In 1998, a Spanish newspaper disclosed certain personal data about Mr Mario Costeja González in two of its printed editions. Both of these editions were republished at a later date in the online version of the newspaper.

Mr González contacted Google Spain to request that the search results that were listed when his name and surnames were entered into the search engine should not show links to the online newspaper. The newspaper had already rejected Mr González's request that it should remove or conceal the published data.

Mr González lodged a complaint with the Spanish data protection authority, the Agencia Española de Protección de Datos (AEPD), requesting that, under Spanish data protection law (which implements the Data Protection Directive (1995/46/EC) (the Directive)), the newspaper be made to remove his data. He also argued that Google Spain and Google Inc should be required to remove or conceal his data so that they no longer displayed in the Google search results.

The AEPD rejected the complaint against the newspaper on the grounds that publication of the data in the press was legally justified, but upheld the complaint against Google.

Google emphasised that its role is simply as an intermediary that provides the functionality for the relevant information published online by others (for example, newspapers) to be found by internet users. It was therefore not legally required by Spanish data protection law to block or prevent the disclosure of that information.

After the AEPD had undertaken various enforcement actions to try to prevent Google from displaying the personal data in search results, the court battle escalated all the way to the ECJ.

The specific questions referred by the Spanish court to the ECJ fell into three categories:

The AG considered the three categories of questions in turn:

Does EU law apply to Google? The AG found that it does apply if the search engine provider has an establishment in an EU member state for the purpose of promoting and selling advertising space on the search engine, as that establishment acts as the bridge between the search service and the revenue generated by advertising.

This seems a rather artificial interpretation, as the fact that a global search engine provider may have different legal entities across the EU should not necessarily bring the data processing operations of that search engine provider within the scope of application of every single member state.

A more logical interpretation would be that, for EU law to apply, an EU-based entity would have to be involved in the actual processing of personal data.

Unfortunately, the AG did not deal with the question of whether Google Inc uses equipment in Spain, so at this point it is not clear whether an internet company with no physical presence in the EU will be caught by EU law.

Does Google process personal data? The AG confirmed that it does, because the notions of "personal data" and "processing" in the Directive are sufficiently wide to cover the activities involved in retrieving the information sought by users (see box "The Directive").

Is Google a controller of that data? Crucially, the AG's answer to this question was no. The AG opined that a search engine is not aware of the existence of a certain defined category of information that amounts to personal data. Therefore, Google is not in a position to determine the uses made of that data.

The key point here is that Google does not identify search results data as being personal data at all. It simply treats the data as digital information that matches the search criteria. No search engine can know whether the search criteria and search results include personal data unless they look at the substance of the data, which they do not do.

So the AG concluded that a data protection authority cannot compel Google to stop revealing personal data as part of its search results.

In addition, the AG went on to say that even if the ECJ were to find that internet search engine service providers were responsible as controllers for personal data appearing in search results, an individual would still not have a general "right to be forgotten", as this is not currently contemplated by the Directive. The right to be forgotten addresses a perceived need for individuals to have greater control over their data on the internet, including the ability to remove information that they no longer wish to be publicly available.

While the final decision is still a few months away, the influential opinion of the AG is a clear indication of where things are heading. The ultimate question is whether Google, in its capacity as a search engine provider, is legally required to honour an individual's request to block personal data from appearing in search results. The answer, in the AG's opinion, would appear to be no.