Privacy, Data Protection and Retention
Google Spain SL v. Agencia Española de Protección de Datos
Spain
Closed Contracts Expression
Global Freedom of Expression is an academic initiative and therefore, we encourage you to share and republish excerpts of our content so long as they are not used for commercial purposes and you respect the following policy:
Attribution, copyright, and license information for media used by Global Freedom of Expression is available on our Credits page.
The General Directorate of Protection of Personal Data for Peru (GDPD) held that Google was bound by the Peruvian Law for Personal Data Protection (LPPD) both when acting through its local corporate personality, Google Peru S.R.L, and when acting through its international corporate personality, Google Inc. An individual who had been subject of a criminal investigation which had ultimately been dismissed had asked Google to remove from its indexes the links to all pieces of information concerning the dismissed investigation. Google Peru S.R.L. and Google Inc. refused. The GDPD reasoned that Google Search both (1) tracked information containing personal data from Peruvian citizens with the purpose of facilitating access to that information for its users and; (2) had a geographical location function that offered users the option to only receive information extracted from Peruvian websites. Based on this, it concluded that, in order to provide search engine services to the Peruvian market, Google visited web pages located on Peruvian servers in order to register and index information and processed personal data of Peruvian citizens without their consent and that, accordingly, Google, through both its local Google Peru S.R.L and its international Google Inc. personalities was bound by the LPPD as an entity responsible for data processing in Peru.
An individual had been subject of a criminal investigation for crimes against liberty and offenses to public decency which started in 2009 and was ultimately dismissed by the Fifth Criminal Court of Lima on August 17, 2012. On June 9, 2015 this individual filed a document asking the Fifth Criminal Court to ask Google Peru S.R.L. to remove all information and news pieces concerning the dismissed investigation from the Google search engine. The Court made the request but Google Peru S.R.L refused, claiming that the Google search engine was run by Google Inc. from the U.S. which was a different legal entity.
The individual then asked Google Inc. to remove the data concerning the investigation. Google Inc. also refused the request recommending that the individual contact the owners of all the websites directly.
After this refusal, the individual filed a complaint against both Google Inc. and Google Peru S.R.L. before the General Directorate of Protection of Personal Data (GDPD) claiming that both entities had not complied with his right to have his personal data cancelled. The GDPD issued its decision on December 30, 2015.
The issue for the General Directorate of Protection of Personal Data (GDPD) to decide was whether Google Inc. and Google Peru S.R.L. were bound by the Peruvian Law of Protection of Personal Data (LPPD) and thus whether they were required to satisfy the applicant’s request for the cancellation of his personal data.
The applicant claimed that some of the websites containing news pieces concerning the dismissed investigation did not have any e-mail or physical addresses at which he could contact them directly to request the cancellation of his personal data. He also claimed to have lost two job opportunities because the prospective employers had found about the dismissed investigation against him after searching against his name on Google’s search engine.
Google Peru S.R.L maintained that it had no control over the Google search engine and that any data protection complaints had to be addressed to Google Inc. Google Inc. provided a standard response e-mail from its Juridical Investigations Support Team acknowledging receipt of the Court’s request and stating that all requests are processed in the order they are received. However, it failed to provide a definitive response accepting or rejecting the cancellation request within the term prescribed by Peruvian Law.
The GDPD began its analysis by looking at Article 3 of the Peruvian Law for Personal Data Protection (LPPD) which stated that the law applied to public and private databases if their data processing was performed within Peruvian territory. The GDPD then proceeded to note that Google Search, for purposes of its commercial activities: (1) tracked information containing personal data from Peruvian citizens with the purpose of facilitating access to that information for its users; (2)had a geographical location function that offered users the option to only receive information extracted from Peruvian websites. Based on this, the GDPD concluded that, in order to provide search engine services to the Peruvian market, Google visited web pages located on Peruvian servers in order to register and index information and processed personal data of Peruvian citizens without their consent.
Thus, the GDPD concluded that Google, through both its local Google Peru S.R.L and its international Google Inc. personalities was bound by the LPPD as an entity responsible for data processing in Peru.
The GDPD highlighted that “the right to the protection of personal data should not be avoided based on readings and narrow interpretations of the rules on domicile, corporate separation or territorial jurisdiction, which would clearly impede the development of this branch of the law that regulates global activities that know no geographical boundaries; accepting the arguments of the defendant would allow other branches of the law to render the protection of a constitutional right worthless by the simple means of ‘formally locating’ the person responsible outside the territory of our country, when it clearly and notoriously performs commercial activities in Peru, in this case activities linked to the processing of personal data.”
Having found Google Search through both its domestic and international corporate personalities to be bound by the LPPD, the GDPD examined the applicant’s request. It noted that the applicant’s fundamental right to the protection of his personal data could not be limited just because the administrators of the websites had not provided means of communication that would enable him to exercise his right of cancellation directly; nor simply because of Google Peru S.R.L’s claim that it is not the right holder of the data over which protection is being claimed. In support of these conclusions the GDPD adopted the criteria developed by the European Court of Justice in its decision May 13, 2014 (Google Spain v. AEPD and Mario Costeja Gonzalez), explaining that “the data processing that the respondent performs in Peruvian territory is the same that it performs in Spanish territory as well as in any country of the European of Union or any other place in the world where it has a presence”.
The GDPD further highlighted that the applicant’s right to privacy had been infringed by the indexation of his personal data in a manner which allowed information concerning the dismissed investigation to be found through a search of his name and surname.
The GDPD stated that its goal was not to completely eliminate the information concerning the investigation from the internet but only to ensure that it would not be accessible through a search of the applicant’s name and surname. For this reason, it considered that it was valid for the cancellation request to be made directly to the search engine even if the applicant had not previously taken action against the websites themselves.
The GDPD went on to note that, while Google had established mechanisms for users to request the removal of content from its search engine, these mechanisms felt short of Google’s obligations under the LPPD. It also observed that Google Inc. and Google S.R.L.’s responses to the applicant’s request “exhibit a corporate policy that hinders, in a systematic manner, the exercise of the rights to cancellation and complaint of personal data rights holders”.
Based on this reasoning the GDPD ordered Google to block, within 10 days of the decision, all information concerning the dismissed investigation so it could not be found through a search against the individual’s name and surname. It also imposed a fine on Google, equivalent to 35 tax units “for neglecting, impeding or hindering, in a systematic manner, the exercise of the personal data rights of a holder”, and another fine equivalent to 30 tax units “for the processing of personal data disavowing and contravening the rights of cancellation and complaint which the law confers on personal data rights holders”. The total fine was equivalent to US$75,000.
Decision Direction indicates whether the decision expands or contracts expression based on an analysis of the case.
The GDPD ruled that Google was bound by Peruvian data protection laws, even when acting through its international legal personality, Google Inc. While this may have been necessary to ensure due protection of the applicant’s rights, accepting the principle that search engine providers are always bound by domestic data protection laws independently of their place of operation could have a negative impact on freedom of expression. This could lead to search engine providers adapting their global practices to comply with the most strict domestic policies and resort to undesirable self-censorship in order to avoid potential liability.
Global Perspective demonstrates how the court’s decision was influenced by standards from one or many regions.
Case significance refers to how influential the case is and how its significance changes over time.
Let us know if you notice errors or if the case analysis needs revision.