; whilst the details of the agreement were confidential, Max Mosley’s solicitor Tanja Irion described him as being “happy” with the outcome.

Conclusions

Google Spain placed European data protection within clearly controversial territory.   Nevertheless, three years on, the indications are that even in the UK this judgment has fallen on fairly fertile ground.  There has been a comparatively strong uptake by UK residents/citizens of this newly validated ʻright to be forgottenʼ right, with claims for the deindexing of hundreds of thousands of URLs being lodged principally against Google.  Meanwhile, the UK’s Information Commissioner’s Office has remained reasonably actively engaged in this area.  Although the number of individual concerns which it has dealt with remains small, the ICO has found further nominative deindexing to be required in approximately one third of its cases.  Meanwhile, whilst considerably more pragmatic than pan-EU Working Party guidance in this area, the ICO’s one formal Enforcement Notice mandated that Google use geolocation technology to restrict relevant results in the UK and also addressed some of the troubling consequences of Google’s practice of webmaster notification by requiring a new deindexing of the stories written off the back of the information which Google disclosed.  Finally, and perhaps most strikingly, the UK courts have responded rather sympathetically to the idea that, at least in certain cases, wider remedies may be legally mandated, such as ensuring deindexing in contexts other than a name search and deploying technology to block particularly problematic content on a proactive basis.  Undoubtedly, future jurisprudence at both UK and EU level will need to carefully address several critical issues left essentially unanalysed in the judgment, notably the balance required in particular cases with freedom of expression.  Nevertheless, the evidence presented here suggests that, even if the current EU-UK negotiations result in Court of Justice jurisprudence no longer being binding in the UK, the essence of the Google Spain judgment should survive even in this country.  This is not a judgment that will simply be forgotten.

David Erdos, University Lecturer in Law and the Open Society, Faculty of Law and WYNG Fellow in Law, Trinity Hall, University of Cambridge

See all the contributions to our econference on the Right To Be Forgotten in Europe and Beyond