Swedish court holds that Google can be only ordered to undertake limited delisting in right to be forgotten cases

A while ago the Swedish Data Protection Authority requested Google to delist a search query relating to an individual’s name and also that relevant search results would be delisted globally (ie for all country versions of its search engine) in respect to that individual.

The name of the individual had appeared in the context of a newspaper article where it was revealed that he had been reported to the police by several other individuals for committing fraud in relation to a property investment.

Google appealed the decision to the Stockholm Administrative Court, also seeking a review of the scale of the delisting order issued.

The Stockholm Administrative Court held this week that Google should de-index that specific search query for searches made from Sweden, and that the Swedish Data Protection Authority cannot request Google to de-index that result in respect of countries other than Sweden.

There were several issues discussed in the judgment. For the sake of this post, the discussion is limited to aspects relating to EU law, in particular the Google Spain judgment of the Court of Justice of the European Union (CJEU) and the Charter of Fundamental Rights of the European Union.

The applicability of the Data Protection Act in relation to search engines

The Stockholm Administrative Court started by clarifying the purpose behind the Personal Data Act, which is to protect people from having their personal integrity impaired by the processing of their own personal data. Personal data are defined as any information that can directly or indirectly be attributed to a physical person (Section 1 and 3). The Personal Data Act is based on Directive 95/46 (Data Protection Directive). 

In this regard, the Stockholm Administrative Court noted that the present case is similar to Google Spain, in which the CJEU specified that in the application of the Data Protection Directive one should consider the various interests at hand. In this respect, the rights of data subjects under Articles 7 and 8 of the Charter should be taken into account and balanced against freedom of expression/information and freedom to conduct a business.

Furthermore, the Stockholm Administrative Court took into account the Guidelines of the Article 29 Data Protection Working Party. The require consideration of whether:

- the data subject play a role in public life

- the data is relevant and not excessive, including whether the data relate to the working life of the data subject

- the data being is being made available for longer than is necessary for the purpose of the processing

- the indexing of the individual constitute an infringement of his/her personal integrity

The assessment of de-indexing should be based on how old the article in question was, how the article affected the claimant, if the article impacted on the claimant's professional or personal life and if the public, by having access to the information, would be protected by misconduct in professional practice.

According to the Stockholm court, the article at issue related to conditions that concern the claimant’s professional life and that the claimant in his professional capacity should be considered as a public person. Because the claimant is still active in the same field of work the broad public also has a clear interest in finding that information. At the same time, there has been a considerable amount of time between the reported crimes in the article (2006 – 2017). It is also clear that the claimant has not been convicted for any crimes since 2006.

Whether the injunction by the Swedish Data Protection Authority against Google not to show the article in question is compliant with the ban against censorship

Despite the fact that a ban may be contrary to the spreading of information – in light of Chapter 1, 3 § of the Swedish Fundamental Law on the Freedom of Expression – a ban to disclose information about a person’s name cannot always be contrary to a censorship ban.

The ban against censorship also has a wider scope than the wording of the exemption provided for in Article 9 of the Data Protection Directive. However, not all restrictions of a search engines indexing information on a newspaper's publication cannot be deemed to be incompatible with the censorship ban. In the Google Spain case, the CJEU weighed the protection of privacy and the freedom of speech against each other and it established that, in principle, the protection of privacy does not only weigh heavier than the search engine provider’s interests but also the wider public interest in accessing such information. However, the CJEU stated that the protection of privacy may end if there are special reasons. Hence, even if a prohibition affects the dissemination of information protected by the Swedish Fundamental Law on the Freedom of Expression, a ban on displaying searches on an individual’s name cannot always be regarded as incompatible with a censorship ban.

Scope of delisting

The requirement to de-index global searches – as per the order of the Data Protection Authority – would mean that the national legislation of all other Member States would be applicable, provided that there is a place of establishment in the Member State. It would also mean that the Data Protection Directive would be extended to affect the processing of personal data for searches from countries that have not given the EU any competence. 

According to the Stockholm Administrative Court (and this is probably the most interesting aspect of the judgment) Article 4(1) of the Data Protection Directive – together with the decision in Google Spain – does not support such a possibility. Considerations relating to legal certainty require that the application of the Data Protection Directive and national provisions are clear and foreseeable and that the person or company responsible for processing such data can predict whether it can be subject to an intervention. An application that implies that all Member States' national legislation – taken together – can be applicable in one simple search through Google’s search engine - does not meet the requirements of clarity and predictability. Therefore the Stockholm Administrative Court found that the injunction should be disapplied in this aspect.

A couple of points about the judgment

This decision is interesting, especially because – pending the CJEU reference regarding the scope of delisting - it is an additional piece to the puzzle that the CJEU arguably left incomplete - or at least ambiguous - in Google Spain.

The issue of the scope of de-indexing is not limited to the EU or data protection/right to be forgotten cases. One could for instance recall that recent decision in Google v Equustek Solution Inc, 2017 SCC 34 [see here], in which the Canadian Supreme Court held that Google can be ordered to de-index results from its search engine globally, ie in respect of all country versions of its search engine.

Will these decisions prompt a change in the way in which search engines delist content from search results? If so: how far would all this go? That remains to be seen.