Hostname: page-component-586b7cd67f-tf8b9 Total loading time: 0 Render date: 2024-11-26T15:08:23.283Z Has data issue: false hasContentIssue false

Google Spain SL v. Agencia Esñpaola de Protección de Datos (AEPD)

Published online by Cambridge University Press:  20 January 2017

John W. Kropf*
Affiliation:
Washington, D.C.

Abstract

Image of the first page of this content. For PDF version, please use the ‘Save PDF’ preceeding this image.'
Type
International Decisions
Copyright
Copyright © American Society of International Law 2014

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

1 Case C-131/12, Google Spain SL v. Agencia Española de Protección de Datos (AEPD) (Eur. Ct. Justice May 13, 2014). The judgment and opinion of the Court of Justice of the European Union cited herein are available at its website, http://curia.europa.eu.

2 Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31 [here inafter Directive 95/46].

3 Law on the Protection of Personal Data(Boletín Oficial del Estado 1999, 298).

4 The Audiencia Nacional is commonly referred to in English as the National Court. The ECJ in Google Spain translates it as National High Court. The court has jurisdiction over criminal, appellate, administrative, and labor matters.

5 Case C-131/12, Google Spain SL v. Agencia Española de Protección de Datos (AEPD), Opinion of Advocate General Jääskinen (Eur. Ct. Justice June 25, 2013) [hereinafter Jääskinen].

6 The Directive distinguishes a “controller,” meaning a person or entity that “alone or jointly with others determines the purposes and means of the processing of personal data,” from a “processor,” a person or entity that “processes personal data on behalf of the controller.” Directive 95/46, supra note 2, Art. 2(d), (c), respectively.

7 The Directive defines “processing of personal data,” or “processing,” as “any operation or set of operations which is performed upon personal data, whether or not by automatic means,” and includes, inter alia, recording, storage, retrieval, disclosure by transmission, dissemination, blocking, erasure, and destruction. Id., Art. 2(b).

8 In response to the decision, Google stated that it will implement the rulings through newly established internal procedures. See the company’s announcement Search Removal Request Under European Data Protection Law, at https://support.google.com/legal/contact/lr_eudpa?product=websearch. The German Interior Ministry revealed its intention to establish “dispute-settlement mechanisms” for consumers who file takedown requests. see Patrick Donahue & Cornelius Rahn, Germany Mulls Arbitration for Web ‘Right to Be Forgotten,’ BloombergBusinessweek, May 27, 2014, at http://www.businessweek.com (search by title).

9 Treaty of Lisbon Amending the Treaty on European Union and the Treaty Establishing the European Community, Art. 16B(1), Dec. 13, 2007, 2007 O.J.(C306) 1,51 (stating that “[e]veryone has the right to the protection of personal data concerning them”).

10 Commission Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), Art. 17, COM (2012) 11 final (Jan. 25, 2012).

11 Directive 95/46, supra note 2, Arts. 18(3), 26(1)(f). Reference to public data is made in Article 8(e), which allows for the exception of personal data where “the processing relates to data which are manifestly made public by the data subject.”

12 Working Party on the Protection of Individuals with Regard to the Processing of Personal Data, Opinion No. 3/99 on Public Sector Information and the Protection of Personal Data (May 3, 1999), at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/1999/wp20_en.pdf.

13 Id. at 11.

14 Directive 2003/98/EC of the European Parliament and of the Council on the Re-Use of Public Sector Information, Art. 1(5), 2003 O.J. (L 345) 90, 93.

15 Jääskinen, supra note 5, paras. 104–06, 108–09, 111.

16 See, e.g., Svantesson, Dan Jerker B.,A “Layered Approach”to the Extraterritoriality of Data Privacy Laws, 3 Int’l Data Privacy L. 278 (2013)CrossRefGoogle Scholar, available at http://idpl.oxfordjournals.org/content/3/4/278.full.pdf+html.

17 See, for example, Yahoo!Inc. v. La Ligue Contre le Racisme et l’Antisemitisme, 433 F.3d 1199 (9th Cir.), cert. denied, 547 U.S. 1163 (2006), refusing (on grounds of ripeness) a challenge to a French court’s decision ordering Yahoo to implement technical or access control measures to block French users auctions featuring Nazi memorabilia that were hosted on the Yahoo.com site. The case illustrates the potential for jurisdictional conflict.

18 Charter of Fundamental Rights of the European Union, Art. 11, Dec. 7, 2000, 2000 O.J. (C 364) 1, 40 ILM 266 (2001). The charter also guarantees the right to the protection of personal data in Article 8.

19 See, e.g., Axel Springer AG v. Germany, App. No. 39954/08, para. 84 (Eur. Ct. H.R. Feb. 7, 2012).

20 See, e.g., Scott, Mark, Adapting to Privacy Ruling, Google Chooses to Hit ‘Undo, ’ N.Y. Times, July 5, 2014, at B3 (N.Y.C. ed.)Google Scholar.