Case Summary and Outcome

In 2019, Spain’s National High Court reversed a ruling of Agencia Española de Protección de Datos (AEPD) in relation to three complaints alleging that Google was communicating its de-indexed search engine results to third parties. In 2016, the AEPD had imposed a fine of 150,000 Euros on Google on account of its serious breach of the Data Protection Act, each time it disclosed information in relation to queries pertaining to removal of content from the search engine pursuant to requests. The AEPD  also held that as per Article 29 Working Party Guidelines on Consent, in relation to protection of individuals with regard to the processing of personal data, the search engines did not have a legal obligation to inform web administrators of the reasons for deindexing and removal of content from the search engine. However, when the case reached the National High Court, it concluded that the procedure adopted by the AEDP was not the ideal legal mechanism to establish a general position on a generic type of  data processing operation.

Facts

On March 26, 2015, a complaint was filed with AEPD about a possible legal breach by Google following a press release by the AEPD concerning the Article 29 Working Party (WP29) Guidelines on consent (AEPD Statement). Through this document, WP29 also analyzed the rulings related to the right to be forgotten of the  Court of Justice of the European Union (CJEU), and the common interpretive criteria for their application. The complainant alleged a possible legal breach by Google’s search engine in relation to two issues addressed in the AEPD Statement. These breaches pertained to: (i) Google’s policy of warning users about incomplete results and, (ii) Google’s communication to third parties, including web masters, of the effects that the search engine had deindexed the content. The complaint referred to a website notice on the search engine which read as follows: “[the company] may provide information to webmasters of URLs that have been removed from our search results.”

On June 25, 2015, a second complaint pointed out that Google’s content removal tool enabled communication by the search engine to the source websites. The complainant contended that when he searched his name on the search engine, the following message appeared on lower end of the page: “In response to a legal requirement sent to Google, we have removed 2 results from this page. You can learn more about this requirement at ChillingEffects.org.”

A third complaint, filed on November 27, 2015, referred to the notice at the bottom page of Google search results which displayed the following content: “In response to a legal requirement sent to Google, we have removed 2 results from this page. If you wish, you can obtain more information about this requirement in LumenDatabase.org.”

On March 18, 2016, The Subdirectorate General for Data Inspection began its preliminary investigations and agreed to initiate a disciplinary procedure against Google for the alleged infringement of Articles 11.1 and 10 of the Law on Protection of Personal Data (Ley orgánica 15/1999 de Protección de Datos, LOPD), described as serious infringements in articles 44.3.k) and 44.3d).

On September 14, 2016, the AEPD rendered a verdict in which it held that Google had infringed Article 10 of the LOPD and accordingly, imposed a fine of 150,000 Euros on Google. The AEPD also directed Google to adopt necessary measures to comply with Article 10 of the LOPD. As per the AEPD, Google had committed security breach by disseminating identifiable delisting data to third party web admins. According to the AEPD, such conduct was contrary to AEPD’s Statement. Additionally, the AEDP held that the information provided by Google to web admins contained details that which made the data subjects identifiable Further, the AEPD held that Google’s policy to communicate information to website admins regarding individual’s requests to remove search results was unnecessary for management and resolution.

The AEPD also held that Google failed to meet the consent criteria established under law by sharing the details of individuals who sought to enforce their right to be forgotten with third parties. Users/ data subjects had no alternative to prevent their data from being transferred to the third party/ web admins. Thus, the user’s consent was not autonomous, unequivocal, and was devoid of  clear expression of their will as required under law.

The AEPD concluded that users had not consented Google to communicate their data to third parties simply because they requested the search engine to delete information.

On November 30, 2016, the AEPD rejected Google’s request for an appeal and upheld its previous ruling.

On February 1, 2017, Google filed an administrative appeal before the National High Court (Court), in which the present decision has been rendered.

Decision Overview

The main issue under analysis before the Court was whether AEDP had breached the national administrative law standards in issuing its order against Google.

Google sought a declaration from the Court that the AEDP disciplinary procedure was null and void. Google argued that the AEDP’s determination failed to limit it only to the facts in dispute, and instead it referred to Google’s conduct concerning the notifications to the related web admins. As per Google, the AEDP had used the decision to establish a “general criterion.” It further claimed that the AEPD should have decided the case through an administrative act, such as issuance of instruction.

Before the Court, the AEPD argued that the goal of the disciplinary procedure was to determine Google’s breach of responsibility by disclosing user data, without user’s express consent, every time Google removed URLs from its search engine, pursuant to a user request for removal. AEPD argued that implementation of the appropriate procedures to meet the criterion set out in the European Court of Justice’s decision in Google Spain SL v. Agencia Española de Protección de Datos, had resulted in interpretative queries. AEPD claimed that it was the authority empowered to resolve such queries/conflicts. Therefore, as per the AEPD, the disciplinary procedure was the appropriate channel for establishing the criterion of the AEPD for the questions raised by the complainants, in light of the WP29 Guidelines.

The Court held that a disciplinary procedure focuses on establishing a general or interpretative criterion for applying the requirements contained in the CJEU judgment and the WP29 guidelines. However, a disciplinary procedure that culminates in imposing a significant financial penalty was not the ideal approach to establish interpretative criterion in relation to such a novel and complex issue. Consequently, the Court held that establishing interpretive criterion is of greater relevance in disciplinary resolutions where certain constitutional rights are at stake. In the instant case, however, the reasoning behind the AEPD decision was inaccurate.

Regarding the procedure, the Court held that as per Article 55.2 of Law 39/2015,  the preliminary proceedings in a disciplinary procedure ought to determine, as precisely as possible, the facts likely to motivate the initiation of the legal proceeding. The Court held that the facts of the AEPD resolution did not comply with the requirements of a disciplinary procedure as the ascertained facts were seemingly disconnected from the details described by the Complainants, which supposedly motivated the preliminary investigation proceedings. Furthermore, the Court noted that in criminal and administrative disciplinary procedures, the account of all the facts surrounding a case is essential to define the nature and extent of the offense committed.  The Court remarked that considering every fact related to a case is the only way to effectively comply with the principle of strict legality (nullum crimen, nulla poena sine lege).  According to the Court, this principle reflects the need for certainty that must guide the exercise of the administrative branch’s disciplinary power, as outlined in Article 25.1 of the Spanish Constitution.

It is was further held that the assessment of evidence was an essential element of the disciplinary procedure. In the present case, however, there was no analysis or reference to the specific complaints in the AEPD resolution, nor was there any assessment of the evidence gathered in relation to the allegations set out in the complaints. The AEPD resolution failed to evaluate the evidence and disregarded the factual background by relying merely on the statements in the forms used by Google. Thus, the Court held that the AEPD had failed to initiate a disciplinary procedure based on a consideration of the detailed facts set out in the complaint and was, therefore, non compliant with the legal principles that regulate the procedure.

According to the Court, Article 70 of the General Data Protection Regulation (GDPR) established WP29 as the body in charge of interpreting the scope of the right to erasure / right to be forgotten enshrined in Article 17.2.  The Court concluded that the critical and reasonable doubts raised in relation to application of this novel precept and the irregularities detected in the disciplinary procedure did not support the imposition of sanction on Google in the contested decision. Consequently, the Court annulled the AEDP ruling.