In May 2014, the highest court in the European Union’s legal system, the Court of Justice of the European Union (“CJEU”), released a decision that has significantly changed the way third-party information is processed and disseminated by organizations. The decision may impact Canadian companies that conduct business in Europe.
The Luxembourg based CJEU held in Google Spain SL and Google Inc. v Agencia Española de Protección de Datos and Mario Costeja González (case no. C-131/12, May 13, 2014) that individuals possess what has become dubbed as “the right to be forgotten” in certain circumstances where the information appearing in online search engine results is “excessive” or “no longer relevant”.
In addition to concerns over the potential chilling effect on free speech, the decision also raises the question of whether a similar right to be forgotten principle could benefit Canadians. From a business perspective, the decision has direct implications on Canadian companies carrying on business in the EU or handling the personal data of EU citizens. These issues will be discussed below.
The CJEU Decision
In 2010, Mario Costeja González, a Spanish citizen, complained to the national Data Protection Agency, Google Spain and Google Inc. that Google’s links to an auction sale notice of his home from 1998 infringed his right to privacy as proceedings had been resolved and the notice was no longer relevant.
Mr. Costeja González alleged that failure to remove the notice, or links to it, infringed his right to privacy under Article 12 of the EU’s 1995 Data Protection Directive 95/46/EC (the “Directive”), which provides that individuals can ask a “data controller” for information to be deleted if it is “incomplete or inaccurate”. The Spanish court referred the matter to the CJEU for a preliminary ruling, a decision on the interpretation of EU law undertaken upon request by a court or tribunal of an EU Member State.
In the decision, the CJEU held that as search engines such as Google are in fact “controllers of personal data” they are not exempt from the requirements of EU law when handling an individual’s personal information. As a result, Google Inc., a US company not ordinarily subject to EU law, was obliged to follow the Directive and adhere to the CJEU’s decision. Although Google was the subject of the decision, the ruling has the same application to all online search engines and data controllers.
Territorial Scope of the CJEU Decision
The CJEU held that even if the server which processed the data in question was physically located outside of the EU, EU law would apply to the operator of the search engine (such as Google) if it had an affiliate set up in the Member State. In the case of Google Inc., a subsidiary in Spain (Google Spain SL) which did little more than sell advertising space was sufficient to bring the US company within the ambit of the Directive and the CJEU. Canadian business owners should therefore be cognizant of the fact that if they conduct business in the EU via a branch or subsidiary, regardless of the scale or tangential relation of the operation to the parent company, the collection, use and storage of the data is subject to the Directive.
Canadian Businesses Collecting Data in the EU
The CJEU was asked to opine on whether Google was a “data controller” under the Directive. Controversially, and contrary to the belief of many that Google had always been merely a “neutral intermediary”, it was held that Google was a data controller. While the facts of the decision specifically involve the role of search engines in the marketplace, the wider implications are that Canadian businesses and organizations offering products or services to individuals within the EU or conducting business with an EU-based company may also fall within the scope of the Directive and should therefore be aware of how the Directive may affect them.
Canadian Privacy Law
Canadians enjoy several layers of privacy protection. The manner in which our personal data is handled and stored is protected at the federal level by the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which governs how private sector organizations may collect, use or disclose personal information in the course of commercial activities. Private sector organizations are made accountable by PIPEDA’s guiding principles which include consent and limiting the use, disclosure and retention of personal information. Principle 5 of PIPEDA provides that where the retention of an individual’s information is no longer needed to fulfill the identified purpose, it “should be destroyed, erased, or made anonymous”. The Privacy Act regulates how federal government departments and agencies handle personal information. Individuals must be granted a reasonable opportunity to access any personal information retained by a federal institution. The Regulations under the Privacy Act set out data disposal procedures to be complied with by the institution.
Each province and territory also has its own privacy legislation – in Manitoba, The Freedom of Information and Protection of Privacy Act governs public bodies, while The Personal Information Protection and Identity Theft Prevention Act (“PIPITPA”), which is still awaiting proclamation, will regulate the private sector. PIPITPA is similar to PIPEDA, and with certain exceptions, will require an individual’s informed consent prior to the collection and handling of personal data. PIPITPA contains breach and enforcement provisions that provide for damages should an organization fail to protect an individual’s personal information.
Canadian privacy legislation offers rigorous protection of the handling of personal data by public and private organizations. While we may not have a strict right to be forgotten principle in Canada, time will tell if the courts are required to decide on a gap in the legislation. For the time being, the Google Spain decision is a reminder of the surprising reach of foreign court decisions, and that Canadian businesses operating in Europe should develop best practices for the collection, use, storage and disposal of an individual’s personal data.
As a Lex Mundi member law firm, TDS can help clients across Europe with legal matters related to this article.
This article was written by Russell Dufault, who is no longer at TDS. Please visit our Corporate and Commercial Law page for more information and a list of TDS Corporate and Commercial lawyers.