Great Expectations from the Court of Justice
How the Judgments on Google and Data Retention Raised More Questions than They Answered
In spring of 2014, the Court of Justice published two rulings that are remarkable for different reasons and share one common trait: both judgments fall short of expectations. One of the tasks of the Court of Justice is interpretation of EU legal acts by means of preliminary rulings. National judges may request the Court to clarify provisions of EU law or even the validity of an EU legal instrument. In the past decades, this has led to several landmark rulings that have shaped EU law.1 Through its jurisprudence, the Court has established a number of fundamental principles by giving elaborate explanations that the Member States’ courts could rely on as guidelines for interpreting and applying the disputed legal provisions. Throughout the years, the Court has become a reliable guide offering indications to national judges – and indirectly also to policy makers – on how to apply principles such as the ne bis in idem rule, dual criminality, and non-discrimination. The two rulings of spring 2014 however fall short of such guidance.
Even though both cases are inherently different, the Luxembourg judges missed the chance to take a clear stand in two ongoing debates. First, the reform of the data protection legal framework triggers many additional questions on how to deal with data protection related issues in a new virtual reality. The storing of telecommunication data for longer periods of time as well as the responsibility of online search engines both fit into this debate. Yet the Court did not give satisfying indications on how these questions should be answered or dealt with on a national level. This would have been not only appropriate but also necessary in the context of the second ongoing debate that has Member States’ trust as its focal point. Arguments on the lack of mutual trust between the Member States have been voiced before, particularly in the context of the European Arrest Warrant. What is new is that this trust deficit seems to be accompanied by a lack of trust in the EU institutions themselves – as demonstrated by difficulties in executing mutual recognition instruments on a national level, by Member States’ reactions to the establishment of the European Public Prosecutor’s Office, and by the recent European elections showing a growing support for so-called Eurosceptic narratives.
It is not clear what the root cause of this fading trust is and more thorough research is necessary than can be accomplished within the scope of this paper. It is obvious, however, that confusion exists on the level of the Member States, which is why all eyes are on the Court of Justice for guidance. The two 2014 decisions highlighted in this contribution were preceded by several significant cases in 2013 in which the Court did not consider national constitutional guarantees where citizens’ protection is concerned. In an area of law that has such a strong link to fundamental rights as criminal procedure law, it is remarkable that the Court makes an unmistakable choice for the fundamental rights in the EU Charter over citizens’ safeguards encompassed in the Member States’ laws and constitutions when these offer stronger protection.2 This is also an alarming development from the point of view of national sovereignty and limited EU legislative competence.
I. Background
The most recent European elections were held against a background of not only growing Eurosceptic political parties but also growing dissatisfaction with the functioning of the EU on several levels, going from the yellow card procedure against the legislative proposal establishing the EPPO to a legal problem as regards the newly adopted European Investigation Order. What has been going on much longer is the lack of mutual trust among Member States that should endorse mutual recognition of legal instruments such as the European Arrest Warrant. The latter has been the subject of national procedures with respect for fundamental rights at the heart of the discussion.3 Increased attention to the Charter of Fundamental Rights and Freedoms would, at first glance, be a good thing, in particular when backed up by the Court of Justice. However, the Court is treading on thin ice by placing the Charter over national constitutional guarantees where citizens’ protection is concerned.
As former third pillar matters, legislative proposals on judicial and police cooperation in criminal matters were originally debated and adopted in an intergovernmental decision-making procedure. For an area that is as sensitive and closely connected with the identity of a country as criminal law, supranational decision-making power was unthinkable. In the post-Lisbon era, the co-decision legislative procedure reigns over all former pillars with “limited” competence for the Commission to submit legislative proposals on aspects of substantive and procedural criminal law. In addition, mechanisms were introduced to protect Member States when a proposal would affect fundamental aspects of its criminal justice system.4 The yellow card procedure was used when 14 national parliaments submitted reasoned opinions claiming that the legislative proposal for establishing the EPPO was in breach of the subsidiarity principle. In general, participating Member States argued that the Commission had not adequately considered the option of strengthening existing agencies (e.g., Eurojust or OLAF) or alternative mechanisms, that it had failed to substantiate the need and the added value of an EPPO, and that the protection of EU financial interests could be better achieved by strengthening and intensifying existing mechanisms of cross-border cooperation between criminal justice authorities.5 With reference inter alia to OLAF’s annual statistics indicating that national criminal proceedings are not effective and with reference to the limited competences of Eurojust and Europol, the Commission responded to Member States’ concern that EU competence went too far in the proposed text on the establishment of the EPPO. The Commission decided to maintain the proposal.6
The European Arrest Warrant is another legal instrument that has caused concern in the Member States on the level of protecting the citizen against whom an EAW is issued. Several court procedures are known in which citizens’ safeguards were tested before national judges.7 In the 2013 Melloni case, such a test was submitted to the Court of Justice.8 The Court ruled that the Framework Decision on the European Arrest Warrant precludes the executing judicial authorities from making the execution of a European Arrest Warrant conditional upon the conviction rendered in absentia being open to review in the Member State that issued the arrest warrant. Provided that the level of protection provided for by the Charter (as interpreted by the Court) and the primacy, unity, and effectiveness of EU law are not thereby compromised, national authorities and courts remain free to apply national standards of protection of fundamental rights whenever an EU legal instrument calls for national implementing measures.
The 2013 Fransson judgment9 introduced the idea that the fundamental rights guaranteed by the Charter must be complied with where national legislation falls within the scope of EU law. With reference to the Melloni case,10 the Court then stated that, when a national court is called upon to review whether fundamental rights are being complied with by means of a national provision or measure implementing EU law, in a situation where action of the Member States is not entirely determined by EU law, national authorities and courts remain free to apply national standards of protection of fundamental rights. However, the level of protection provided for by the Charter (as interpreted by the Court) and the primacy, unity, and effectiveness of EU law should thereby not be compromised. The Court thus draws a line between national legislation falling within the scope of EU law on the one hand and national legislation that is not entirely determined by EU law but implements EU law on the other. This is a very fine line and difficult to apply in practice, which is why more indications on the part of the Court would be helpful for Member States’ authorities.
II. Annulment of the Data Retention Directive
On 8 April 2014, the Court of Justice declared Directive 2006/24/EC invalid. This ruling did not come as a big surprise, considering the criticism the Directive had received since its adoption. Obliging telecommunication providers to collect and store the traffic data of Internet users for periods of time between six months and two years for possible future use in criminal investigations and prosecutions could not be justified by the necessity and the proportionality principles. Storing personal data for longer than is necessary for the purposes they were collected for is, in accordance with the applicable data protection standards, only allowed when this is legal and necessary to preserve a legitimate interest. The lack of nexus between the data subject to blanket retention on the one hand and a specific criminal investigation on the other gave rise to procedures on a national level declaring the national implementation legislation of the Directive unconstitutional.11 Some Member States did not have such proceedings but still did not transpose the Directive into national law. Many data protection experts and academics also reacted with criticism, mostly focused on the lack of necessity and proportionality of this blanket data retention measure.12
When the reform of the data protection legal framework was started in the EU, the Data Retention Directive was not part of the reform package. Only the two basic legal instruments governing data protection in the EU – the 95/46/EC Directive and the 2008 Framework Decision – were to be revised in a first stage. After this was finalized, the Data Retention Directive was also to be reformed, but this is no longer necessary.
The reasons for the annulment by the Court are rightfully centered on the necessity and proportionality requirements and the lack of objective criteria in the Directive on the time periods for retention. Moreover, according to the Court, the Directive should also offer criteria for maintaining the data on servers located on EU territory.
Member States have reacted quite differently, with Swedish telecom operators immediately terminating all data retention.13 In contrast, the UK Home Office insisted that retention of communications data is absolutely fundamental to law enforcement, and telecom operators should continue to observe their obligations in accordance with national data retention laws.14
III. Google and the Right to Delete
The “right to be forgotten” was introduced as a catchphrase in 2012, when the data protection legal framework reform was launched. Two mistakes were made here. First, the phrase itself is essentially misleading. There has never been a right to be forgotten and there never will be. Regardless of whether one refers to individual memory or the collective memory of a society, forcing people to forget – leaving any medical manipulation aside – is impossible. What can be done, however, is to erase, correct, or update personal data that are inaccurate. The right to be forgotten was confused with the right to accurate personal data. Second, the right to be forgotten was introduced as something new. This is also not the case. In 1981, the Council of Europe introduced data protection standards, including the rule that personal data should be correct, up to date, adequate, relevant, and not excessive in relation to the purpose they are collected or processed for. This standard still exists today and has not been amended in the reform.
A preliminary question regarding the right to be forgotten was brought before the Court of Justice by the Spanish National High Court.15 The Court ruled on 13 May 2014 that the world’s most popular online search engine Google is responsible for removing links to personal data that are no longer relevant to the purpose they were processed for. The data subject in the case was Mario Costeja González, a Spanish citizen who had social security debts in the late nineties. A real-estate auction was organized to recover the debts. In accordance with an order by the Ministry of Labour and Social Affairs, the auction was announced in a national newspaper with a view to giving it maximum publicity and to attract bidders. In 1998, however, most newspapers only existed in printed form. In the meantime, one would be hard-pressed to find a paper that does not have an online version. Many countries have legal provisions on the publication of certain announcements or judgments that entered into force before the Internet and Google became household names. In the meantime, the concept of publication itself has evolved. It now also includes online publication, making newspapers available on a wider scale and for a possibly indefinite period of time.
The newspaper that published the auction announcement, including the name of Costeja González, was made available online, as was its archive. It is this archive that is searchable by using Google. By typing his name into the search engine, Mario Costeja González discovered that the old announcement would come up. Since he had been negatively affected by these personal data still being available online, he filed a complaint against the newspaper and against Google with the Spanish data protection authority. Since the newspaper publication was legally justified by the Ministry of Labour and Social Affairs, the complaint was rejected. The complaint against Google and the request that Google remove the links to the published personal data was brought before a national judge, who sent a request for a preliminary ruling to the Court of Justice. The Court considered Google a data controller for the activity, which consisted in finding information published or placed on the Internet by third parties, indexing it automatically, storing it temporarily, and, ultimately, making it available to Internet users according to a particular order of preference. Secondly, the Court also considered the search engine responsible for removing the links making the personal data regarding Costeja González available on the Internet.
This case should not be misunderstood. The personal data identifying Mario Costeja González were not contested because they are not incorrect. What was contested is the current relevance of personal data in an announcement for a real-estate auction held in 1998. In accordance with the data protection standards of 1981, personal data should be relevant for the purpose they were processed for and should not be stored in a database longer than is necessary for that purpose. The Court of Justice confirmed this and thus far the Court’s ruling is acceptable. Nonetheless, holding Google responsible for the fact that the personal data and the announcement are still available today is focusing on the wrong target. What Google does is to make information that already exists searchable and to create an index of search results. The company did not create the data nor was it the source of the data. From a data protection point of view, making Google responsible for removing the links to these data is not the correct approach. Even after removal of the link, the information is still available on the website of the Spanish newspaper, and other search engines can be used to find it besides the newspaper’s own search function. The contested issue here is the fact that personal data identifying an individual are still publicly available two decades after it was legally necessary to publish them. The correct target therefore is the national Spanish law and its data retention provisions, not search engine Google. The Court of Justice was limited by the scope of the request for a preliminary ruling, but ruling that Google is responsible for removing the links in question is not a correct conclusion.
Also, making a private company with a commercial interest responsible for deciding on the relevance of certain personal data is a risky development. Search engines such as Google make their profits not by making personal data searchable and available but by connecting these searches to specific advertisements. Such companies do not have a mandate to decide which personal data should be made available, and they should not be given such a mandate as their interest is not protecting the rights of the data subject. This is a task for a data protection authority, not a private company.
Since the Court’s ruling was published, Google has reportedly received over 120,000 requests from individuals wishing to have links to – embarrassing – information on them removed.16 Media reports include examples of business competitors trying to abuse removals processes to reduce each other’s web presence or a medical doctor trying to hide negative patient reviews. Overwhelmed with these requests and confused on whether certain personal data are relevant or not, Google has even reinstated links to newspaper articles from the Guardian after the British newspaper protested their removal.17 This shows how difficult it is for a private company to be in the position of deciding on the relevance of (links to) personal data.
IV. Guidance for Legislators on Adapting their Provisions to Today’s Internet Society
A fairly new virtual reality calls for answers to new questions. Law and jurisprudence are traditionally slow mechanisms in reacting to new developments in reality. Nevertheless, an institution such as the Court of Justice is in the appropriate position to give the necessary guidance to Member States’ authorities as well as to the EU legislator to answer these questions. As the Court’s task is to interpret EU law, it could have offered more precise indications in the judgment on the Data Retention Directive on how to organize proportionate retention that has appropriate time limits or on how to develop objective criteria with regard to cloud computing and the data being stored on EU servers. The ruling on Google and the right to be forgotten could firstly have taken a better turn if the Court had followed the elaborate opinion of its Advocate General. Secondly, even though one cannot expect the Court to give guidelines to private companies on how to deal with the right to delete irrelevant data by means of a preliminary ruling, the Court could assist legislators in dealing with this new challenge. When the Charter of Fundamental Rights and Freedoms18 is indeed above national constitutional guarantees, the Court should also assist national authorities in implementing it as such.
For example Case 26/62, N.V. Algemene Transport- en Expeditie Onderneming van Gend & Loos v. Nederlandse Administratie der Belastingen, 5 February 1963 and Case 6/64, Flaminio Costa v. ENEL, 15 July 1964.
See J. Vogel, “Radu – Melloni – Åkerberg Fransson: »Staatsstreich« in Luxemburg?”, Strafverteidiger, 5/2013, 1.
See inter alia A. Tinsley, “Note on the Reference in Case C-399/11 Melloni”, NJECL 1/2012, 19-30; C. Heard and D. Mansell, “The European Arrest Warrant: The Role Of Judges When Human Rights Are At Risk”, NJECL 2/2011, 133-147 and G. Vermeulen and T. Vander Beken, “Uitlevering Basken aan Spanje: Juridische Bedenkingen bij een Politieke Zaak”, Rec. Cass. 1995, 221-230.
Arts. 82 and 83 TFEU. See also E. Herlin-Karnell, “The Lisbon Treaty. A Critical Analysis of Its Impact on EU Criminal Law”, eucrim 2/2010, 61-64.
Council, Proposal for a Regulation on the establishment of the European Public Prosecutor's Office (EPPO) - "Yellow card", 16624/13, 28 November 2013.
COM(2013) 815 final.
Idem.
Case C-399/11, Stefan Melloni v. Ministerio Fiscal, 26 February 2013.
Case C-617/10, Åklagaren v. Hans Åkerberg Fransson, 26 February 2013.
See for an elaborate overview: M. Borowsky, “Artikel 53 Schutzniveau”, in J. Meyer (ed.), Charta der Grundrechte der Europäischen Union, Nomos, 2014, 4th ed., 813-825.
Courts in Germany, Romania and Czech Republic declared the Directive unconstitutional.
Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others, 8 April 2014.
European Data Protection Supervisor, Opinion of 31 May 2011 on the Evaluation report from the Commission to the Council and the European Parliament on the Data Retention Directive (Directive 2006/24/EC), O.J. C 279/01, 23 September 2011, 1; E. De Busser, Data Protection in EU and US Criminal Cooperation, Maklu, 2009, 160-168; K. de Vries, R. Bellanova, P. De Hert and S. Gutwirth, “The German Constitutional Court Judgment on Data Retention: Proportionality Overrides Unlimited Surveillance, Doesn’t It?”, in S. Gutwirth, Y. Poullet, P. De Hert and R. Leenes (eds.), Privacy and data protection: an element of choice, Springer, 2011, 3-24.
L. Tung, “Four of Sweden's telcos stop storing customer data after EU retention directive overthrown”, Norse Code, 11 April 2014.
A. Hern, “British government 'breaking law' in forcing data retention by companies”, The Guardian, 24 June 2014.
S. Schechner and D. Roman, “Google Seeks Views in Europe on Right to be Forgotten”, Wall Street Journal, 9 September 2014 and S. Gibbs, “France requests most 'right to be forgotten' removals from Google”, The Guardian, 1 August 2014.
D. Lee, “Google reinstates 'forgotten' links after pressure”, BBC News, 4 July 2014.
For a full and thorough analysis of the EU Charter of Fundamental Rights and Freedoms, see J. Meyer (ed.), Charta der Grundrechte der Europäischen Union, Nomos, 2014, 4th ed.