2014/06 > The protection and conservation of personal data in the digital world

In the midst of European reform of the protection of personal data that is subject to computerized processing, and discussions on a free-trade agreement between Europe and the USA, the Court of Justice of the European Union (CJEU) has just rendered, within a month of each other, two important decision, highlighting the difficulties of reconciling trade and the protection of individuals when it is necessary for their data to circulate.

This decision was rendered ​​on the basis of the Charter of Fundamental Rights of the European Union (PDF) which provides that “Everyone has the right to respect for his or her private and family life, home and communications” (Article 7) and ” Everyone has the right to the protection of personal data concerning him or her “( Article 8).

In the most recent decision of May 13, 2014 (Case C-131/12), the CJEU enshrined the principle of a “right to be forgotten”. The context was a complaint filed by a Spanish national before the Spanish Data Protection Agency (SDPA), against Google Inc. and Google Spain, to obtain the removal of personal data from their index, and prevent any access to it in the future. This Spanish national requested inter alia that his data should not appear anymore in the search results of a large-circulation Spanish newspaper in which his name was related to a real-estate auction held following attachment proceedings performed for the recovery of debts dating back to 1998. The SDPA dismissed the complaint, considering that the newspaper publisher had legally published the data. However, the SDPA asked Google companies to take all measures to remove such data and make it inaccessible in the future in their search engine. Google then appealed before the Spanish court, which itself applied to the CJEU for a preliminary ruling.

Before the CJEU, Google Inc. and its subsidiary argued that, pursuant to EU Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ No L 281, 23/11/1995), the activity performed by search engines is not “processing” of the data appearing on the third parties webpages that are in the list of search results, but only a processing of accessible information on the internet, with no distinction between mere information and personal data, and, as an operator of a search engine, it could not be held responsible for data that a priori it did not know and could not control. On this point the CJEU replied that the search engine activity of finding information published by third parties, indexing them automatically, storing them temporarily and disseminating them in an order of preference, is to be qualified as the processing of personal data.

The question was then whether Google Inc., the search engine operator, could be held responsible for this data processing. The CJEU indicated in this respect that under Article 2 d) of the Directive, “the natural or legal person […] which alone or jointly with others determines the purposes and means of the processing of personal data” must be held responsible for data processing. According to the CJEU, in this case, the activities of the parent company domiciled outside the European Union (as the search engine operator), and those of its subsidiary in Spain (selling advertising space offered by this search engine), are inextricably linked, since the activity of this subsidiary can monetize the search engine, and the search engine is at the same time the means through which the subsidiary conducts its business. According to the Court, Google Inc. cannot avoid the Directive obligations and guarantees, and must be held responsible.

Finally, the CJEU held that the links to the webpages published by third parties that contain information on a person, appearing in the results of searches conducted on the name of that person, and which in the absence of any search engine could not be interconnected, are an interference with his private life that cannot be justified by the economic interests of the search engine operator. Faced with the potential gravity that such interference may pose, the operator must remove such data if it has become inadequate or obsolete over time (except in special cases in view of the nature of the information in question, or the interest for users to have this information, especially in view of the role played by the person in public life).

In another case, following requests submitted by the Irish High Court and the Austrian Constitutional Court for a preliminary ruling on the legality and the compatibility of their national legislation transposing the “Directive 2006/24 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks”, the Court of Justice of the European Union simply invalidated this Directive for violation of the rule of proportionality. In a judgment of April 8, 2014 (Joined Cases C-293/12 and C-594/12), the CJEU held that the text of the Directive 2006/24 exceeded what is necessary to achieve its objectives, due to inaccuracies and lack of limits imposed by the text.

Indeed, this Directive allows Internet access providers to collect and retain data  with the aim of making the data accessible for research, detection and prosecution purposes, for possible transmission to the competent authorities. According to the CJEU, it leads to a large interference of particular gravity in the fundamental right to a private life and to protection of personal data. In addition, although the Directive does not allow access to the contents of communications, data retention and further use remain possible without any notification of the persons concerned. The CJEU conceded that the purpose of the Directive, which is to ensure the availability of this data in order to fight crime, has a general interest and a  public safety objective and  this data retention responds to that objective. However, the means implemented by the Directive must respect the principle of proportionality and must not exceed what is necessary to achieve the objectives of the Directive.

The CJEU then pointed out the lack of a framework in the Directive surrounding the substantive and procedural conditions for access to data by the competent authorities, the lack of prior control by an independent authority regarding this access to data, the lack of objective criteria about the length of time for retention of this data and the lack of guarantees regarding its irreversible destruction after the deadline. This lack of rules fails to ensure an “effective protection of conserved data against the risks of abuse and against any unauthorized access and use of this data.” In addition, the Directive does not require this data to be stored in the territory of the European Union so that the control might be guaranteed by an independent authority in accordance with European Union Law.

Under such circumstances, the CJEU considered that by adopting Directive 2006/24 the European legislator had exceeded the limits required by the principle of proportionality.

By these two decisions, the CJEU intended to participate in the current debate on the reform of personal data protection that has been launched by the European Commission, which includes a draft regulation on the processing of personal data (PDF) and a draft directive “Police and Justice (PDF)” accepted by a vote of the European Parliament on 12 March 2014. Within the framework of harmonization of the rules of the Member States, this draft regulation provides for:  the right to erase data, the communication of personal data being conditional on a prior authorization by a national authority, the consent of the person concerned, as well as a European-level supervisory authority with a ” one-stop shop approach”. More specifically, when it is finally adopted, in France the Regulation will replace Law 78-17 of 6 January 1978 on information technology, files and freedom (Loi informatique, fichiers et libertés).

In France, the CNIL is currently the authority in charge of ensuring the protection of personal data. It has, as such, a power of oversight and sanction, with the help of authorized agents. The law known as “Loi Hamon” has increased the powers of these agents, by providing that “Apart from on-the-spot or upon-notice checks, they can proceed to make any useful finding; notably they can use an online communication service to consult data that is publicly accessible or made accessible, including by carelessness, negligence or due to an act of a third party, if necessary by accessing and remaining connected to automated data processing systems for the time required to make the findings”.

The issue of personal data is currently an extremely sensitive issue, and as we can see, the CJEU and the French legislator intend, in the current debate, to have a strong stance, concerned for the protection of individuals.