Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González.

• Jurisdiction: European Union
• Court: Court of Justice (European Union)
• Writing for the Court: Ilešič
• ECLI: ECLI:EU:C:2014:317
• Date: 13 May 2014
• Docket Number: C‑131/12
• Procedure Type: Reference for a preliminary ruling

JUDGMENT OF THE COURT (Grand Chamber)

13 May 2014 ( *1 )

‛Personal data — Protection of individuals with regard to the processing of such data — Directive 95/46/EC — Articles 2, 4, 12 and 14 — Material and territorial scope — Internet search engines — Processing of data contained on websites — Searching for, indexing and storage of such data — Responsibility of the operator of the search engine — Establishment on the territory of a Member State — Extent of that operator’s obligations and of the data subject’s rights — Charter of Fundamental Rights of the European Union — Articles 7 and 8’

In Case C‑131/12,

REQUEST for a preliminary ruling under Article 267 TFEU from the Audiencia Nacional (Spain), made by decision of 27 February 2012, received at the Court on 9 March 2012, in the proceedings

Google Spain SL,

Google Inc.

v

Agencia Española de Protección de Datos (AEPD),

Mario Costeja González,

THE COURT (Grand Chamber),

composed of V. Skouris, President, K. Lenaerts, Vice-President, M. Ilešič (Rapporteur), L. Bay Larsen, T. von Danwitz, M. Safjan, Presidents of Chambers, J. Malenovský, E. Levits, A. Ó Caoimh, A. Arabadjiev, M. Berger, A. Prechal and E. Jarašiūnas Judges,

Advocate General: N. Jääskinen,

Registrar: M. Ferreira, Principal Administrator,

having regard to the written procedure and further to the hearing on 26 February 2013,

after considering the observations submitted on behalf of:

— Google Spain SL and Google Inc., by F. González Díaz, J. Baño Fos and B. Holles, abogados,

— Mr Costeja González, by J. Muñoz Rodríguez, abogado,

— the Spanish Government, by A. Rubio González, acting as Agent,

— the Greek Government, by E.-M. Mamouna and K. Boskovits, acting as Agents,

— the Italian Government, by G. Palmieri, acting as Agent, and P. Gentili, avvocato dello Stato,

— the Austrian Government, by G. Kunnert and C. Pesendorfer, acting as Agents,

— the Polish Government, by B. Majczyna and M. Szpunar, acting as Agents,

— the European Commission, by I. Martínez del Peral and B. Martenczuk, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 25 June 2013,

gives the following

Judgment

1 This request for a preliminary ruling concerns the interpretation of Article 2(b) and (d), Article 4(1)(a) and (c), Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31) and of Article 8 of the Charter of Fundamental Rights of the European Union (‘the Charter’).

2 The request has been made in proceedings between, on the one hand, Google Spain SL (‘Google Spain’) and Google Inc. and, on the other, the Agencia Española de Protección de Datos (Spanish Data Protection Agency; ‘the AEPD’) and Mr Costeja González concerning a decision by the AEPD upholding the complaint lodged by Mr Costeja González against those two companies and ordering Google Inc. to adopt the measures necessary to withdraw personal data relating to Mr Costeja González from its index and to prevent access to the data in the future.

Legal context

European Union law

3 Directive 95/46 which, according to Article 1, has the object of protecting the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data, and of removing obstacles to the free flow of such data, states in recitals 2, 10, 18 to 20 and 25 in its preamble: ‘(2) … data-processing systems are designed to serve man; … they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to … the well-being of individuals; ... (10) … the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognised both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms [, signed in Rome on 4 November 1950,] and in the general principles of Community law; … for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community; ... (18) … in order to ensure that individuals are not deprived of the protection to which they are entitled under this Directive, any processing of personal data in the Community must be carried out in accordance with the law of one of the Member States; … in this connection, processing carried out under the responsibility of a controller who is established in a Member State should be governed by the law of that State; (19) … establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements; … the legal form of such an establishment, whether simply [a] branch or a subsidiary with a legal personality, is not the determining factor in this respect; … when a single controller is established on the territory of several Member States, particularly by means of subsidiaries, he must ensure, in order to avoid any circumvention of national rules, that each of the establishments fulfils the obligations imposed by the national law applicable to its activities; (20) … the fact that the processing of data is carried out by a person established in a third country must not stand in the way of the protection of individuals provided for in this Directive; … in these cases, the processing should be governed by the law of the Member State in which the means used are located, and there should be guarantees to ensure that the rights and obligations provided for in this Directive are respected in practice; ... (25) … the principles of protection must be reflected, on the one hand, in the obligations imposed on persons … responsible for processing, in particular regarding data quality, technical security, notification to the supervisory authority, and the circumstances under which processing can be carried out, and, on the other hand, in the right conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances’.

4 Article 2 of Directive 95/46 states that ‘[f]or the purposes of this Directive: (a) “personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; (b) “processing of personal data” (“processing”) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction; ... (d) “controller” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law; ...’

5 Article 3 of Directive 95/46, entitled ‘Scope’, states in paragraph 1: ‘This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.’

6 Article 4 of Directive 95/46, entitled ‘National law applicable’, provides: ‘1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where: (a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable; (b) the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law; (c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community. 2. In the circumstances referred to in paragraph 1(c), the controller must designate a representative established in the territory of that Member State, without prejudice to legal actions which could be initiated against the controller...