In a landmark ruling, the European Court of Justice (ECJ) today held that search engines, as a principle, need to remove the link between search results and a webpage if it contains information the individual deems should be "forgotten."

In short, the ECJ decided that:

  1. Indexing information by a search engine is "processing of personal data."
  2. Google is a "controller" of personal data.
  3. Spanish data protection law is applicable, even if indexing happens in the U.S.
  4. Google should remove links to webpages containing personal data, even if the webpages themselves are lawful.
  5. A fair balance should be sought between the legitimate interests of search engine users and the privacy rights of individuals.
  6. The right to be forgotten is recognized by the Court of Justice.

The Facts

In 1998, a major Spanish newspaper published two short announcements about a real estate auction due to social security debts of a Spanish citizen. In 2009, this person contacted the newspaper, complaining that the announcements appeared in Google searches of his name. He argued that the search results were damaging his reputation and that the attachment proceedings relating to his social security debts had been resolved many years ago. He asked the newspaper to block the pages with the announcements from being indexed by search engines. The newspaper declined to remove the offending content, stating that publication had been ordered by the Spanish government. The publication is intended to give maximum publicity to the auction in order to attract as many bidders as possible.

The citizen then contacted Google in 2010 and filed a complaint with the Spanish data protection authority (the AEPD). The AEPD agreed to take on the case and sued Google. The AEPD took the view that it has the power to require the withdrawal of data and the prohibition of access to certain data by the operators of search engines when it considers that the locating and dissemination of the data are liable to compromise the fundamental right to data protection and the dignity of persons in the broad sense, and this would also encompass the mere wish of the person concerned that such data not be known to third parties. The Audiencia Nacional (the National High Court of Spain) submitted several questions to the ECJ regarding the application of the European Data Protection Directive.

The questions stem from the uncertainty regarding the interpretation of the Data Protection Directive of 1995 in the sphere of Internet communications. The questions relate to, as summarised by the ECJ, "what obligations are owed by operators of search engines to protect personal data of persons concerned who do not wish that certain information, which is published on third parties’ websites and contains personal data relating to them that enable that information to be linked to them, be located, indexed and made available to internet users indefinitely." A broad interpretation of the Data Protection Directive could constrain the operation of search engines, for instance if, as noted by the advocate general, they were considered as controllers of personal data on third party web pages.

The Court Decision

The ECJ today ruled against the advice of the advocate general, which is rather uncommon. The advocate general was of the opinion that the citizen should direct their request to the publisher, as they are the controllers of the data, and not to Google who would be a mere processor.

Google is a "controller" of personal data

The ECJ ruled that Google is not a mere processor but also a controller of personal data on third party webpages, because it is Google that decides upon the purposes and the means of the indexing activity.

Indexing is processing of personal data

The ECJ ruled that indexing information by a search engine is "processing of personal data." Indexing information (including personal data) is a "processing activity" in the sense of the European Data Protection Directive.

National data protection law is applicable

The ECJ ruled that Spanish data protection law is applicable, even if indexing happens in the U.S. As Google Spain is established in Spain and is a subsidiary of Google, Inc., the ECJ ruled that the promotion and selling, in Spain, of advertising space offered by the search engine makes Spanish data protection law applicable.

The ECJ held that the activities of a search engine, such as providing a search service, and those of its subsidiaries in a member state, such as selling advertising, are "inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed."

Data subjects may request the removal of links from Google

Google is obliged to remove the links to webpages containing personal data, even if the publication of those personal data on the webpages itself is lawful. The ECJ stated that the potential interference with a person's rights "cannot be justified by merely the economic interest which the operator of such an engine has in that processing." This removal of the links may be necessary because the search results "are liable to constitute a more significant interference with the data subject’s fundamental right to privacy than the publication on the webpage." Regarding search results, the ECJ states that "this information potentially concerns a vast number of aspects of his private life and that, without the search engine, the information could not have been interconnected or could have been only with great difficulty. Internet users may thereby establish a more or less detailed profile of the person searched against."

Fair balance between privacy and other interests

A fair balance should be found between, on the one hand, the legitimate interests of internet users who may be interested in having access to information and, on the other hand, the privacy rights of the citizen. This balance may be different from case to case, and may vary in particular according to the role the citizen plays in public life. The ECJ stated that this "balance may however depend, in specific cases, on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life."

Right to be forgotten

With today's ruling, the ECJ endorses a right to be forgotten under the current Data Protection Directive. A citizen may require Google to remove him or herself from search results, and hence make use of his or her "right to be forgotten," if the personal data have by now become inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed.

Broad implications

This ruling increases the rights of private individuals to remove themselves from search results. It also will make search results less reliable, as certain webpages will be omitted from search results. The ruling could impact the day-to-day operation of certain Internet companies, for instance by providing automated tools for people to remove themselves from search results. It could also potentially have broad implications for any service that uses third-party data sources containing personal data.

In the upcoming new Data Protection Regulation, the right to erasure is defined even more broadly. As a result, the present case will be of considerable interest to Internet companies and publishers regarding how the privacy rights of citizens are to be balanced against other rights, including the right to access information, the right to conduct a business and the freedom of expression. Indeed, although the information is still available on the original websites and can be consulted, it will become more difficult to find this information if the search engine has to remove some results from the list displayed following a search.

It is now up to the Spanish National High Court to decide whether the earlier decision of the Spanish Data Protection Authority should be annulled. The High Court will probably soon confirm the decision of the Data Protection Authority, obliging Google to "take the necessary measures to withdraw the data from their index and to render access to the data impossible in the future."

This ECJ decision will have an impact throughout the European Union, as the decision is similarly binding on any other EU national courts or tribunals before which a similar issue is raised.


Court decision details: Judgment in Case C-131/12, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González

Written By

Patrick Van Eecke



  • Richard Beaumont May 13, 2014

    There are going to be long term consequences for publishers as well as search engines here.
    It seems unlikely that Google will bear all the costs of this.
    They may change their index algorithms which will impact SEO. You could foresee some model that requires published personal data to carry some kind of expiry date, after which it will be removed. It would potentially be a way to shift responsibility back to the original publisher.
  • Ruby Zefo May 16, 2014

    Thanks for the very concise, factual summary.

