W Gregory Voss. Business Lawyer. Volume 71, Issue 1. Winter 2015/2016.
Introduction
The past year has seen various developments that are modifying data privacy law in the European Union (EU), with consequences for various sectors of business. Over a year ago, the Court of Justice of the European Union (ECJ) issued its now-famous Google Spain decision, recognizing a so-called “right to be forgotten.” This has been followed by EU member state court decisions raising issues for Internet search engines, publishers of information, and potentially other Internet intermediaries. Coordinated European action with respect to Google’s privacy policy, discussed in last year’s survey, has continued, with implications for other companies offering services that collect and process individual users’ data on the web. Thus, while Google may seem to have been singled out in a year when that firm is also under European competition law scrutiny, the lessons to be drawn are more broadly applicable.
In addition, threats of terrorism and the Charlie Hebdo terrorist attacks in Paris have led to a strengthening of police powers impacting Internet companies and raised calls for airlines in the EU to furnish information about their passengers to law enforcement authorities. Finally, this survey addresses ongoing work on the EU data protection law reform proposals.
Google Spain and the “Right to be Forgotten”: The Sequel
On May 13, 2014, the ECJ rendered its decision in the Google Spain case, involving the request for a ruling by a Spanish court on points of EU law related to a lawsuit brought by Mr. Costeja González against Google Spain SL and Google Inc. The plaintiff sought a court order prohibiting the Google search engine from displaying, in response to a search of his name, a link to a 1998 article published in the Catalan newspaper, La Vanguardia, which disclosed that the plaintiff had been subject to a real-estate auction to satisfy his social security debts. The ECJ ruled that an individual has the right to object to a search engine’s linking to personal information about him, and that evaluation of such an objection calls for a balancing of rights and interests. Criteria applicable to this balancing include the relevance or obsolescence of the data, whether there is a public interest in access to the data, and the published information’s “sensitivity for the data subject’s private life.”
As a result of the Google Spain decision, Google set up an online form allowing individuals to request exercise of this right. As of August 12, 2015, Google received 294,977 delisting requests and deleted 58.7 percent (or approximately 628,102) of the 1,070,021 URL search engine results that the company examined as a result of the delisting requests.
In addition, Google formed a council of experts that consulted with, among others, representatives of government, business, media, academia, the technology sector, and data protection organizations at seven hearings in certain European capitals from September through November 2014 in order to gather advice on how to handle delisting requests. As a result of those hearings, the council issued a report, noting that the privacy right recognized in the Google Spain ruling applies regardless of whether there is harm or prejudice to the data subject, but opining that the presence of such harm (assessed on an “ethical, legal, and practical basis”) is relevant in the balancing of the interest of the general public to access information against the fundamental rights of the data subject. The report sets out four primary criteria for assessing delisting requests: the data subject’s role in public life, the nature/type of information, its source, and how much time has passed since its publication. The council acknowledged that “[m]any people have questioned whether it is appropriate for a corporation to take on what may otherwise be considered a judicial role.”
The report also addressed what it described as the “difficult question” of the geographic scope of the delisting right. Based on Google’s claim that 95 percent of searches from Europe are made via the nationally directed versions of the search engine (i.e., those with country-code domains, such as “google.de” and “google.fr”), and on competing considerations regarding access to information from those outside of Europe, it concluded that “removal from nationally directed versions of Google’s search services within the EU is the appropriate means to implement the Ruling,” thereby not requiring delisting from searches made via generic domains such as “.com.”
The EU’s independent privacy advisory panel created pursuant to Article 29 of the Data Protection Directive—commonly referred to as the Article 29 Data Protection Working Party (WP 29)—took a different view in guidelines it issued about Google Spain on November 26, 2014. The guidelines state that the decision applies not only to search engines with an EU member state country-code domain name, but that “de-listing should also be effective on all relevant domains, including .com.” Consistent with such position, on May 21, 2015, the French data protection authority (CNIL) formally ordered Google to apply the delisting decision to all of the search engine’s domain names, failing which a procedure could be commenced in view of the potential application of sanctions. The CNIL publicly announced the decision in June 2015. Google responded in a blog post on July 30, 2015, contesting the authority’s order, and the CNIL announced that it would study and answer Google’s statement within two months.
WP 29 also confirmed that complaints for search engine refusals to delist, which are to be made to the relevant member state data protection authorities (DPAs), are to be treated by the DPAs “under their national legislation in the same manner as all other claims/complaints/requests for mediation.” WP 29 also made it clear that the guidelines do not solely target Google, and that Google Spain “is specifically addressed to generalist search engines, but that does not mean that it cannot be applied to other intermediaries.” Therefore, other operators of websites that link to web content involving personal data of EU residents should study the decision and consider its potential future application to them, even though it has only been applied to search engines to date.
On December 29, 2014, the Audiencia Nacional (Spain’s national appellate court of ordinary jurisdiction) issued its judgment applying the ECJ’s Google Spain decision, thus firmly fixing the “right to be forgotten” in Spanish law. Earlier that same month, the French Tribunal de Grande Instance (the ordinary court of original jurisdiction) of Paris issued an injunctive order for Google Inc. to de-index, or delete the links to, certain web pages of Le Parisien newspaper, regarding information about the criminal conviction of an individual published eight years earlier. The claimant argued, inter alia, that the results linking to such pages when a search was made using her first and last names harmed her chances of getting a job. The court found claimant’s claim well founded. The court’s order, which followed the rejection by Google in September 2014 of claimant’s request to exercise her right to be forgotten using the form supplied by Google following the Google Spain decision, marked the first time Google has been sanctioned in France for failing to respect the “right to be forgotten” after the ECJ’s judgment.
Further Action on Google’s Privacy Policy
During the past year, DPAs in the EU moved forward with actions they had brought against Google based on the 2012 revision of its privacy policies into a single merged policy. Notably, the United Kingdom’s DPA, the Information Commissioner’s Office (ICO), “required Google to sign a formal undertaking to improve the information it provides to people about how it collects personal data in the UK,” based on its finding that the policy was too vague, even though the ICO’s head of enforcement stated that its “investigation concluded that th[e] case ha[d]n’t resulted in substantial damage and distress to consumers.” After setting out the background of the proceedings against Google, the undertaking specifies the search engine’s commitments, which may serve as a guide to other online businesses for best practices regarding their privacy policies where they offer a variety of services to consumers. For example, Google undertakes to continuously engage in privacy impact assessment for changes to processing not reasonably expected by users, to have user experience specialists and representative user groups review significant future changes to the policy, and to inform the ICO in advance of any significant changes to the policy, among other commitments.
Enhanced Security Measures in the Aftermath of the Charlie Hebdo Attacks
On January 7, 2015, three terrorists killed twelve people (including two police officers) in connection with their attack on the Paris office of the French satirical journal Charlie Hebdo. In a related attack that occurred two days thereafter, four people were killed at a kosher grocery on the outskirts of Paris. Those attacks, which involved perpetrators with “deep histories of association with terrorist organizations,” have given impetus to the establishment of additional security measures, certain of which were commenced previously, both on the French national level (websites and surveillance) and on the EU level (airline passenger name records), which will affect businesses in the Internet and airline industries, respectively. Nonetheless, WP 29 rapidly reminded Europeans of their fundamental values, including protection of private life and personal data, and of the need to strike a balance with public security needs, and stated that the EU DPAs looked forward “to contributing to the discussion on how to strike this balance.”
France—Websites and Surveillance
Prior to the attacks, France adopted a law providing new powers in the battle against terrorism. Article 5 of that law added a new Article 421-2-5 to the French Criminal Code allowing the prosecution of those inciting or justifying acts of terrorism and increasing sanctions if any such violation was committed using the Internet.
Following the attacks, French Interior Minister Bernard Cazeneuve went to Silicon Valley to ask Google, Facebook, and Twitter to cooperate directly with French officials during investigations and to take down terrorist material. Cazeneuve explained: “We emphasized that when an investigation is underway we don’t want to go through the usual government to government channels, which can take so long.” France reportedly was “pushing to treat jihadi material on the Internet like child porn, a task that before the attacks in Paris was getting scant traction but now seems to have caught the attention of Europe’s top security officials.” This may have been reflected in the decree France issued on February 5, 2015, providing, inter alia, for the blocking of websites inciting acts of terrorism or justifying them (as well as those distributing child pornography). Internet service providers must block the sites within twenty-four hours after the Ministry of the Interior provides them with a list of prohibited websites. A subsequent decree provides that the Ministry of the Interior may notify search engines and web directories of content inciting acts of terrorism or justifying them, whereupon the search engines and directories have forty-eight hours in which to delist the content. The latter decree would notably be used by the Ministry of the Interior where its corresponding request to a website under the prior decree proved futile. A special office to fight criminality involving information and communication technologies, whose name is abbreviated as “OCLCTIC,” has been set up under the Ministry of the Interior for transmission of blocking requests, and a platform called “PHAROS” has been established for web users to report infringing content, which may involve text, photos, videos, etc.
The French DPA has a supervisory function that it exercises through the use of a designated authorized person within the DPA who may make recommendations if there is a questionable blocking request made by the authorities and, if the recommendations are not followed, present the issue for resolution by an administrative judge.
On May 5, 2015, the French National Assembly voted on first reading in favor of a version of the so-called French Surveillance Bill, which would add various articles to the French Internal Security Code. The bill reportedly would “give the authorities their most intrusive domestic spying abilities ever, with almost no judicial oversight,” allowing intelligence services, inter alia, to “read emails and force Internet companies to comply with requests to allow the government to sift through virtually all of their subscribers’ communications.” The bill would create a supervisory organization called the National Commission to Control Intelligence Techniques (CNCTR), which would rule on requests to initiate surveillance. Metadata “would be electronically sorted, and only if the sites visited or the searches carried out suggested suspicious behavior as defined by the intelligence services would a human review of a person’s emails and Internet browsing occur.”
The bill, which was described by the president of the Paris Bar Association as a French analog to the U.S. Patriot Act, and which has been subject to objections from a broad array of Internet-oriented businesses, went before the French Senate, the upper house of the French Parliament, which made various amendments to the bill, and finally adopted an amended version on June 23, 2015, which was then adopted by the French National Assembly on June 24, 2015. On June 25, 2015, French President François Hollande, the President of the French Senate, and sixty members of the French National Assembly submitted the recently adopted French Surveillance Act to the French Constitutional Council (Conseil Constitutionnel) for review of its constitutionality. A French Internet users’ rights organization (La Quadrature du Net) and French Internet service provider associations (French Data Network and FDN Federation) stated that they had filed amicus briefs against the French Surveillance Act. The European Parliament announced that its Civil Liberties Committee would debate concerns over the Act on July 2, 2015, and that members “are likely to ask the Commission to investigate whether the law is in line with EU treaties and the Charter of Fundamental Rights.”
On July 23, 2015, the French Constitutional Council issued its decision, largely upholding the French Surveillance Act; the council, however, invalidated portions of the law, such as those provisions that permitted emergency surveillance without the approval of the prime minister or another governmental minister.
Internet companies with activities in France should review this legislation and the decision of the Constitutional Council and any subsequent legislative reaction either at the French or EU level, and any potential EU judicial challenge, to determine their possible obligations under the legislation.
Europe—Airline Passenger Name Records
In 2004, a few short years after the World Trade Center terrorist attacks in New York, the United States and the EU negotiated an agreement allowing the transfer of personal data of airline passengers traveling from Europe to the United States, where the cross-border data transfer restrictions of the Data Protection Directive would otherwise have prevented such transfer. Years later, in 2011, the European Commission proposed a directive that would harmonize the few member state laws regarding the collection of such passenger name record (PNR) data. PNR data may include travel itineraries and dates, contact details, payment methods, and other personal information that may be useful to law enforcement authorities. The proposed PNR Directive “aims to harmonise Member States’ provisions on obligations for air carriers, operating flights between a third country and the territory of at least one Member State, to transmit PNR data to the competent authorities for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime.” On April 29, 2013, the European Parliament’s Civil Liberties Committee recommended that the European Parliament reject the Commission’s proposed PNR Directive. However, this proposal gained support recently, especially since the Charlie Hebdo attacks and the discovery that terrorists have traveled by air between Europe and areas of conflict in Syria.
WP 29 recognized the changed circumstances, noting that, following the Charlie Hebdo and other attacks in Paris in early January 2015, “the potential establishment of an EU PNR system took over the international headlines.” It cautioned, however, that, because of the fundamental rights involved, the measure would be justified “only if its necessity was to be demonstrated and the principle of proportionality respected.”
In February 2015, a member of the European Parliament, Timothy Kirkhope, circulated an alternative to the proposed PNR Directive, which included coverage of all (including intra-EU) flights, access to terrorism-related PNR data for five years, and other security and data protection measures. While acknowledging that this new draft offers some improvements, WP 29 took the position that the draft “is likely to seriously undermine the rights as set out in Articles 7 and 8 of the Charter of Fundamental Rights in the European Union,” that the instrument’s necessity still needs to be proved, and that there should be further restrictions “to ensure that the data processing is proportionate to the purpose pursued,” especially because the new draft would apply to intra-EU flights. WP 29 added that the use of data should be limited to certain crimes, the system should be periodically evaluated, including a first evaluation after two years at the latest, and that the measure must comply with the requirements of the ECJ decision striking down the Data Retention Directive regarding retention periods for the data, inter alia.
On July 15, 2015, the European Parliament’s Civil Liberties Committee by a vote of thirty-two to twenty-seven approved the new PNR rules as amended by it, and also mandated the opening of negotiations with the EU Council of Ministers. Use of the PNR data would be limited to the prevention, detection, and investigation of terrorism and serious transnational crimes. Other safeguards inserted in the draft legislation included, inter alia, the requirement that data protection officers be appointed by member state Passenger Information Units (PIUs), that PNR data processing be logged or documented, that passengers must be informed about their rights and the collection of their PNR data, and that “stricter conditions would govern any transfer of data to third countries.”
The current Luxembourg Presidency of the EU Council expects to be able to reach agreement with the European Parliament on the PNR proposals by the end of the Presidency’s term, which terminates on December 31, 2015. Airlines and other travel businesses such as tour operators and travel agencies are likely to be affected once the PNR Directive is enacted, in terms of collecting and turning over information, but also with potential effects on their relationship with their customers, as they become data collecting agencies for authorities in EU countries, potentially even for intra-EU flights.
Ongoing Work on European Union Data Protection Law Reform
On January 25, 2012, the European Commission proposed a new General Data Protection Regulation (GDPR) which, if adopted, would have replaced the Data Protection Directive and applied directly throughout the EU. Two years later, on March 12, 2014, the European Parliament voted overwhelmingly in favor of a compromise text of the GDPR.
In its May 2015 blueprint for a European digital single market, the European Commission stated that the GDPR is “due to be adopted by the end of 2015.” In a communication setting out the details of its strategy, the Commission announced that, in 2016, it will propose a European “[f]ree flow of data” initiative, which “will address the emerging issues of ownership, interoperability, usability and access to data in situations such as business-to-business, business to consumer, machine generated and machine-to-machine data.”
Though the Council had been partly responsible for delay in the adoption of the GDPR, the Council eventually finalized a common position on all points of the proposed GDPR on June 15, 2015. The European Parliament and the Council must agree on the same text under the ordinary legislative procedure in order for it to become law. A trilogue involving the Council, the European Parliament, and the European Commission began on June 24, 2014. WP 29 previously criticized the Council’s interim partial draft allowing further processing of data “even if the purpose is incompatible with the original one as long as the controller has an overriding interest in this processing.” In addition, the European Parliament’s rapporteur and lead negotiator for the GDPR, Jan Philipp Albrecht, “stressed that several important issues still needed to be worked out with the Council, such as the need for consumers to give consent for the use of their data, the duties of data controllers and what fines should be imposed on companies that break the rules.” Thus, there is still work to be done in order to reach a full agreement on all points between the European institutions on the GDPR text, in a way that allays the concerns of privacy advisors.
Conclusion
This survey has focused on data privacy developments linked to two major events in the news—the ECJ’s Google Spain ruling and the Charlie Hebdo terrorist attacks. Privacy developments that seemingly involve only one company—namely, Google—have wider implications, and should be of interest to other firms as well. These developments impact various industries and categories of professionals: Internet search engines, certainly, but also other Internet intermediaries and companies that process personal data (including those that publish them on the Internet), media, journalists, airlines, travel industries, and others. Hopefully, this survey will encourage readers to monitor developments in these areas.