IAPP-GDPR Web Banners-300x250-FINAL
DPI16_Banner_300x250 WITH COPY

In a landmark ruling the European Court of Justice (ECJ) today ruled that search engines, as a principle, need to remove the link between search results and a webpage if it contains information the individual deems should be "forgotten."

In short, the ECJ decided that:

  1. Indexing information by a search engine is "processing of personal data."
  2. Google is a "controller" of personal data.
  3. Spanish data protection law is applicable, even if indexing happens in the U.S.
  4. Google should remove links to webpages containing personal data, even if the webpages themselves are lawful.
  5. A fair balance should be sought between the legitimate interests of search engine users and the privacy rights of individuals.
  6. The right to be forgotten is recognized by the Court of Justice.

The Facts

In 1998, a major Spanish newspaper published two short announcements about a real estate auction due to social security debts of a Spanish citizen. In 2009, this person contacted the newspaper, complaining that the announcements appeared in Google searches of his name. He argued that the search results were damaging his reputation and that the attachment proceedings relating to his social security debts had been resolved many years ago. He asked the newspaper to block the pages with the announcements from being indexed by search engines. The newspaper declined to remove the offending content, stating that publication had been ordered by the Spanish government. The publication is intended to give maximum publicity to the auction in order to attract as many bidders as possible.

The citizen then contacted Google in 2010 and filed a complaint with the Spanish data protection authority (the AEPD). The AEPD agreed to take on the case and sued Google. The AEPD took the view that it has the power to require the withdrawal of data and the prohibition of access to certain data by the operators of search engines when it considers that the locating and dissemination of the data are liable to compromise the fundamental right to data protection and the dignity of persons in the broad sense, and this would also encompass the mere wish of the person concerned that such data not be known to third parties. The Audienca Nacional (the National High Court of Spain) submitted several questions to the ECJ regarding the application of the European Data Protection Directive.

The questions stem from the uncertainty regarding the interpretation of the Data Protection Directive of 1995 in the sphere of Internet communications. The questions relate to, as summarised by the ECJ "what obligations are owed by operators of search engines to protect personal data of persons concerned who do not wish that certain information, which is published on third parties’ websites and contains personal data relating to them that enable that information to be linked to them, be located, indexed and made available to internet users indefinitely." A broad interpretation of the Data Protection Directive could constrain the operation of search engines, for instance if, as noted by the advocate general, they were considered as controllers of personal data on third party web pages.

The Court Decision

The ECJ today ruled against the advice of the advocate general, which is rather uncommon. The advocate general was of the opinion that the citizen should direct their request to the publisher, as they are the controllers of the data, and not to Google who would be a mere processor.

Google is a "controller" of personal data

The ECJ ruled that Google is not a mere processor but also a controller of personal data on third party webpages, because it is Google that decides upon the purposes and the means of the indexing activity.

Indexing is processing of personal data

The ECJ ruled that indexing information by a search engine is "processing of personal data." Indexing information (including personal data) is a "processing activity" in the sense of the European Data Protection Directive.

National data protection law is applicable

The ECJ ruled that Spanish data protection law is applicable, even if indexing happens in the U.S. As Google Spain is established in Spain and is a subsidiary of Google, Inc., the ECJ ruled that the promotion and selling, in Spain, of advertising space offered by the search engine makes Spanish data protection law applicable.

The ECJ held that the activities of search engines, such as providing a search service, and those of its subsidiaries in a member state, such as selling advertising, are "inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed.”

Data subjects may request the removal of links from Google

Google is obliged to remove the links to webpages containing personal data, even if the publication of those personal data on the webpages itself is lawful. The ECJ stated that the potential interference of a person's rights "cannot be justified by merely the economic interest which the operator of such an engine has in that processing." This removal of the links may be necessary because the search results "are liable to constitute a more significant interference with the data subject’s fundamental right to privacy than the publication on the webpage." The ECJ states regarding search results "this information potentially concerns a vast number of aspects of his private life and that, without the search engine, the information could not have been interconnected or could have been only with great difficulty. Internet users may thereby establish a more or less detailed profile of the person searched against."

Fair balance between privacy and other interests

A fair balance should be found between on the one hand the legitimate interests of internet users who may be interested in having access to information and, on the other hand the privacy rights of the citizen. This balance may be different from case to case, and may vary in particular according the role the citizen plays in public life. The ECJ stated that this "balance may however depend, in specific cases, on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life."

Right to be forgotten

Today's ruling endorses a right to be forgotten by the ECJ under the current Data Protection Directive. A citizen may require Google to remove him or herself from search results, and hence, make use of his or her "right to be forgotten," if the personal data have become today inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed.

Broad implications

This ruling increases the rights of private individuals to remove themselves from search results. It also will make search results less reliable, as certain webpages will be omitted from search results. The ruling could impact the day-to-day operation of certain Internet companies, for instance by providing automated tools for people to remove themselves from search results. It could also potentially have broad implications for any service that uses third-party data sources containing personal data.

In the upcoming new Data Protection Regulation, the right to erasure is defined even more broadly. As a result, the present case will be of considerable interest to Internet companies and publishers regarding how the privacy rights of citizens are to be balanced against other rights, including the right to access information, to conduct a business but also the freedom of expression. Indeed, although the information is still available on the original websites and can be consulted, it will become more difficult to find this information if the search engine had to remove some search results from the list of results displayed following a search made.

It is now up to the Spanish National High Court to decide whether or not the earlier decision of the Spanish Data Protection Authority should be annulled or not. The High Court will probably soon confirm the decision of the Data Protection Authority, obliging Google to "take the necessary measures to withdraw the data from their index and to render access to the data impossible in the future."

This ECJ decision will have an impact throughout the European Union, as the decision is similarly binding on any other EU national courts or tribunals before which a similar issue is raised.


Court decision details: Judgment in Case C-131/12, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González

Written By

Patrick Van Eecke


If you want to comment on this post, you need to login.

  • Richard Beaumont May 13, 2014

    There are going to be long term consequences for publishers as well as search engines here.
    It seems unlikely that Google will bear all the costs of this.
    They may change their index algorithms which will impact SEO. You could forsee some model that requires published personal data to carry some kind of expiry date, after which it will be removed. It would potentially be a way to shift responsibility back to the original publisher.
  • Ruby Zefo May 16, 2014

    Thanks for the very concise, factual summary.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Spots Going Fast

With the top minds in the field leading this exceptional program, it's no wonder it's filling quickly. Register now to secure your spot.

Be Part of Something Big: Join the Summit

Registration is open for the Global Privacy Summit 2016. Discounted early bird rates available for a short time, register today!

Data Protection Intensive Returns to London

Registration is now open for the IAPP Europe Data Protection Intensive in London. Check out the program!

P.S.R. Call for Speakers Open!

P.S.R. is THE privacy + cloud security event of the year, and you can take a leading role. Propose a session for this year's program.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»