European Union and Google Spain
This paper provides an overview of the legal framework governing the liability of Internet intermediaries in the European Union (EU) with a focus on the E-Commerce Directive, analyzing the Google Spain ruling as an example for evaluating the interaction between the intermediary liability regime and data protection law.
European Union and Google Spain
Authors: Aleksandra Kuczerawy and Jef Ausloos
Interdisciplinary Centre for Law & ICT (ICRI), KU Leuven
Abstract: This paper[1] provides an overview of the legal framework governing the liability of Internet intermediaries in the European Union (EU). The E-Commerce Directive undoubtedly constitutes the key legal instrument targeting Internet intermediaries on the EU-wide level. After outlining the key provisions in this Directive, the paper will analyze the Google Spain ruling as a case study.[2] This ruling is particularly interesting for two reasons. First of all, it involves a type of intermediary (search engine) whose legal position is largely undefined at the EU level. Secondly, the Google Spain case concerns the position of search engines vis-à-vis the personal data they process. In this regard, it is an ideal case study with which to evaluate the interaction between the intermediary liability regime and data protection law. Additionally, it provides food for thought with regard to the role of intermediaries in the governance of the Internet.
[1] Part of the research leading to these results has received funding from the European Community’s Seventh Framework Programme for research, technological development and demonstration in the context of the EXPERIMEDIA project (www.experimedia.eu) under grant agreement no: 287966 and the REVEAL project (revealproject.eu) under grant agreement no: 610928, as well as the Flemish research institute iMinds (www.iminds.be).
[2] CJEU, Google Spain, C-131/12, Grand Chamber, 13.05.2014, http://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=264438.
Table of Contents
I. Introduction
II. EU regime on liability of Intermediaries – E-Commerce Directive 2000/31/EC
A. Scope
B. Liability Exemptions for Intermediaries
1. Mere conduit
2. Caching
3. Hosting
4. No general obligation to monitor
III. Review of the E-Commerce Directive
A. Criticism
1. Legal Fragmentation
2. Legal Uncertainty
3. Notice and Takedown
B. Notice & Action Initiative
IV. Situation of search engines
A. Relevance of Search Engines / Information Location tool services
B. Search engines regulation across the EU
V. Google Spain case
A. The Ruling
1. Facts
2. Decision
B. Particularities
1. Notification
2. Taking down legitimate information?
3. Autonomy
C. Aftermath
D. Looking ahead
VI. Conclusion
I. Introduction
After introducing the liability regime for Internet intermediaries in the EU, this working paper makes a deep-dive into the particular position of search engines. The Court of Justice of the EU (CJEU) has recently issued a ruling obliging search engines to de-link certain results when person-names are used as search terms. The so-called Google Spain Case also highlights the important discussion on the interaction between data privacy laws and intermediary liability exemptions. Using this case as the thread throughout the second half of the paper, we identify the core issues that are relevant and need further research.
II. EU regime on liability of Intermediaries – E-Commerce Directive 2000/31/EC
In the European Union, Directive 2000/31 regulates the liability of Internet intermediaries on certain legal aspects of information society services, in particular electronic commerce in the Internal Market (E-Commerce Directive, ECD).[3]
The E-Commerce Directive was proposed by the European Commission in 1998, and signed by the European Parliament and the Council of the EU in June 2000. Member States had until January 2002 to implement the Directive into their national legal orders.[4]
As observed in the preamble to the Directive, the development of information society services within the Community is hindered by a number of legal obstacles that make the exercise of the freedom of establishment and the freedom to provide services less attractive.[5] Moreover, ‘these obstacles arise from divergences in legislation and from the legal uncertainty as to which national rules apply to such services’.[6] The goal of the Directive, therefore, is to create a legal framework to ensure the free movement of information society services between Member States. The Directive aims to achieve this by realizing two main objectives. In the first instance, it seeks to remove certain legal obstacles hampering the development of electronic commerce within the internal market. At the same time, it is also aimed at providing legal certainty and ensuring consumer confidence towards electronic commerce. The development of electronic commerce was considered a crucial factor that would stimulate economic growth and investment in innovation by European companies, and which could also enhance the competitiveness of European industry.[7]
The Directive only partially succeeded in achieving its objectives. Since the introduction of the Directive, e-commerce in the EU has generally grown.[8] However, it is still less advanced than in the United States and the Asia-Pacific.[9] For a long time cross-border activity remained low,[10] although steady growth can be observed in the last few years.[11] Nonetheless, the European Commission has expressed the view that more needs to be done in order to achieve the Directive’s full potential.[12]
The E-Commerce Directive regulates several aspects of information society services, including freedom of services, the treatment of electronic contracts, and liability issues for third party content, among others. In this section we briefly present the scope of the Directive before focusing more extensively on the intermediary liability provisions.
[3] Directive 2000/31 of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce), OJ L 178, 17.07.2000, 1-16.
[4] See more in: First Report on the Application of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on the Directive on Electronic Commerce, COM(2003) 702 final, Brussels, 21.11.2003.
[5] Freedom of establishment (articles 49 to 55 TFEU) and freedom to provide services (56 to 62 TFEU) are intended to guarantee the mobility of businesses and professionals within the EU (See: recital (5) to the E-Commerce Directive). See more at: http://www.europarl.europa.eu/aboutparliament/en/displayFtu.html?ftuId=FTU_3.1.4.html; See the full text of the Treaty on the Functioning of the European Union at: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012E/TXT.
[6] Recital (5) to the E-Commerce Directive.
[7] Recital (2) to the E-Commerce Directive.
[8] Commission Communication to the European Parliament, The Council, The Economic and Social Committee and The Committee of Regions, A coherent framework for building trust in the Digital Single Market for e-commerce and online services {SEC(2011) 1640 final} http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2011:0942:FIN:EN:PDF, p. 3.
[9] Ibid. p.3.
[10] 5th Consumer Conditions Scoreboard, Consumers at home in the single market, European Commission, March 2011, http://ec.europa.eu/consumers/consumer_research/editions/cms6_en.htm.
[11] 9th Consumer Conditions Scoreboard, Consumers at home in the single market, European Commission, July 2013, http://ec.europa.eu/consumers/archive/consumer_research/editions/docs/9th_edition_scoreboard_en.pdf.
[12] Commission Communication to the European Parliament, The Council, The Economic and Social Committee and The Committee of Regions, A coherent framework for building trust in the Digital Single Market for e-commerce and online services {SEC(2011) 1640 final} http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2011:0942:FIN:EN:PDF, p. 6. For the analysis of the remaining obstacles to the development of the e-commerce in the EU see also Commission Staff Working Document Online services, including e-commerce, in the Single Market, Brussels, 11.1.2012 SEC(2011) 1641 final.
http://ec.europa.eu/internal_market/e-commerce/docs/communication2012/SEC2011_1641_en.pdf; and Summary of the results of the Public Consultation on the future of electronic commerce in the Internal Market and the implementation of the Directive on electronic commerce (2000/31/EC), available at: http://ec.europa.eu/internal_market/consultations/docs/2010/e-commerce/summary_report_en.pdf.
A. Scope
The E-Commerce Directive applies to ‘information society services’. Such services are defined as ‘any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services’ (art. 2.a E-Commerce Directive). The notion of ‘information society services’ covers a wide range of services. Many of the economic activities that take place online fall under the scope of the E-Commerce Directive. Examples of the services falling under this broad definition can be found in Recital (18) to the Directive. They may include (in so far as they represent an economic activity): online contracting, services providing transmission of information via communication networks, services providing access to a communication network, hosting of information, as well as services that do not give rise to on-line contracting, e.g. those that offer on-line information or commercial communications or those that provide tools allowing for search, access and retrieval of data.[13]
The key elements in determining whether or not a particular service can be qualified as an information society service are as follows:
- remuneration[14];
- distance;
- electronic means;
- individual request of a recipient[15].
The E-Commerce Directive also excludes a number of services and legal issues from its scope such as, for example, questions covered by the Data Protection Directive (art. 1 (5). b).[16]
[13] See Recital (18) to the E-Commerce Directive for more examples.
[14] The element of remuneration does not necessarily refer to the specific way in which the service is financed. Rather than that, it refers to the existence of an economic activity or an activity for which an economic consideration is given in return. Information society services therefore extend to services which are not remunerated by those who receive them. This means that a service financed through advertising, such as for example social networking site or a search engine, would be classified as an information society service.
[15] The element of “individual request of a recipient of services” covers an activity of visiting a website. The transmission of data is initiated on demand, by an individual ‘requesting’ the URL or following a link.
[16] Additionally, the Directive does not apply to: issues related to taxation; questions relating to agreements or practices governed by cartel law; the activities of notaries or equivalent professions to the extent that they involve a direct and specific connection with the exercise of public authority. See article 5.1 E-Commerce Directive.
B. Liability Exemptions for Intermediaries
The E-Commerce Directive regulates the liability of intermediary service providers in Section 4. This part of the Directive contains provisions introducing liability exemptions for certain types of intermediary services. Only three types of services are covered, namely ‘mere conduit’ (article 12), ‘caching’, (article 13) and ‘hosting’ (article 14). In order to benefit from these exemptions, providers of such services must comply with the conditions of each article.
The liability provisions of the E-Commerce Directive reconciled two main arguments in the debate taking place between the Internet industry and EU policy makers at the time. On one hand, there was the concern that if intermediaries were to be held liable for third party content on similar grounds as ‘publishers’, it could restrain service providers from entering the market.[17] On the other hand, the European Commission recognized the role that Internet intermediaries could play in limiting illegal online content and, through that, improved public trust and confidence in the Internet as a safe space for economic activity.[18] The balance that was reached was meant to stimulate growth and innovation of the newly born technology and provide positive incentives for further development, which would effectively contribute to reaching the goals delineated in the E-Commerce Directive.[19]
The scope of the liability exemptions in the E-Commerce Directive is horizontal. This means that the liability exemptions cover various types of illegal content and activities (infringements on copyright, defamation, content harmful to minors, unfair commercial practices, etc.) and different kinds of liability (criminal, civil, direct, indirect).[20]
If the conditions for being exempt from liability are not met, this does not mean that the intermediary is per se subject to liability. The effect is that the intermediary can no longer rely on the immunity provided by the Directive. The question of liability is then determined under the applicable material law specific for the type of infringing content in each Member State.[21]
[17] OECD, Directorate for Science, Technology and Industry, Committee for Information, Computer and Communication Policy, The Role of Internet Intermediaries In Advancing Public Policy Objectives, Forging partnerships for advancing public policy objectives for the Internet economy, Part II, 22.06.2011, p. 12.
[18] Ibid., p. 12.
[19] See Recitals 1-6 of the E-Commerce Directive.
[20] Helberger N., et al., ‘Legal Aspects of User Created Content’ in IDATE, TNO, IViR, User-Created Content: Supporting a Participative Information Society, Study for the European Commission (DG INFSO), December 2008, p. 220, available at: http://www.ivir.nl/publications/helberger/User_created_content.pdf.
[21] Van Eecke P., Truyens M., Legal analysis of a Single Market for the Information Society, New rules for a new age? a study commissioned by the European Commission's Information Society and Media Directorate-General, November 2009. Chapter 6: Liability of Online Intermediaries, p.10. Available at: http://ec.europa.eu/information_society/newsroom/cf/document.cfm?doc_id=842.
1. Mere Conduit
Art. 12 targets traditional Internet access providers and backbone operators. The liability exemption provided in this provision refers to providers of ‘mere conduit’ services, which are described as:
- services which consist of the transmission in a communication network of information provided by a recipient of the service (‘transmission services’); and
- services which consist of the provision of access to a communication network (‘access services’).
Recital (42) further stipulates that the exemptions provided by the Directive apply only to cases ‘where the activity of the information society service provider is limited to the technical process of operating and giving access to a communication network (…)’.[22] It further elaborates that such activities are of a mere technical, automatic, and passive nature, which implies that the information society service provider has neither knowledge of nor control over the information it transmits or stores.[23] The services described in art. 12 are sometimes compared to postal services, which are similarly not held liable for the illegal content of a letter.[24]
The ‘mere conduit’ exemption of liability only applies on the condition that the service provider:
- (a) does not initiate the transfer of data ;
- (b) does not select the recipient of the data; and
- (c) does not select or modify the transmitted data.
The liability exemption for mere conduits also extends to the automatic, intermediate, and transient storage of the information transmitted. This is the case if the storage takes place for the sole purpose of carrying out the transmission in the communication network. Moreover, the information cannot be stored for any period longer than is reasonably necessary for the transmission (art. 12.2).
Despite the lack of liability of the service provider (when the conditions are met), national courts and administrative authorities may direct prohibitory injunctions towards a provider of a ‘mere conduit’ service. Such injunction must be in accordance with the law of the Member State where the case is decided (Article 12.3).[25]
[22] Recital (42) to the E-Commerce Directive.
[23] While recital (42) purports to address all of the exemptions of the Directive, one might argue that the scope of this part of the recital should be limited to the transmission and access services identified in articles 12 and 13. After all, the exemption for hosting identified in art. 14 does not limit its scope to either transmission or access services (see also Montéro, E., ‘Les responsabilités liées au web 2.0’, Revue du Droit des Technologies de l’Information 2008, n° 32, p. 367). However, the ECJ has held recital (42) equally applicable to hosting services: see European Court of Justice, Joined Cases C-236/08 to C-238/08, 23 March 2010 (Google France and Google v. Louis Vuitton Malletier a.o.), paragraphs 113-114.
[24] Lodder A., ‘Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, in Lodder A. and Kasspersen (eds.), eDirectives: Guide to European Union Law on E-commerce – Article by Article Comments, Kluwer Law international, 2002, p. 87.
[25] The matter of injunction towards an Internet service provider was discussed recently by the Court of Justice of the European Union (CJEU) in the UPC Telekabel. The case concerned an injunction for the Internet service provider (UPC Telekabel) to block access of its customers to a website making available to the public copyright infringing materials. The Court ruled that an injunction ordering blocking access to such website does not have to specify the measures to be taken by the ISP. As long as the ISP takes all reasonable measures to achieve the result defined in the injunction, it shall not be a subject to penalties for breach of the injunction. These measures should have the effect of preventing unauthorized access to the protected material or, at least, of making it difficult to achieve and of seriously discouraging Internet users. At the same time such measures should appropriately balance other rights at stake. See par. 64 of the ruling. See: CJEU, Case C 314/12, 27 March 2014, (UPC Telekabel Wien).
2. Caching
The second liability exemption provided by the E-Commerce Directive applies to the ‘caching’ of information. The provision is targeted at providers of so called ‘proxy-servers’.[26]
Caching is defined as ‘the automatic, intermediate and temporary storage of that information, performed for the sole purpose of making more efficient the information’s onward transmission to other recipients of the service upon their request’.[27] This exemption covers only information society services which consist of the transmission in a communication network of information provided by a recipient of the service (‘transmission services’) (art. 13.1).[28] Just as ‘mere conduits’, providers of this type of service can only be exempted from liability if they are in no way involved with the information transmitted (recital (43)). In addition, the following five conditions must be met in order for a service provider to benefit from the caching exemption (art. 13.1):
- the (service) provider may not modify the information as it would deprive him of the position of the intermediary;
- the provider has to comply with conditions on access to the information;
- the provider must update the information regularly in accordance with the generally recognized rules and practices in this area;
- the provider may not interfere with the lawful use of technology that is used to measure the use of information;
- the provider must remove the cached information immediately upon obtaining actual knowledge that the initial source of the information is removed, access to it has been disabled, or that a court administrative authority has ordered such removal or disablement.
The liability exemption for caching does not affect the power of courts or administrative authorities to issue prohibitory injunctions in accordance with the national legal system (art. 13.2).
[26] Van Eecke P., Truyens M., Legal analysis of a Single Market for the Information Society, New rules for a new age? a study commissioned by the European Commission's Information Society and Media Directorate-General, November 2009. Chapter 6: Liability of Online Intermediaries, p.8.
[27] Article 13.1 to the E-Commerce Directive.
[28] When comparing the caching exemption with the exemption for transient storage under the ‘mere conduit’ rule of art. 12.2, the wording appears to be very similar. The key difference between the caching exemption for transient storage and the exemption for transient storage under the mere conduit provision therefore is the purpose for which the storage is taking place. See Lodder A., ‘Directive 2000/31 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, in Lodder A. and Kasspersen (eds.), eDirectives: Guide to European Union Law on E-commerce – Article by Article Comments, Kluwer Law international, 2002, p. 88.
3. Hosting
Article 14 of the E-Commerce Directive provides the third liability exemption for Internet intermediaries. This provision concerns information society services consisting of the storage of information provided by a recipient of the service at his request. Typically, it concerns webhosting services that provide web space to their users, where users can upload content to be published on a website (e.g. YouTube).[29]
The storage by the ‘hosting’ service providers differs from the storage carried out in the context of mere conduit or caching mainly in terms of the purposes for which the storage takes place. In contrast to mere conduit or caching services, such storage is not merely ‘incidental’ to the provision of the transmission or access services.[30] Storage may be provided for a prolonged period of time, and may also be the primary object of the service.[31] In comparison to mere-conduit and caching services, the level of passivity required from the providers of the hosting service is different.[32] The Court of Justice of the EU specified that in order to enjoy the benefit of the liability exemption, a service provider’s conduct must be neutral. The Court further defined neutrality as a conduct that is ‘technical, automatic and passive, pointing to a lack of knowledge or control of the data which it stores’.[33]
Such service provider shall not be liable for the information stored, on the condition that:
- the provider is not aware of facts or circumstances from which the illegal activity or information is apparent – with regard to civil claims for damages, and he does not have actual knowledge of illegal activity or information – with regard to other claims (art. 14.1.a); or
- the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information (art. 14.1.b).
Interestingly, the Directive introduces different levels of knowledge with regard to criminal and civil liability. For the former, ‘actual knowledge’ is required, while for the latter it is enough to establish ‘constructive knowledge’ of the service provider. It is not entirely clear, however, what the boundary is between these types of knowledge. For example, the interpretations of ‘actual knowledge’ range among the EU countries from knowledge obtained through a court order, to informal notice by a user, which, however, should be sufficiently substantiated.[34] Divergent case law across the EU shows that there is a lack of consistency in the interpretation of these terms and the following requirements for a valid notice.[35]
The exemption of article 14 does not apply when the recipient of the service is acting under the authority or the control of the provider (art. 14.2). For example, if the service provider is acting as an employer or supervisor of the service recipient, it will not qualify for the exemption if the content was introduced pursuant to its instructions.
Similarly, as in the case of the ‘mere-conduit’ and caching services, the liability exemption does not affect the possibility of a court or administrative authority, in accordance with Member States' regulations, requiring the service provider to terminate or prevent an infringement (art. 14.3).
Article 14.3, additionally, creates for Member States the possibility of establishing specific procedures governing the removal or disabling of access to information. The Directive does not provide any details for taking down or blocking access to content from article 14.1.b. In consequence, there are no procedures on how such processes should be handled by service providers, nor safeguards to ensure proportionality or due process of the removal or blocking. Procedural aspects were left entirely to the discretion of the Member States.[36] Some of the EU countries provided a more detailed regulation for the hosting exemption by introducing formal notification procedures (‘Notice-and-Take Down procedures’). Many, however, opted for a verbatim transposition of the Directive, leaving this matter unattended.[37]
[29] Van Eecke P., Truyens M., Legal analysis of a Single Market for the Information Society, New rules for a new age? a study commissioned by the European Commission's Information Society and Media Directorate-General, November 2009. Chapter 6: Liability of Online Intermediaries, p.9.
[30] I. Walden in: Bullesbach A., Poullet Y., Prins C. (eds.), Concise European IT Law, Kluwer Law International Alphen aan den Rijn, 2005, p. 253.
[31] It has been said that this exemption was originally aimed at ISP’s providing space on their Internet servers for third parties’ websites, or bulletin boards or chat room services provided by the ISP itself (where the ISP only provides technical means for the users’ communication without interfering with the content being communicated between the users) (see: S.S. Jakobsen, ‘Mobile Commerce and ISP Liability in the EU’, International Journal of Law and Information Technology 2010, vol. 19 no. 1, p. 44). However, the exemptions provided by the E-Commerce Directive are defined in functional terms (i.e. in terms of the activity being performed), not in terms of the qualification of the actor. While the European legislator arguably only envisioned providers whose services consisted mainly, if not exclusively, in the performance of operations of a strictly technical nature, the scope of the exemption may also be applied to other entities (provided the conditions set forth by art. 14 are met). As a result, the exemption may in principle benefit any type of service provider who stores content at the request of the recipient; including so-called ‘web 2.0’ service providers (see E. Montéro, ‘Les responsabilités liées au web 2.0’, Revue du Droit des Technologies de l’Information 2008, n° 32, 369-373).
[32] Van Eecke P., Truyens M., Legal analysis of a Single Market for the Information Society, New rules for a new age? a study commissioned by the European Commission's Information Society and Media Directorate-General, November 2009. Chapter 6: Liability of Online Intermediaries, p.9.
[33] Court of Justice of the European Union, Joined Cases C-236/08 to C-238/08, 23 March 2010 (Google France and Google v. Louis Vuitton Malletier a.o.), paragraphs 113-114. The European Court of Justice addressed the issue of neutrality of hosting service providers also in the L’Oréal eBay case. The Court ruled that art. 14 of the Directive applies to hosting providers if they don’t play an active role that would allow them to have knowledge or control of the stored data. Court of Justice of the European Union, Case C‑324/09, 12 July 2011 (L’Oréal v. eBay), paragraphs 112 - 116.
[34] European Court of Justice (Grand Chamber), C‑324/09, 12 July 2011, (L’Oréal SA and others).
[35] See for example: BGH, 23/09/2003, VI ZR 335/02; Dutch Supreme Court 25 November 2005, LJN Number AU4019, case number C04/234HR; M. Turner(ed.) & J. Llevat, “The Spanish Supreme Court clarifies the concept of actual knowledge in connection with ISP’s liability”, Comp LSR 2010, volume 26, issue 4, 440-441.
[36] Also in recital 46, the Directive stipulates that the removal or disabling of access should be undertaken in observance of this right and of procedures established for this purpose at national level.
[37] First Report on the Application of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on the Directive on Electronic Commerce, COM(2003) 702 final, Brussels, 21.11.2003.
4. No General Obligation to Monitor
Member States may not impose on providers of services covered by articles 12, 13, and 14 (i.e. mere conduit, caching or hosting) a general obligation to monitor information they transmit or store (art. 15). The same provision states that they cannot introduce a general obligation to actively look for facts or circumstances indicating illegal activity.
An obligation to conduct general monitoring of content, if permitted, would counteract the limited liability paradigm.[38] This is because intermediary service providers actively seeking illegal activities would no longer be neutral and passive in nature. Moreover, general monitoring obligation could lead to censorship and consequently have a negative impact on freedom of expression.[39]
The prohibition towards monitoring obligations refers solely to monitoring of a general nature. It does not concern monitoring obligations in a specific case, nor does it affect orders by national authorities in line with national legislation (Recital (47)).[40] The Directive also allows Member States to require hosting providers to apply duties of care, which can reasonably be expected from them (Recital (48)). Such duties of care, however, should only be introduced to detect and prevent certain types of illegal activities, foreseen by national law.[41] To the confusion of many, the Directive does not specify what exactly such duties of care entail. As a result, the boundary between such duties and general monitoring is not clear. Recital (48), for this reason, can be seen as contradictory to art. 15.[42]
The prohibition of article 15 is addressed to the Member States’ legislators. They are not allowed to introduce regulations that would require providers of the specified services to monitor the information they store or transmit. This does not mean that service providers cannot take up such activities on their own. The prohibition should not be read as a prohibition against service providers monitoring information. Most of the service providers in the EU do perform certain monitoring activities to maintain a ‘civilized’ environment of their service. Voluntary monitoring, however, can prove detrimental. Exercising too much control could compromise the neutral status of the intermediary and, in consequence, deprive them of the safe harbor protection. The EU intermediary regime does not contain a ‘Good Samaritan-like’ clause.[43] There is no provision which explicitly protects intermediaries from liability should their voluntary monitoring prove imperfect. As a result, service providers are careful not to shoot their own foot by being overzealous.
Article 15 (2) defines two additional obligations that Member States may impose upon information society service providers. The first provides Member States the possibility to require service providers to inform authorities about any alleged illegal activities of their users. Such notification would need to be given as soon as the provider becomes aware of the illegal activity. Secondly, Member States may also establish obligations on providers to disclose the identity of users with whom they have storage agreements. Establishing these obligations is not a requirement and is left to the discretion of the Member States.[44]
The regime laid out by the E-Commerce Directive has been in place for over two decades now, without any update or amendment. During this time, a number of issues have been identified with regard to its functions.[45] The review process of the Directive was, therefore, long awaited.
[38] OECD, Directorate for Science, Technology and Industry, Committee for Information, Computer and Communication Policy, The Role of Internet Intermediaries In Advancing Public Policy Objectives, Forging partnerships for advancing public policy objectives for the Internet economy, Part II, 22.06.2011, p. 15.
[39] Ibid. p. 36. See also Council of Europe, Human rights guidelines for Internet Service Providers – Developed by the Council of Europe in co-operation with the European Internet Service Providers Association (EuroISPA), July 2008, p.3, available at: http://www.coe.int/t/dghl/standardsetting/media/Doc/H-Inf(2008)009_en.pdf.
[40] Application of art. 15 differs across the EU in case of injunctions. For example, in Germany a host may still be required to actively monitor his platform for further infringing activity. See more in T. Verbiest, Spindler G, et al., Study on the liability of Internet Intermediaries – General trends in Europe, Markt/2006/09/E, 12.11.2007, p. 85.
[41] Prohibition of the general monitoring obligation was addressed by the Court of Justice of the European Union in two cases, Scarlet v. Sabam and Sabam v. Netlog. Both cases concerned an obligation to install a filtering system in order to prevent sharing of copyright infringing files. Such request was initiated by the Belgian authors’ association (Sabam) with regard to an Internet Service Provider (Scarlet), and to a Belgian social networking site (Netlog). The Court decided, in both cases, that an injunction requiring to install a filtering system for all information which is passing via its services or stored on its servers by its users would constitute a general monitoring obligation if it applies indiscriminately to all of the users; as a preventative measure; exclusively at the provider’s expense; and for an unlimited period, and if it is capable of identifying electronic files containing musical, cinematographic or audio-visual work of which the applicant holds intellectual property rights, with a view to preventing those works from being made available to the public in breach of copyright. Court of Justice of the European Union, C-70/10, 24 November 2011 (Scarlet v. SABAM), and Court of Justice of the European Union, C-360/10, 16 February 2012 (SABAM v. Netlog).
[42] Barceló R. J. and Koelman, K., ‘Intermediary Liability In The E-Commerce Directive: So Far So Good, But It's Not Enough’, Computer Law & Security Report 2000, vol. 4, pp. 231-239, p. 232.
[43] Such as, for example the one offered by the US CDA, Section 230 (c)(2).
[44] The possibility of introducing an obligation to disclose the identity of recipients was questioned in the Promusicae case (CJEU, C 275/06, 29 January 2008, Promusicae v. Telefonica de Espana). The request for preliminary ruling concerned questions whether Member States were required to introduce such an obligation in order to effectively protect copyrights. Moreover, a question was asked whether such obligation could pose a risk of infringement of a right to respect for private life of the users. The Court ruled that the Member States are not required to lay down an obligation to communicate personal data in order to ensure effective protection of copyright. Moreover, the Court stated that when transposing directives into national legal system a fair balance needs to be struck between the various fundamental rights protected by the Community legal order. In this case, the rights to protection of property, including intellectual property and the right to effective remedy with the right to protection of personal data, hence to private life. No guidelines how to struck such balance were provided by the Court. See more: F. Coudert, E. Werkers, In The Aftermath of the Promusicae Case: How to Strike the Balance?, Int. Jnl. of Law and Info. Technology, 2010, Volume 18, Issue 1, Pp. 50-71.
[45] T. Verbiest, Spindler G, et al., Study on the liability of Internet Intermediaries – General trends in Europe, Markt/2006/09/E, 12.11.2007, p.15; OECD, The Economic and Social Role of Internet Intermediaries, April 2010, p. 20; Barceló R. J. and Koelman, K., ‘Intermediary Liability In The E-Commerce Directive: So Far So Good, But It's Not Enough’, Computer Law & Security Report 2000, vol. 4, p. 231; Commission Communication to the European Parliament, The Council, The Economic and Social Committee and The Committee of Regions, A coherent framework for building trust in the Digital Single Market for e-commerce and online services {SEC(2011) 1640 final} http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2011:0942:FIN:EN:PDF, p. 41.
III. Review of the E-Commerce Directive[46]
Despite the repeated criticism, the European Commission only started the process of reviewing the E-Commerce Directive in 2010.[47] The goal was to establish whether a revision was required. Following a stakeholder consultation, the European Commission released a report documenting the most often expressed complaints of the Directive in general, and the intermediary liability regime in particular.[48] The bulk of the latter concerned fragmentation and legal uncertainty.[49] Additionally, some specific problems regarding the hosting regime were described. A more thorough analysis of the identified issues was conducted in the Commission Staff Working Document on Online services.[50]
[46] This section is based on a manuscript: A. Kuczerawy, Intermediary Liability & Freedom of expression: Recent developments in the EU Notice & Action Initiative, submitted to CLSR, publication pending.
[47] Public consultation on the future of electronic commerce in the internal market and the implementation of the Directive on electronic commerce (2000/31/EC), http://ec.europa.eu/internal_market/consultations/2010/e-commerce_en.htm.
[48] Summary of the results of the Public Consultation on the future of electronic commerce in the Internal Market and the implementation of the Directive on electronic commerce (2000/31/EC), available at: http://ec.europa.eu/internal_market/consultations/docs/2010/e-commerce/summary_report_en.pdf.
[49] Ibid., p. 10 – 15.
[50] Commission Staff Working Document Online services, including e-commerce, in the Single Market, Brussels, 11.1.2012 SEC(2011) 1641 final.
http://ec.europa.eu/internal_market/e-commerce/docs/communication2012/SEC2011_1641_en.pdf.
A. Criticism
The Commission Staff Working Document on Online Services expands on the problematic issues identified during the 2010 consultation. It mainly focused on the still pending questions with regard to legal uncertainty and fragmentation. Attention was also given to the specific issues of the hosting regime and the notice-and-takedown mechanism.
1. Legal Fragmentation
Legal fragmentation constitutes one of the greatest obstacles for the development of e-commerce in the EU. Despite the guarantees offered by the Directive, Internet intermediaries struggle with the fragmentation of rules that apply once they are aware of illegal content or activity on their websites.[51] It has been observed that the costs and risks arising from the coexistence of 28 national legal systems constrain innovation.[52] This factor discourages potential new players in the market and hampers development of online business.[53]
[51] Commission Communication to the European Parliament, The Council, The Economic and Social Committee and The Committee of Regions, A coherent framework for building trust in the Digital Single Market for e-commerce and online services {SEC(2011) 1640 final} http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2011:0942:FIN:EN:PDF, p. 14.
[52] Ibid. p. 6.
[53] Ibid. p. 14.
2. Legal Uncertainty
The most common criticism of the Directive refers to the unclear scope of the definitions of intermediaries.[54] As a result, it is often problematic to establish whether some services can benefit from the safe harbors offered by the ECD. This is particularly the case with ‘new’ types of services (e.g. video-sharing sites or social networking sites). Other criticisms mention the unclear position of search engines in the E-Commerce Directive. Opinions on the qualifications of this type of service differ across the EU.[55] Further, respondents to the consultation complained about the unclear conditions for exoneration.[56] Terms such as “expeditiously” or “actual knowledge” are defined in a way that leads to different interpretations in various countries by different stakeholders.[57] This makes the functioning of the internal EU market problematic for the providers of the online cross-border services, as well as for their users.
[54] Commission Staff Working Document Online services, including e-commerce, in the Single Market, Brussels, 11.1.2012 SEC(2011) 1641 final, p. 32 -39.
[55] Ibid., p. 26.
[56] Ibid., p. 43.
[57] Ibid., p. 32 -39.
3. Notice and Takedown
Another issue is a lack of uniform rules implementing liability exemption procedures, such as a notice-and-takedown system, across the EU.[58] This is considered to be one of the major obstacles for intermediary service providers, as well as for victims of illegal content, to exercising their rights.[59] As mentioned above, the Directive left establishing specific procedures governing the removal or disabling of access to information to the discretion of the Member States. This possibility is delineated in art. 14.3, while art. 16 (and recital (40)) encourages self-regulation in this aspect. This however proved to be inefficient – only some countries introduced formal takedown procedures. [60] The procedures that were introduced are not harmonized with each other.[61] This leads to significant costs for all stakeholders in terms of both human and financial resources.[62]
The differences between the existing procedures can be quite substantial. Only a few countries foresaw any defense mechanism for the content provider (‘counter-notice’).[63] Very often a user has no means of defending what is a rightful use of the content. Moreover, the user might not even be aware that a third party objected to the use of the content, and which was, as a consequence, removed from the website in question. In most EU countries there is no requirement for hosting providers to inform content providers of any actions taken against their content.[64] These aspects of notice-and-take-down have been criticized on numerous occasions.[65]
These examples point out another weakness of the European intermediary liability regime. The E-Commerce Directive currently lacks any firm safeguards that would ensure the proper balance of the fundamental rights at stake.[66] No guidelines were advanced with regard to the implementation of takedown mechanisms implied in art. 14. Most EU countries did not foresee any procedural safeguards to ensure compatibility of notice-and-take-down regimes with the fundamental rights to freedom of expression, right to conduct business, due process, as well as the principle of proportionality.[67]
Hosting service providers can benefit from the liability exemption only if they ‘act expeditiously’ to remove or disable access to content upon obtaining notification about its illegal character. The decision to remove or disable has to be swift in order to exonerate the service provider from the potential liability. This often leads to ‘over-compliance’ with takedown requests. Specifically, it has been argued that this provision creates ‘an incentive to systematically take down material, without hearing from the party whose material is removed’.[68] This is because any thorough assessment of the illicit character of content is not in the interest of the service provider. Moreover, the current legal situation is described as an “inappropriate transfer of juridical authority to the private sector”.[69] These two factors may lead to private or corporate censorship.[70] Concern about a possible ‘chilling effect’ on freedom of expression in this process was expressed by a number of organizations, including the Council of Europe.[71] The ongoing review of the Directive is aimed at tackling all identified issues, but it has proved to be very challenging.
[58] Ibid., p. 39 – 47.
[59] Ibid., p. 24 – 26.
[60] Van Eecke P., Truyens M., Legal analysis of a Single Market for the Information Society, New rules for a new age? a study commissioned by the European Commission's Information Society and Media Directorate-General, November 2009. Chapter 6: Liability of Online Intermediaries, p. 19.
[61] See more in the First Report on the Application of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on Certain Legal Aspects of Information Society Services, in Particular Electronic Commerce, in the Internal Market, at 13, COM (03) 0702, (November 21, 2003), available at: http://ec.europa.eu/internal_market/e-commerce/directive/index_en.htm#maincontentSec3.
[62] Summary of the results of the Public Consultation on the future of electronic commerce in the Internal Market and the implementation of the Directive on electronic commerce (2000/31/EC), p. 11.
[63] In particular Finland, Hungary, Lithuania, Spain and UK. See more in: First Report on the Application of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on the Directive on Electronic Commerce, COM(2003) 702 final, Brussels, 21.11.2003.
[64] T. Verbiest, Spindler G, et al., Study on the liability of Internet Intermediaries – General trends in Europe, Markt/2006/09/E, 12.11.2007.
[65] Commission Staff Working Document Online services, including e-commerce, in the Single Market, Brussels, 11.1.2012 SEC(2011) 1641 final, p. 45; Summary of the results of the Public Consultation on the future of electronic commerce in the Internal Market and the implementation of the Directive on electronic commerce (2000/31/EC), p. 12,available at: http://ec.europa.eu/internal_market/consultations/docs/2010/e-commerce/summary_report_en.pdf
[66] Commission Staff Working Document Online services, including e-commerce, in the Single Market, Brussels, 11.1.2012 SEC(2011) 1641 final, p. 43 - 47.
[67] Horten M., The Copyright Enforcement Enigma – Internet Politics and the ‘Telecoms Package’, Palgrave Macmillan, 22 Nov 2011, p. 48-50;, T. Verbiest, Spindler G, et al., Study on the liability of Internet Intermediaries – General trends in Europe, Markt/2006/09/E, 12.11.2007.
[68] Barceló R. J. and Koelman, K., ‘Intermediary Liability In The E-Commerce Directive: So Far So Good, But It's Not Enough’, Computer Law & Security Report 2000, vol. 4, p. 231.
[69] Summary of the results of the Public Consultation on the future of electronic commerce in the Internal Market and the implementation of the Directive on electronic commerce (2000/31/EC), p. 12.
[70] Barceló R. J., On-line intermediary liability issues: comparing EU and US legal frameworks, E.I.P.R. 2000, 111; The Organization for Security and Co-Operation in Europe and Reporters Sans Frontiers, Joint declaration on guaranteeing media freedom on the Internet, 17-18.06.2005, available at: http://www.osce.org/fom/15657.
[71] Council of Europe (Council of Ministers), Declaration on freedom of communications on the Internet, 28.05.2003, available at: http://www.coe.int/t/informationsociety/documents/Freedom%20of%20communication%20on%20the%20Internet_en.pdf; Council of Europe, Human rights guidelines for Internet Service Providers – Developed by the Council of Europe in co-operation with the European Internet Service Providers Association (EuroISPA), July 2008, available at: http://www.coe.int/t/dghl/standardsetting/media/Doc/H-Inf(2008)009_en.pdf, paras 16 and 24; T. Verbiest, Spindler G, et al., Study on the liability of Internet Intermediaries – General trends in Europe, Markt/2006/09/E, 12.11.2007, p.15; OECD, The Economic and Social Role of Internet Intermediaries, April 2010, pp. 9-14.*
B. Notice & Action Initiative
The 2010 consultation revealed that the majority of respondents did not see the need for a revision of the Directive at that stage. Many of them, however, expressed the need to clarify certain aspects of the Directive, particularly with regard to intermediaries’ liability for third party content.
The European Commission also concluded that procedures aimed at eliminating illegal online content should lead to a quicker takedown, but at the same time should better respect fundamental rights (in particular freedom of expression) and should increase legal certainty for online intermediaries.[72] Based on these findings, the Commission decided to focus specifically on these aspects and direct its efforts to developing a new European framework for combating illicit online content.[73]
In January 2012, the European Commission announced a new initiative on ‘Notice-and-Action’ procedures.[74] The goal of this initiative is to set up a horizontal European framework for notice-and-action procedures, to combat illegality on the Internet, and to ensure the transparency, effectiveness, and proportionality of N&A procedures, as well as compliance with fundamental rights.[75] In order to combat illicit content more effectively, the Commission also announced a parallel revision of the Directive on the enforcement of intellectual property rights.[76]
Following this announcement, the EC launched a new public consultation, this time dedicated entirely to N&A procedures.[77] In response, the EC received a great number of contributions from a wide range of stakeholders. They included businesses and business associations representing different types of intermediaries, as well as public authorities, lawyers, individual citizens, and members of the copyright industry and civil society. So far, the EC has not provided a formal response to the consultation and its results, even though a response was expected in 2013. As briefly summarized in the 2013 Action Plan, ‘the Commission services are working on an impact assessment of the notice-and-action procedures’.[78]
According to Brussels insiders, the works are actually more intense that the official sources suggest. After the 2012 consultation, the EC was preparing a proposal for a new Notice-and-Action Directive. Such a Directive would address the problem of Internet intermediaries’ uncertainty without the need to amend the whole E-Commerce Directive. The proposal, however, has not yet officially surfaced.[79] It seems however that the works have currently slowed down. Several commentators suggested that, in the light of the 2014 European elections, the proposal was (at least temporarily) withdrawn due to a heavy industry lobbying effort and general sensitivity to the issue.[80] There are indications that the topic has not been abandoned and it will return onto the EU policy agenda after the 2014 European elections.[81]
[72] European Commission on Notice and Action Procedures, http://ec.europa.eu/internal_market/e-commerce/notice-and-action/index_en.htm.
[73] Commission Communication to the European Parliament A coherent framework for building trust in the Digital Single Market for e-commerce and online services {SEC(2011) 1640 final}.
[74] The main difference with Notice-and-Take Down is that in Notice-and-Action a broader range of actions against the content can be taken, providing a possibility for a tailored response (e.g. ‘notice-and-notice’ or ‘notice-and-stay down’); ‘The notice and action procedures are those followed by the intermediary Internet providers for the purpose of combating illegal content upon receipt of notification. The intermediary may, for example, take down illegal content, block it, or request that it be voluntarily taken down by the persons who posted it online’. Commission Communication to the European Parliament, The Council, The Economic and Social Committee and The Committee of Regions, A coherent framework for building trust in the Digital Single Market for e-commerce and online services {SEC(2011) 1640 final}, p. 13, ft. 49, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2011:0942:FIN:EN:PDF.
[75] Ibid., p.14.
[76] Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of
intellectual property rights. OJ L 195, 2.6.2004. Commission Communication to the European Parliament A coherent framework for building trust in the Digital Single Market for e-commerce and online services {SEC(2011) 1640 final}, p. 15. See more on the Directive on the enforcement of intellectual property rights: http://ec.europa.eu/internal_market/iprenforcement/directive/index_en.htm; Action Plan on the enforcement of Intellectual Property Rights: http://ec.europa.eu/internal_market/iprenforcement/action-plan/index_en.htm#140701.
[77] A clean and open Internet: Public consultation on procedures for notifying and acting on illegal content hosted by online intermediaries, http://ec.europa.eu/internal_market/consultations/2012/clean-and-open-Internet_en.htm.
[78] Commission Staff Working Document E-commerce Action plan 2012-2015 - State of play 2013, Brussels, 23.4.2013 SWD(2013) 153 final, p. 19, available at: http://ec.europa.eu/internal_market/e-commerce/docs/communications/130423_report-ecommerce-action-plan_en.pdf.
[79] See: Open Letter to Commissioner Barnier, https://ameliaandersdotter.eu/sites/default/files/letter_commissioner_barnier_notice_and_takedown.pdf.
[80] Monica Horten, 2013, Notice and action directive to be blocked as EU backs down, 28 July 2013. Available at: http://www.iptegrity.com/index.php/ipred/893-notice-and-action-directive-to-be-blocked-as-eu-backs-down.
[81] Recently, Commissioner Barnier indicated that the works on the N&A initiative shall continue when speaking to the European Parliament. See more at: Monica Horten, 2014, Notice of Action! Barnier to resurrect take-down directive, in Iptegrity.com 6 February 2014. Available at: http://www.iptegrity.com/index.php/ipred/945-notice-of-action-eu-commission-to-revive-take-down-directive;
IV. Situation of search engines
A. Relevance of Search Engines / Information Location Tool Services
Search engines are a type of selection intermediary, also called information location tool services or referencing services. Their role is to map, order, select, validate, and valuate online information. By doing this, they can help users to navigate the Web with its abundance of information. By providing a way to overcome ‘information overload’, search engines guarantee the free flow of information and deliver a crucial service to the society. It could be said that by providing access to information and diverse opinions they participate in ensuring freedom of expression, as delineated in art. 10 of the European Convention of Human Rights.[82]
Information location tool services, or search engines, are covered by the definition of the Information Society Service from the E-Commerce Directive. In Recital 18 it is stated that: ‘[I]nformation society services are not solely restricted to services giving rise to online contracting but also, in so far as they represent an economic activity, extend to services which are not remunerated by those who receive them, such as those offering on-line information or commercial communications, or those providing tools allowing for search, access and retrieval of data…’.[83]
However, this type of service is not covered by any of the three definitions of the services described in Section 4 of the E-Commerce Directive. They are, strictly speaking, neither a mere-conduit service, nor caching or hosting service. This would mean that the intermediary liability regime of art. 12-15 ECD does not cover, at least nominally, search engines (or hyperlinks). The Directive, therefore, leaves this issue unattended.[84] Only in the Final Provisions of the Directive is the problem mentioned, as it appears on the list of topics that should be analyzed in future, during the re-examination of the document. In Article 21 the Directive specifies that: ‘In examining the need for an adaptation of this Directive, the report shall in particular analyze the need for proposals concerning the liability of providers of hyperlinks and location tool services…’.[85]
This means that, until now, the E-Commerce Directive had not specifically addressed the legal situation of search engines with regard to liability for third party content. As can be seen in numerous examples of cases at both the national and the EU level, this approach creates a certain amount of confusion.[86]
Some of the most active search engines in Europe try to deal with this obstacle (at least partially) through different, and possibly combined, strategies. In some cases, search engine providers look for a solution by providing localized versions of their services.[87] This practice is especially common in case of highly sensitive content, such as Nazi glorification – prohibited by some European countries. In the majority of the cases, non-European search engines design their policies in accordance with the national laws of their countries of origin. Given the fact that most of them are based in the US, this has led to a de facto application of the US regime, especially with regard to copyright infringements (cfr. Section 230, DMCA).[88] As a result, the search engines governance debate in Europe is strongly influenced by the US approach (which also became clear in the Google Spain Case).[89]
[82] Council of Europe, Convention for the Protection of Human Rights and Fundamental Freedoms, CETS No. 005, 04.11.1950, Rome, retrieved from http://conventions.coe.int/Treaty/en/Treaties/Html/005.htm. See also Recommendation CM/Rec(2012)3 of the Committee of Ministers to member States on the protection of human rights with regard to search engines, (Adopted by the Committee of Ministers on 4 April 2012 at the 1139th meeting of the Ministers’ Deputies).
[83] Directive 2000/31, Recital (18).
[84] Van Eecke P., Truyens M., Legal analysis of a Single Market for the Information Society, New rules for a new age? a study commissioned by the European Commission's Information Society and Media Directorate-General, November 2009. Chapter 6: Liability of Online Intermediaries, p. 25.
[85] Directive 2000/31/EC, art. 21(2).
[86] Spain: Miguel v. Google Inc., Spanish Supreme Court [STS (Civil Chamber) of 4 March 2013 no. 144/2013]; Spanish Supreme Court, Civil Chamber, ruling of 9 December 2009, no. 773/2009; Spanish Supreme Court, Civil Chamber, ruling of 4 March 2013 no. 144/2013; UK: R v Rock and Overton, Crown Court, Gloucester, 06.02.2010, ref. no. T20097013; Belgium, Brussels Court of First Instance, 15.02.2007, ref. no. 7964; Germany: Deutscher Bundesgerichtshof (BGH), 29.04.2010, ref. no. I ZR 69/08;
[87] W. Seltzer, “The Politics of Internet Control and Delegated Censorship”, American Society of International Law, April 10, 2008, p. 3, accessible at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1496056.
[88] The most popular search engines like Google, Bing and Yahoo! are US based companies. For Google’s policy see the Transparency Report FAQ: "It is our policy to respond to clear and specific notices of alleged copyright infringement. The form of notice we specify in our web form is consistent with the DMCA and provides a simple and efficient mechanism for copyright owners from countries around the world." http://www.google.com/transparencyreport/removals/copyright/faq/#other_copyright_laws.
[89] J. Van Hoboken, Search engine freedom. On the implications of the right to freedom of expression for the legal governance of Web search engines, Academisch Proefschrift ter verkrijging van de graad van doctor aan de Universiteit van Amsterdam, defended on 23 March 2012, p. 70.
B. Search Engines Regulation Across the EU
The E-Commerce Directive declined to address the situation of search engines with regard to third party’s content. This issue was left entirely to the discretion of the Member States. Some countries have taken advantage of this opportunity, according to the EC’s first report on the application of the E-Commerce Directive.[90] The result is a variety of approaches across the EU.
Some countries extended the legislation transposing the E-Commerce Directive in order to cover search engines (and hyperlinks). This result was achieved mostly by adding an additional provision that targets these types of services. Among those Member States, two trends arise.
In Austria and Liechtenstein, for example, search engine services were classified as providers of ‘access services’. As a result, they were provided with a liability exemption similar to that of the providers of mere conduit services. The argument behind this classification was that ‘search engines generally do not edit the content they show in the results, are not the source of the information they link to, and are not in the position to remove it from the Web’.[91]
Other Member States, such as Hungary[92], Portugal,[93] and Spain[94] have opted for the hosting model for both search engines and hyperlinks. This means that providers of these services are exempted from liability if they do not have knowledge of the illegal nature of the information they are linking to. They must also act expeditiously in case they obtain such knowledge, for example upon a notification from an individual, administrative body or a court.
The third group of the EU countries left this issue unregulated, choosing instead to apply the general rules of existing law. The best example here is the U.K., which is waiting for the European Commission to deal with this issue.[95] A similar situation can be found in Germany and the Netherlands, where the general rules of law, particularly tort law, are applied.[96] Very often, this results in complex rulings of the respective courts on the subject matter.[97]
The situation of search engines with regard to third party content is therefore far from harmonized at the EU level. The level of complexity of the underlying issues and the varying national approaches create a situation of legal uncertainty that is problematic for the providers of these services. This can be illustrated with the variety of decisions of different European courts with regard to the legal situation of the biggest player on the European search market: Google.[98]
This climate of legal uncertainty and fragmentation could also pose considerable difficulties for new, smaller market players that very often cannot afford elaborate legal services to determine the liabilities of their particular business models.[99] This could be considered an obstacle to entering the field and, as a result, could hamper innovation and competition in the European market.[100] It has already been observed that the major multinational selection intermediaries tend to choose compliance with the US law, which provides them with liability exemptions necessary to ensure their lawful operation.[101] Applicability of the EU legislation to the US based services, including search engines, has been debated extensively over the last few years.[102] This issue has been addressed in a recent high-profile case at the CJEU Google Spain, which will be presented below.
[90] First Report on the Application of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on Certain Legal Aspects of Information Society Services, in Particular Electronic Commerce, in the Internal Market, at 13, COM (03) 0702, (November 21, 2003), available at: http://www.europarl.europa.eu/registre/docs_autres_institutions/commission_europeenne/com/2003/0702/COM_COM(2003)0702_EN.pdf.
[91] See footnote 30 in: Van Hoboken J., Legal Space for Innovative Ordering: on the need to update selection intermediary liability in the EU, International Journal of Communications Law & Policy, Issue 13, Winter 2009.
[92] See 2001. évi CVIII Törvény az elektronikus kereskedelmi szolgáltatások, valamint az információs társadalommal összefüggő szolgáltatások egyes kérdéseiről [Act CVIII of 2001 on Electronic Commercial Services and Certain Legal Aspects of Information Society Services] (promulgated 24 Dec., 2001), MAGYAR KÖZLÖNY [HUNGARIAN GAZETTE] 2001/153, translated in http://www.nhh.hu/dokumentum.php?cid=11961.
[93] See Decreto- Lei n.º 7/2004, de 7 de Janeiro, que transpõe para a ordem jurídica nacional a Directiva n.º 2000/31/CE, do Parlamento Europeu e do Conselho, de 8 de Junho, relativa a certos aspectos legais dos serviços da sociedade de informação, em especial do comércio electrónico, no mercado interno; Decreto-Lei 62/2009; Official Journal: Diaro da Republica I, number: 48, Publication date: 10/03/2009, p. 01602-01602 (MNE(2009)51108) http://www.cnpd.pt/bin/legis/nacional/DL62-2009-SPAM.pdf.
[94] See art. 17 of Law 34/2002 on Information Society Services and Electronic Commerce (Ley 34/2002 de Servicios de la Sociedad de la Información y de Comercio Electronicó) of 12 July 2002 (B.O.E. 2002, 166). For a short a discussion see R. Julia- Barceló, ‘Spanish Implementation of the E-Commerce Directive. Main features of the Implementation of the Ecommerce directive in Spain’, Computer und Recht International 2002, p. 112. See also Spanish Data Protection Agency (AEPD), Statement on Internet Search Engines, p. 2 et seq., available at: http://www.europarl.europa.eu/meetdocs/2004_2009/documents/dv/statement_aepd_search_engines_/Statement_AEPD_Search_Engines_en.pdf.
[95] DTI Consultation Document on the Electronic Commerce Directive: The Liability of Hyperlinkers, Location Tool Services and Content Aggregators - Government Response and Summary of Responses 6 (December 2006), available at http://www.berr.gov.uk/files/file35905.pdf.
[96] See Sieber U., Liesching M., Die Verantwortlichkeit der Suchmaschinenbetreiber nach dem Telemediengesetz [The Liability of Search Engine Operators after the Telemedia Act], MULTIMEDIA UND RECHT [MMR], Issue 8/2007; Peter Ruess, ‘Just Google it?’ – Neuigkeiten und Gedanken zur Haftung der Suchmaschinenanbieter für Markenverletzungen in Deutschland und den USA [‘Just Google it?’ – Novelties and Thoughts on the Liability of Search Engine Operators for Trademark Infringement in Germany and the USA], 2007 GEWERBLICHER RECHTSSCHUTZ UND URHEBERRECHT 198 – 203.
[97] Germany: Bundesgerichtshof [BGH][Federal Court of Justice] Jul 17, 2003, I ZR 259/00; Oberlandesgericht [OLG] Hamburg [Court of Appeals Hamburg], February 20, 2007, AZ. 7 U 126/06; Landesgericht [LG] Berlin [Trial Court Berlin], February 22, 2005, AZ 27 O 45/05; Netherlands: Hof Amsterdam, 15 June 2006, Stichting BREIN vs. Techno Design Internet Programming BV, case LJ number AX7579‘.
[98] E.g. European Court of Justice, Joined Cases C-236/08 to C-238/08, 23 March 2010 (Google France and Google v. Louis Vuitton Malletier a.o.); Court of Appeal, Case no. 08/13423, 26 January 2011 (Socie´te´ des Auteurs des Arts visuels et de l’Image fixe (SAIF) v Google France/Google inc.); The Court of Appeal of Brussels, Case no. 2007/AR/1730, 5 May 2011 (Copiepresse v. Google); Court of Milan, Case no. 1972/2010, 24 February 2010.
[99] Van Hoboken J., Legal Space for Innovative Ordering: on the need to update selection intermediary liability in the EU, International Journal of Communications Law & Policy, Issue 13, Winter 2009.
[100] Ibid.
[101] J. Grimmelmann, The Structure of Search Engine Law, 93 IOWA L. REV. 1 (2007); U. Gasser, Regulating Search Engines: Taking Stock and Looking Ahead, 8 YALE J. L. & TECH. 124 (2006).
[102] Article 29 Data Protection Working Party, ‘Opinion 8/2010 on applicable law’, WP 179, 16 December 2010, available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp179_en.pdf; L. Moerel, ‘The long arm of EU data protection law: Does the Data Protection Directive apply to processing of personal data of EU citizens by websites worldwide?’, International Data Privacy Law 2011, Vol. 1, No. 1, p. 34-35; C. Kuner, F.H. Cate, C. Millard and D.J.B. Svantesson, ‘The extraterritoriality of data privacy laws – an explosive issue yet to detonate’, International Data Privacy Law 2013, Vol. 3, No. 3, p. 147-148; A. Kuczerawy, Facebook and its EU users - applicability of the EU data protection law to US based SNS, in M. Bezzi et al. (Eds.): Privacy and Identity, IFIP AICT 320, 2010, pp. 75–85.
V. Google Spain case
The so-called Google Spain Case (recently before the Court of Justice of the European Union (C-131/12)) constitutes an excellent example of the issues mentioned in the previous pages.[103] The case raises crucial questions lying at the intersection of the legal regimes concerning intermediary liability, freedom of expression, privacy, and data protection.[104] Interestingly enough, the Court’s decision hinged entirely upon the European data protection framework. In other words, the Court barely mentioned the right to freedom of expression and made no reference whatsoever to intermediary liability exemptions.[105]
The following section will give a brief overview of the main issues in this case when looked at from an intermediary liability angle. But before that, we briefly recall the main facts of the case.
[103] Court of Justice of the European Union, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, C-131/12, 13 May 2014.
[104] For an elaborate discussion on all theses issues, see: Alsenoy, Van, Brendan, Aleksandra Kuczerawy, and Jef Ausloos. Search Engines after “Google Spain”: Internet@Liberty or Privacy@Peril?. ICRI Research Paper. Leuven, Belgium: ICRI, September 6, 2013. http://papers.ssrn.com/abstract=2321494.
[105] This is in sharp contrast to the Advocate General’s Opinion of June 2013. REFERENCE
A. The Ruling[106]
1. Facts
In the late 1990’s a Spanish citizen was subjected to insolvency proceedings, which in turn resulted in a public auction of some of his property. Information about this public auction was published in a local newspaper (LaVanguardia), in accordance with an order issued by the Spanish Ministry of Labour and Social Affairs.[107] By 1998, all debts were successfully settled.
In 2009, the Spanish citizen discovered references to the above-mentioned LaVanguardia article when entering his name into Google’s search engine. Disturbed, he asked the newspaper to remove the content in question. This request was denied, as the newspaper had a legal obligation to publish this information. Unsuccessful vis-à-vis the newspaper itself, the individual then requested Google’s Spanish subsidiary (hereafter: ‘Google Es.’) to stop including this article in search results when someone enters his name as a search term.[108] Google Es. referred this request to Google Inc., arguing that this is the entity responsible for the development of search results.
In March of 2010, the individual asked the Spanish Data Protection Authority (Agencia Española de Protección de Datos, AEPD) to issue an administrative decision which would (a) order LaVanguardia to eliminate or modify the publication so his personal data would no longer appear in search results; and (b) order Google to stop referring to the contentious publication in its search results.[109] In July of the same year, the AEPD ordered Google Es. and Google Inc. to take ‘all reasonable steps to remove the disputed personal data from its index and preclude further access.’[110] The request against La Vanguardia was denied, because – according to the AEPD – the newspaper still had a legitimate reason to process the data at issue.[111] One year later, Google launched an appeal against the AEPD’s decision before the Spanish National Court (Audiencia Nacional) in Madrid. In March 2012, this court referred the case to the Court of Justice of the European Union (CJEU) for a preliminary ruling.[112]
[106] This section is largely based on a similar section in another paper the authors co-wrote: Van Alsenoy, Brendan, Aleksandra Kuczerawy, and Jef Ausloos. Search Engines after “Google Spain”: Internet@Liberty or Privacy@Peril? ICRI Research Paper. Leuven, Belgium: ICRI, September 6, 2013. http://papers.ssrn.com/abstract=2321494, 6.
[107] Audiencia Nacional. Sala de lo Contencioso, Google Spain SL y Google Inc., S.L. c. Agencia de Protección de Datos, paragraph 1.2, available at http://www.poderjudicial.es/search/doAction?action=contentpdf&databasematch=AN&reference=6292979&links=%22725/2010%22&optimize=20120305&publicinterface=true
[108] Ibid, paragraph 1.3.
[109] Ibid, paragraph 2.1.
[110] Ibid, paragraph 2.3.
[111] i.e. order issued by the Spanish Ministry of Labour and Social Affairs Ibid, paragraph 6.2.
[112] At the risk of generalizing too much, the request for a preliminary ruling contained two categories of questions: (a) the scope of application of European data protection law; and (b) the existence of a right to be forgotten/erasure vis-à-vis search engines directly.
2. Decision
The Court of Justice issued its ruling on May 13th 2014. To the surprise of many, the decision entirely countered the Advocate General’s Opinion of June 2013.[113] Put briefly, the Court decided that Google – and ‘search engine operators’ more broadly – do fall within the scope of application of European data protection law. After all, the Court declared, by (autonomously) retrieving, recording, and organizing personal data from third party websites, search engines can be considered ‘data controllers’ within the meaning of the data protection directive (95/46).[114] The Court also resolutely decided that Google falls within the Directive’s territorial scope of application.[115] Following this first category of questions (regarding the scope of application of European data protection law), the Court dealt with the more controversial questions regarding the so-called ‘Right to be Forgotten’. In short, it decided that data subjects can indeed ask search engines to remove a reference to a webpage when their name is used as a search term.[116] The lawfulness of the source material is not a condition,[117] nor does the data subject have to prove harm.[118] The Court did specify, however, that the right to erasure is not absolute, and a balance of rights and interests needs to be made.[119] These rights and interests include, on the one hand, the economic interests of the search engine operator, as well as the legitimate interests of Internet users in accessing information and, on the other hand, data subject’s rights. According to the Court of Justice, the search engine’s economic interests alone cannot be a justification to interfere with the data subject’s rights. With regard to the balancing of fundamental rights and interests of Internet users versus those of the data subject, the Court did state that the latter override all others by default.[120] In other words, the burden of proof seems to be on the search engine to establish that the interests/rights of its users weigh more than those of the data subject. The Court did provide some guidance on what criteria might influence the balancing exercise in casu: nature or sensitivity of the information; public interest; role of data subject in public life; time elapsed; etc.[121] In any situation, it is important to emphasize that the data subject will still have to fulfill the conditions for exercising his/her right to object/erase[122] and the search engine is only subject to data protection rules ‘within the framework of its responsibilities, powers, and capabilities’.[123]
[113] In this non-binding, advisory document to the Court, the Advocate General argued that search engines do not fall within the scope of application of the data protection framework with regard to the content they refer to. Moreover, he claimed that the current EU data protection directive does not provide for a general ‘right to be forgotten’ vis-a-vis search engines. Opinion of Advocate General Jääskinen, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD) Mario Costeja González, Case C‑131/12, 25 June 2013, in particular paras. 100; 108.
[114] For the Court’s reasoning, see Ruling paras. 21-32 on the Material Scope Determination (‘processing’ and ‘personal data’) and paras.32-41 on the Personal Scope Determination (‘data controller’). For a detailed academic analysis, see: Alsenoy, Van, Brendan, Aleksandra Kuczerawy, and Jef Ausloos. Search Engines after “Google Spain”: Internet@Liberty or Privacy@Peril? ICRI Research Paper. Leuven, Belgium: ICRI, September 6, 2013. http://papers.ssrn.com/abstract=2321494, 9-19.
[115] See Paras.42-60 of the Ruling.
From a practical perspective, this means non-EU intermediaries (or Internet service providers more broadly) will not be able to escape the territorial reach of the data protection framework when they are processing EU citizens’ personal data and have an establishment in the Union.
Following the ruling, Google has clarified that it will only comply with potential erasure requests when the search queries originate in the EU. Put differently, the takedowns will not be implemented globally (see: Sam Schechner, “Google Starts Removing Search Results under Europe’s ‘Right to Be Forgotten,’” Wall Street Journal, June 26, 2014, sec. Technology, http://online.wsj.com/articles/google-starts-removing-search-results-under-europes-right-to-be-forgotten-1403774023. This article also explains at least one regulator has expressed displeasure in this regard). Whether or not Member-States will deem this an appropriate reaction still has to be seen.
[116] Such a right would be based on the rights to object (14) and to erasure (12(b)) in the Data Protection Directive.
[117] Paragraph 88; 93-94.
[118] Paragraph 96; 99.
[119] Paragraphs 74 et seq.
[120] Paragraph 81; 97.
[121] Paragraph 81; 93.
[122] In order to exercise one’s right to object, the data subject will have to put forward ‘compelling legitimate grounds relating to his/her particular situation to the processing of data relating to him/her’ (article 14 Directive 95/46). The right to erasure can be exercised when the processing in question ‘does not comply with the provisions of [the] Directive, in particular because of the incomplete or inaccurate nature of the data’ (article 12(b)).
[123] Paragraph 83.*
B. Particularities
Even though entirely ruled under the data protection framework, the Google Spain (or ‘Right to be Forgotten’) case[124] bears a lot of resemblance to the notice-and-takedown procedures that people are more familiar with under the intermediary liability regime (supra). After all, an individual – with certain rights vis-à-vis the information – demands an entity that is not at the source of the information, to remove it. Nevertheless, there are some important questions that distinguish this particular case from traditional N&T procedures.
[124] For a comprehensive overview of the possibility to request the removal of (links to) personal data by search engines, see: Van Alsenoy , Brendan, Aleksandra Kuczerawy, and Jef Ausloos. Search Engines after “Google Spain”: Internet@Liberty or Privacy@Peril? ICRI Research Paper. Leuven, Belgium: ICRI, September 6, 2013. http://papers.ssrn.com/abstract=2321494.
1. Notification
As has been described supra, search engines are not explicitly included in the intermediary liability exemption regime in the E-Commerce Directive. However, Spanish law explicitly provides for a search engine liability exemption, similar to that for hosting providers.[125] In the Google Spain Case, however, the Court put emphasis on the search engine’s own activities vis-à-vis the (personal) data and not the activities of the original publisher. The latter, after all, were legal.
Once notified of a certain processing activity (i.e. the referral to a certain website upon searching for someone’s name), it was argued, Google cannot deny its responsibility with regard to that processing. It is therefore worth highlighting that in Google Spain, the rights holder (i.e. the data subject) did notify the search engine. When the company did not react, the individual eventually obtained a court order to have the respective information taken down. Therefore, when looked at from an intermediary liability perspective, Google would still have had to remove the information upon notification (cfr. the hosting regime). In casu, they did not even remove it after receiving a court order (cfr. mere conduit regime, where information has to be removed following such an order).[126]
[125] Supra, Section 3.2; Recently, Google was explicitly ruled not to have actual knowledge in a case where a victim of defamation had issued a takedown request and even obtained a judgment declaring the original content to be illegal. See more: C. A. Rigaudias, “Miguel v. Google Inc. Spanish Supreme Court [STS (Civil Chamber) of 4 March 2013 no. 144/2013] – “The recent judgment of the Spanish Supreme Court addressed the liability of intermediary information services providers for defamatory content and sheds light on the so-called ‘right to be forgotten’ case being heard by the ECJ”, E-Commerce Law Reports - volume 13 issue 04, p. 11.
[126] Clearly, it was a deliberate and strategic decision on Google’s part not to comply with this specific injunction. Besides wanting to obtain a more definitive and authoritative answer on whether or not these kind of erasure requests should be possible in the first place, Google was probably interested in being elucidated on who will bear the costs of compliance. Do search engines (exclusively) bear the burden of assessing removal requests? Or can they just defer to the authorities (DPA or Court) to make the appropriate balance? The CJEU seems to suggest a middle-way, in which search engines can be asked to make a balance, but can easily defer the requester to the relevant national authority in more problematic cases (without risking liability).
2. Taking Down Legitimate Information?
One of the elements making the Google Spain Case so interesting and controversial is the fact that the underlying information – which is referred to by Google – is published lawfully. In other words, the information at its source is legitimate and the original publisher does not have an obligation to take it down.[127] It is in this context the analogy with the notice-and-takedown regime falls apart. The exemption regime under the E-Commerce Directive focuses on the (illegal) nature of the content or the activities of the originator. The Data Protection Directive, on the other hand, focuses on the activities of the controller itself (in casu the search engine), regardless of those of the entity at the source of the information. This approach goes back to the Court of Justice’s Lindqvist[128] and Satamedia[129] cases. In these cases, the Court emphasized that personal data that has been published, is still protected by data protection law. Each use of the relevant personal data should hence be assessed against data protection law separately. To put this differently, the data protection framework – and right to erasure in particular – starts from a different paradigm than the liability exemptions in the E-Commerce Directive. The latter is hinged upon traditional tort law principles where an individual is subject to (potential) harm caused by the publication of certain information. Data protection simply puts certain responsibilities on the shoulders of whoever processes personal data. In order to exercise one’s rights under the data protection framework, it is not necessary to demonstrate (potential) harm.[130]
[127] In this particular case, the original source (LaVanguardia) even had an explicit obligation to publish the information.
[128] Court of Justice of the European Union , Bodil Lindqvist, C-101/01, 6 November 2003.
[129] Court of Justice of the European Union, Tietosuojavaltuutettu v. Satakunnan Markkinapörssi Oy and Satamedia Oy, C‑73/07, 16 December 2008.
[130] Article 23 of the Directive does provide for the possibility to obtain damages in case one is actually harmed.
3. Autonomy
Contrary to the intermediaries mentioned in Section 4 of the E-Commerce Directive (e.g. caching, mere conduit and hosting providers), search engines do not remain purely passive with regard to the information they facilitate access to.[131] In fact, they do a great deal with this data independent from gathering it from its source.[132] Based on their algorithmic analysis of the information, they refer to certain web pages when entering a particular search term/phrase. A strong argument can be made that search engines bear responsibility for this specific activity. After all, it determines — entirely autonomously — how and why the information is presented in a certain way. But, one could counter-argue that search engines only offer a tool to their users and should not be held responsible for the queries these users make.
In any situation, it is hard to deny the importance of search engines in giving visibility/publicity to the information they refer to. In Google Spain, the Court emphasized that search results constitute “a structured overview of the information [...] that can be found on the Internet [...] and which, without the search engine, could not have been interconnected or could have been only with great difficulty — and thereby to establish a more or less detailed profile...”.[133] While this is – of course – one of the main reasons people use search engines in the first place, it is also the reason why a search engine has such a potentially important impact on users’ perception of the search term. In other words, the harm or impact on the individual might not have occurred (to the same extent) if the information had not been accessible through search engines.[134] Put briefly, one could draw a direct causal relationship between the search engine’s activities and the impact on the individual. Hence, it is not surprising to see the Council of the EU also emphasize that the required balancing exercise differs depending on whether it relates to taking down the source or a search link.[135]
The above is well-illustrated by two Australian cases involving Yahoo![136] and Google[137]. In these (defamation) cases, the plaintiff successfully established that the search engines’ result pages caused him reputational harm. The links, snippets and photos that were shown when searching for the plaintiff’s name – and which were all legal/legitimate on their own – gave the impression Mr. Trkulja was a criminal.[138] In the same vein, several European courts have recognized that – under certain circumstances – Google’s ‘auto-complete’ functionality can cause harm to the relevant individual. For example, a German Federal Court recently ruled that Google should remove offensive word-combinations upon notification (in casu ‘scientology’).[139] In a comparable and ongoing case, Bettina Wulff (the former First Lady of Germany), has demanded that Google cease auto-completion with words such as ‘escort’ and ‘red light district’ when entering her name.[140] Similarly, an Italian court has ruled Google to be responsible for the auto-complete terms ‘truffatore’ (con man, swindler) and ‘truffa’ (scam, fraud).[141] Other cases against Google’s auto-complete functionality were introduced by companies, seeing their name being associated with terms such as ‘receivership’[142]; ‘crook’[143]; ‘scam’[144]; etc.).
In any situation, the above clearly illustrates the difficulties of categorizing search engines or even defining the nature of their activities. It is clear that, on the one hand they do perform autonomous and independent activities on the information, while on the other hand acting as a mere intermediary facilitating access to third party content. But it is much less clear whether this conceptual distinction can – or even should – be translated into practice.
[131] Intermediary liability exemptions are based on the premise that the ‘sole purpose’ of their activities is to make “the transmission more efficient; this activity is of a mere technical, automatic and passive nature, which implies that the information society service provider has neither knowledge of nor control over the information which is transmitted or stored.” (recital 42 of the E-Commerce Directive).
[132] For a comprehensive overview, see: Van Alsenoy et al., 11 et seq.This is probably also one of the reasons why search engines are not explicitly included in the E-Commerce Directive’s exemption regime in the first place. The legislator specifically introduced an article spurring the European Commission to analyse “the need for proposals concerning the liability of providers of hyperlinks and location tool services.” (article 21.2).In the Google Spain Case, the Court of Justice emphasized the distinction between the search engine’s and the original publisher’s activities at several occasions: Paragraph 80; 84-85; 86-87.
[133] Paragraph 80.
[134] This line of arguments was already put forward by the Spanish DPA in a Statement dating back from December 2007. Spanish Data Protection Agency, Statement on Internet Search Engines (Madrid, Spain, December 1, 2007), 9–10. The DPA stated inter alia that “Although the initial incorporation of this personal information on the web ‘may be legitimate at source, its universal and secular conservation on the Internet may be disproportionate.’ People must have at their disposal reaction instruments in order to avoid, on their own initiative, to be subject to a global exhibition.”
[135] Council of the European Union - Working Group on Information Exchange and Data Protection (DAPIX). “Note on the Proposal for a General Data Protection Regulation - the Right to Be Forgotten and the Google Judgment,” July 3, 2014. http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%2011289%202014%20INIT, 5-6.
[136] Trkulja v Yahoo! Inc LLC & Anor (VSC 2012).
[137] Trkulja v Google Inc LLC & Anor (No 5) (VSC 2012).
[138] More specifically, when looking for the plaintiff’s name, search engine users were presented with pictures of criminals with the plaintiff’s name underneath. The results pages also contained a link to an article titled ‘Shooting probe urged ...’ aside a big picture of the plaintiff and underneath the heading ‘Melbourne Crime’.
[139] BGH, judgment of 14 May 2013, ref. VI ZR 269/12, available at http://juris.bundesgerichtshof.de/cgi-bin/rechtsprechung/document.py?Gericht=bgh&Art=pm&Datum=2013&nr=64071&pos=0&anz=86. Also see: EDRi. “Germany: Google Must Remove Autocomplete Harmful Searches If Notified,” May 22, 2013. edri.org/edrigram/number11.10/autocomplete-harmful-searches-google-germany; “German Federal Court Raps Google on the Knuckles over Autocomplete Function | Technology | DW.DE | 15.05.2013,” DW.DE, accessed June 25, 2013, http://www.dw.de/german-federal-court-raps-google-on-the-knuckles-over-autocomplete-function/a-16813363.
[140] “Bettina Wulff Will Weiter Gegen Google Vorgehen,” Welt Online, May 20, 2013, sec. Wirtschaft, http://www.welt.de/wirtschaft/article116355211/Bettina-Wulff-will-weiter-gegen-Google-vorgehen.html; “German Federal Court Raps Google on the Knuckles over Autocomplete Function | Technology | DW.DE | 15.05.2013.”
[141] EDRi, “Italian Court Found Google Responsible For Search Suggestions To Users,” April 20, 2011, http://www.edri.org/edrigram/number9.8/italian-case-google-suggest.
[142] In 2011, an Irish hotel sued Google over the search term suggestion ‘receivership’ (“the legal state of having forfeited control of a business or estate to a receiver to allow for the attempted recovery of a debt”). The case was later dropped by the Hotel for unclear reasons. See: Rob Young, “Irish Hotel Drops Autocomplete Defamation Case Against Google,” Search Engine Watch, November 25, 2011, http://searchenginewatch.com/article/2127329/Irish-Hotel-Drops-Autocomplete-Defamation-Case-Against-Google.
[143] In France, a Court of Appeals confirmed an earlier decision, requiring Google to remove the auto-suggestion, pay €50.000 in damages and publish the decision on its homepage. See: “Google Suggest Condamné En Appel Pour Injure - LeMonde.fr,” accessed December 29, 2011, http://www.lemonde.fr/technologies/article/2011/12/28/google-suggest-condamne-en-appel-pour-injure_1623293_651865.html.
[144] Marc Rees, “Google Condamné Pour Avoir Suggéré La Requête,” January 6, 2010, pcinpact.com/news/54815-google-suggest-arnaque-requete-moteur.htm.
C. Aftermath
Only two weeks after the CJEU’s decision, Google had already put in place an online form, allowing individuals to request the removal of links from the results that were produced by a search of their name.[145] At the same time, the search engine company also announced it would create a hand-picked team of experts.[146] This ‘advisory council’ will help them define a strategy on how to deal with the multitude of requests that they receive, and includes academics, policymakers, business people, and journalists.[147] More recently, Google also invited the public at large to give them feedback on how to implement the ruling.[148] Some national data protection authorities have issued official reactions to the ruling already[149] and the Article 29 Working Party[150] has already had an internal meeting on the Court’s ruling[151], and sat together with several search engines at the end of July.[152]
Twenty-four hours after putting the form online where individuals can ask Google to remove certain links, the search engine already reported receiving over 12,000 requests. This number climbed to 41,000 by early June[153] and over 70,000 one month after that.[154][155] Most requests emanated from France, than Germany, Great Britain, and Spain.[156] Google declared to regulators that it approved over 50% of the requests, asked for more information in about 15%, and rejected over 30%.
At first, the search engine intended to notify its users when their search query would have been the subject of an erasure request under the data protection framework (similarly to what it does with regard to takedowns in the context of copyright).[157] Instead, however, Google now puts a disclaimer on the bottom of every search it identifies as a ‘name search’, stating, “Some results may have been removed under data protection law in Europe” with a link to more information on the CJEU case. It seems, though, that Google will try to notify the relevant source in certain cases. This was clearly illustrated when the Guardian[158] and BBC[159] published reports that some of their articles on corrupt politicians, dodgy bankers, and pedophiles had been de-indexed by Google.[160] Finally, it should be said that all of the above only occurs within the context of the EU. In other words, the form is not available outside the EU and search results are not filtered when queries are made on top-level domain names outside of the EU (e.g. .com; .sn).[161]
[145] https://support.google.com/legal/contact/lr_eudpa?product=websearch&hl=en.
[146] Alistair Barr and Rolfe Winkler, “Google Offers ‘Right to Be Forgotten’ Form in Europe,” Wall Street Journal, May 30, 2014, http://online.wsj.com/articles/google-committee-of-experts-to-deal-with-right-to-be-forgotten-1401426748.
[147] See: https://www.google.com/advisorycouncil/
[148] https://www.google.com/advisorycouncil/
[149] For example: The Spanish DPA being generally positive but emphasizing the need for a thorough impact assessment (AEPD, Press Release - The Court of Justice of the European Union supports the thesis of the Spanish DPA on search engines and the right to be forgotten online, 13 May 2014, http://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2014/notas_prensa/common/may_14/Press_release_EU_Court_judgement_right_to_be_forgotten1.pdf); the UK’s information Commissioner declared there is an important role to be played by national regulators (David Smith (Deputy Commissioner and Director of Data Protection, ICO), Four things we learned from the EU Google judgment, 20 May 2014, http://iconewsblog.wordpress.com/2014/05/20/four-things-weve-learned-from-the-eu-google-judgment.).
[150] Umbrella organization including the data protection authorities from all EU member states. See: http://ec.europa.eu/justice/data-protection/article-29/
[151] Article 29 Data Protection Working Party, Press Release, 23 May 2014, http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20140523_wp29_press_release_ecj_google.pdf
[152] http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20140717_wp29_press_release_meeting_with_search_engines.pdf
For a complete list of the concrete questions the Working Party asked the search engines, see: Article 29 Working Party, “Press Release: European DPAs Meet with Search Engines on the ‘right to Be Forgotten,’” July 25, 2014, http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20140725_wp29_press_release_right_to_be_forgotten.pdf.
[153] Jennifer Baker, “Google Has Received over 41,000 Requests to ‘Forget’ Personal Information,” Tech Blog, IT World, (June 4, 2014), http://www.itworld.com/networking/421740/google-has-received-over-41000-requests-forget-personal-information.
[154] Op-Ed by Google’s Chief Legal Officer D. Drummond: http://googleblog.blogspot.be/2014/07/searching-for-right-balance.html. By the end of July, Google reported to have received over 91.000 requests. See: David Lee, “Google Quizzed over Deleted Links,” BBC News, July 24, 2014, www.bbc.com/news/technology-28458194.
[155] These numbers seem to indicate a progressive decline of requests. Anecdotally, it is worth mentioning that Bing (Microsoft’s search engine) only received around 20 requests the day after Google released its erasure-form (see:Mark Scott, “Microsoft Taking Steps to Comply With the Right to Be Forgotten,” New York Times, July 9, 2014, sec. Bits Blog, http://bits.blogs.nytimes.com/2014/07/09/microsoft-to-wade-into-complying-with-the-right-to-be-forgotten/.)
[156] Lee, “Google Quizzed over Deleted Links.”
[157] Josh Halliday, “Google Search Results May Indicate ‘Right to Be Forgotten’ Censorship,” The Guardian, June 8, 2014, sec. Technology, http://www.theguardian.com/technology/2014/jun/08/google-search-results-indicate-right-to-be-forgotten-censorship.
[158] James Ball, “EU’s Right to Be Forgotten: Guardian Articles Have Been Hidden by Google,” The Guardian, July 2, 2014, sec. Comment is free, http://www.theguardian.com/commentisfree/2014/jul/02/eu-right-to-be-forgotten-guardian-google.
[159] Robert Peston, “Why Has Google Cast Me into Oblivion?,” BBC News, July 2, 2014, www.bbc.com/news/business-28130581.
[160] These takedowns were seen by some as a deliberate media strategy by Google. Intentional or not, after receiving a lot of criticism for these takedowns, the company quickly reinstated the references. For more information, see: Chris Moran, “Things to Remember about Google and the Right to Be Forgotten,” The Guardian, July 3, 2014, sec. Technology, http://www.theguardian.com/technology/2014/jul/03/google-remember-right-to-be-forgotten; Paul Bernal, “Facebook, Google and the Little People....,” Paul Bernal’s Blog, July 4, 2014, http://paulbernal.wordpress.com/2014/07/04/facebook-google-and-the-little-people/; David Meyer, “Why Is Google Really Removing Links to News Articles in Europe?,” July 3, 2014, http://gigaom.com/2014/07/03/why-is-google-really-removing-links-to-news-articles-in-europe/; Andrew Orlowski, “Google de-Listing of BBC Article ‘Broke UK and Euro Public Interest Laws’ - So WHY Do It?,” The Register, July 4, 2014, theregister.co.uk/2014/07/04/google_peston_bbc_delisting_not_compliant_w_public_interest_law_says_expert/.
[161] This has also enabled some to compare search results (based on name-searches) in different jurisdictions and create a list of those results that have been the subject of an erasure request. See: Kevin Rawlinson, “‘Hidden From Google’ Lists Pages Blocked by Search Engine,” BBC News, July 15, 2014, http://www.bbc.com/news/technology-28311217; Julia Powles and Luciano Floridi, “A Manifesto for the Future of the ‘Right to Be Forgotten’ Debate,” The Guardian, July 22, 2014, sec. Technology, http://www.theguardian.com/technology/2014/jul/22/a-manifesto-for-the-future-of-the-right-to-be-forgotten-debate.
D. Looking ahead
It is still too early to draw conclusions about the eventual impact of the Google Spain ruling. Further observations and research should make a distinction between first and second order effects. First order effects relate to the implementation of the judgment in the EU. Second order effects relate to the broader consequences and implications (e.g. on innovation, freedom of expression, or the effect of this judgment outside of the EU).
Data protection regulators – both at the national and pan-European level – are arduously working on developing a ‘dashboard’ or ‘platform’ that should ensure a proper balancing between all interests at stake.[162] A critical element in this exercise is the development of objective criteria that could be applied the same across the EU (in order to harmonies the implementation of the ruling).[163] At this stage, it is worth noting that at least some official organizations (e.g. the French data protection authority, CNIL[164]; and the Council of the EU[165]) suggest a gradual/subsidiary approach where the data subject should first approach the source page before being able to go to the search engine.
Currently, there is still insufficient information to predict the second order effects. For example, there is not enough data on specific cases and corresponding compliance rates[166] to evaluate the impact on the right to freedom of expression, or innovation. As mentioned before, we should be prudent in predicting the possible impact of the judgment on the right to freedom of expression. First of all, a search engine’s search results are very dynamic in nature and change constantly based on a plethora of factors (of legal[167], economic[168] or technical[169] nature) already. Secondly, the relevant webpage will still be findable through other – more specific – search terms (not including the name) and via other routes (e.g. different search engines, social networks, direct access, etc.). After all, we should not (over-)rely on one tool or service to constitute our (sole) window to all online information. At the same time, the judgment might encourage certain governments outside the EU to introduce more content control.
Finally, the CJEU’s ruling in Google Spain will undoubtedly have an impact on the currently on-going legislative reform of the European data protection framework.[170] The Court seems to prompt legislators to be clearer in defining the distribution of responsibilities among different online actors, as well as providing better guidance on the potential conflict with freedom of expression (and other fundamental) rights and interests. This was also echoed in the Council of the EU’s report on the Google Spain Ruling, specifically calling for the legislator’s attention to “(1) the scope of the right [to be forgotten], (2) the grounds on which this right can be exercised and (3) the need to balance this right with the freedom of expression, and (4) whether there is still a need to impose an effort obligation on initial controllers to inform second controllers of the request for erasure of data.”[171]
[162] Article 29 Working Party. “Press Release: Follow-up to the Ruling of the Court of Justice of the EU of 13 May 2014 on the ‘Right to Be Forgotten,’” September 18, 2014. http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20140918_wp29_press_release_97th_plenary_cjeu_google_judgment__17sept_adopted.pdf.
[163] A concrete example of such a criterion would be the admission of a removal request when the requestor’s criminal record is expunged. Arguably, the societal goal of allowing people to start afresh after certain periods of time, would be rendered useless if reports on the underlying facts pop up among the first results when searching for a person’s name.
[164] http://www.cnil.fr/linstitution/actualite/article/article/comment-effacer-des-informations-me-concernant-sur-un-moteur-de-recherche/
[165] Council of the European Union - Working Group on Information Exchange and Data Protection (DAPIX). “Note on the Proposal for a General Data Protection Regulation - the Right to Be Forgotten and the Google Judgment,” July 3, 2014. http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%2011289%202014%20INIT, 7.
[166] The only data available at the time of writing are the numbers communicated by Google to the Article 29 Working Party on July 31st, 2014. In this document, the search engine said to allow just over half of the removal requests it had received. See: Fleischer, Peter. “Questionnaire Addressed to Search Engines by the Article 29 Working Party Regarding the Implementation of the CJEU Judgment on the ‘right to Be Forgotten,’” July 31, 2014. https://docs.google.com/file/d/0B8syaai6SSfiT0EwRUFyOENqR3M/preview.
[167] E.g. Child pornography, intellectual property protection.
[168] E.g. Public image of the company, advertisement, business model.
[169] E.g. Optimalisation, fraud/spam prevention.
[170] See: http://ec.europa.eu/justice/data-protection/review/index_en.htm.
[171] Council of the European Union - Working Group on Information Exchange and Data Protection (DAPIX). “Note on the Proposal for a General Data Protection Regulation - the Right to Be Forgotten and the Google Judgment,” July 3, 2014. http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%2011289%202014%20INIT.
VI. Conclusion
The EU regime regarding liability of Internet intermediaries is in need of reform. The planned Notice and Action Directive failed to reach the EU Parliament before the 2014 elections. It is to be seen whether the review of the intermediary liability regime remains on the agenda of the new Commission.
This working paper made a deep dive into the situation of search engines in the European intermediary liability regime, with a particular focus on their position vis-à-vis data protection laws. From this analysis it became clear that the situation is far from resolved. First of all, the position, role, and scope of activities of search engines is very hard to categorize. Given their inherently editorial functions on the content they refer to, they cannot just be compared to more ‘traditional’ Internet intermediaries that remain more ‘neutral’ with regard to the content on their platforms/networks. The uncertainty about their position is also reflected in the widely diverging regulation of these online service providers throughout the EU. This complexity is only amplified by the fact that most (of the biggest) search engines are actually U.S. businesses. The Google Spain ruling in particular – although focusing specifically on data protection issues – highlights the need for a pan-European approach to the regulation of search engines.