Privacy, Data Protection and Retention
Lillo-Stenberg v. Norway
Closed Contracts Expression
Global Freedom of Expression is an academic initiative and therefore, we encourage you to share and republish excerpts of our content so long as they are not used for commercial purposes and you respect the following policy:
Attribution, copyright, and license information for media used by Global Freedom of Expression is available on our Credits page.
The Mexican Federal Institute of Access to Information and Protection of Data (FIAIPD) ordered Google Mexico to de-index certain URLs from the Google Mexico search engine and delete personal data relating to an individual from its databases. It also ordered the initiation of proceedings for the imposition of sanctions against Google Mexico. The order was based on a request from an individual who claimed that a search of his name on a Google Mexico search engine provided links to URLs that disclosed his name, the name of his (deceased) father, the names of his brothers, and information pertaining to his business activities. Citing the European Court of Justice’s decision Google Spain v. AEPD and Mario Costeja Gonzalez ,the FIAIPD concluded that enabling the public to find someone’s private information through an online search engine was a form of data processing, and that Google Mexico was responsible for the processing of the applicant’s personal data in these circumstances, despite Google Mexico’s contention that the search engine was run by Google Inc. in the United States.
In July 2014, an applicant filed a request to Google Mexico to delete his personal data and he opposed the continued dissemination of his personal data. The applicant listed a number of URLs indexed by the Google search engine which, according to him, contained his name, the name of his (deceased) father, the names of his brothers, and information pertaining to his business activities. He claimed that the dissemination of this data had a detrimental impact on his privacy and dignity, as well as his commercial and financial relations. He also claimed that its dissemination endangered his personal security and physical integrity. He noted that the information had been indexed on the Google Mexico search engine without his consent. On this basis, the applicant requested Google Mexico to proceed with the deletion, blocking and suppression of his personal information contained in the listed URLs.
Google Mexico never responded to the applicant’s request. For this reason, the applicant filed a request for a decision from the Federal Institute of Access to Information and Protection of Data (FIAIPD) to protect his right of opposition. The applicant’s request was received in September 2014, and the FIAIPD issued its decision in January 2015.
The FIAIPD had to decide whether Google Mexico was responsible for the processing of the applicant’s personal data and, if so, whether it was required to comply with the applicant’s request for the deletion, blocking and suppression of his personal data.
Google Mexico argued that it was a legal entity distinct from Google Inc., which was the legal entity based in the United States that was responsible for managing and controlling the Google search engine. It also argued that it had no relation with Google Inc., beyond Google Inc. being one of Google Mexico’s shareholders. Taking this into account, they argued that they were unable to respond to the applicant’s request which should instead be directed to Google Inc.
The applicant counter-argued by stating that (i) “Google Mexico” was the name that appeared on the search website where he found the relevant links, not Google Inc.; (ii) that Google Mexico was a provider of search engine services in Mexico; (iii) that, in any case, whether Google Inc. was the entity who directly ran the search engine was irrelevant for the purposes of determining responsibility because Google Inc. acted in Mexico through its affiliate Google Mexico; and (iv) that search engine operators should always be held responsible when a person’s right to privacy and dignity are impaired because of the results displayed by their search engines.
The FIAIPD began its analysis by looking at whether Google Mexico could be considered responsible for the processing of the applicant’s data under the Mexican law on data protection. The FIAIPD took into account the following in finding Google Mexico responsible: (i) that the provision of search engine services was listed as one of Google Mexico’s objectives in its articles of incorporation; (ii) that Google Mexico and its physical address in Mexico were listed in the “acerda de” (“about”) section of the Google Mexico search engine; and (iii) that personal information pertaining to the applicant could be found by conducting a search of his name through the Google Mexico search engine (i.e. www.google.mx). The FIAIPD concluded that facilitating the public’s ability to find someone’s private information through the provision of a search engine constitutes a form of data processing, and that Google Mexico was responsible for the processing of the applicant’s personal data in these circumstances. The FIAIPD cited the Court of Justice of the European Union’s decision in Google Spain v. AEPD and Mario Costeja Gonzalez to support these conclusions.
After finding Google Mexico responsible for the data processing, the FIAIPD proceeded to note that the company had failed to respond to the applicant’s request within the time period prescribed by law. Also, even though the law provided a number of exceptions under which an entity responsible for data processing could refuse an individual’s request for deletion or opposition to their personal data being processed, the FIAIPD noted that Google Mexico had failed to present any evidence supporting reasons why any of these exceptions applied in this case.
In light of the above, the FIAIPD ordered Google Mexico to make effective the applicant’s right to opposition, which meant that it had to de-index the URLs listed by the applicant so that they could no longer be found through a search of the applicant’s name on the Google Mexico search engine. The FIAIPD also ordered the company to give effect to the applicant’s right to deletion, meaning that Google Mexico had to delete the personal data of the applicant from its databases. Further, it also ordered for a procedure to be initiated for the imposition of sanctions against Google Mexico.
Decision Direction indicates whether the decision expands or contracts expression based on an analysis of the case.
This decision contracts expression by holding that a search engine is required to de-index URLs from search results where an individual has exercised their right to opposition. This case clarifies that the indexing of URLs by search engines so that they can be found when a search is made of an individual’s name amounts to the processing of personal data. As a result, an individual can object to such processing in exercise of their right to opposition. This case also found a national subsidiary of a search engine liable for the data processing that takes place in the provision of that search engine, despite the fact that the national subsidiary had no direct involvement in the provision of the search engine. This finding could make search engines more inclined to de-index when asked by users to do so in order to avoid liability, which would be detrimental to the public’s right of access to information as search engines may over censor their search results.
Global Perspective demonstrates how the court’s decision was influenced by standards from one or many regions.
Case significance refers to how influential the case is and how its significance changes over time.
Let us know if you notice errors or if the case analysis needs revision.