DOI: https://doi.org/10.18601/16571959.n26.06

THE ROLE OF SEARCH ENGINES IN COLOMBIA AFTER THE MUEBLES CAQUETÁ VS. GOOGLE INC DECISION

EL PAPEL QUE DESEMPEÑAN LOS MOTORES DE BÚSQUEDA EN COLOMBIA DESPUÉS DE LA DECISIÓN DE MUEBLES CAQUETÁ VS. GOOGLE INC.

Sarah Osma Peralta^*

^* Sarah Osma Peralta, holds a law degree from Universidad Externado de Colombia, Bogotá (2013), Colombia; and a Master of Laws (LLM) in Law and Technology from Tilburg University, The Netherlands (2015). Currently Miss Osma is a lecturer of Internet Liabilities and Data Protection at Universidad Externado de Colombia and works as a consultant on issues related to intellectual property. email: sarah.osma.peralta@gmail.com. Sarah Osma Peralta es abogada de la Universidad Externado de Colombia y un máster en Derecho y Tecnología de la Universidad de Tilburg, Países Bajos. Actualmente, es docente de pregrado de la clase de Industrias Creativas y de posgrado de Responsabilidades por el Uso del Internet y Protección de Datos en la Universidad Externado de Colombia, Colombia, y se desempeña como consultora en temas relacionados con la propiedad intelectual. Bogotá D. C. (Colombia). Correo electrónico: sarah.osma.peralta@gmail.com.

Fecha de recepción: 16 de octubre del 2018. Fecha de aceptación: 23 de octubre del 2018.

Para citar el artículo: Osma Peralta S. "The role search engines in Colombia after the Muebles Caquetá vs. Google Inc. decision", Revista La Propiedad Inmaterial n.° 26, Universidad Externado de Colombia, julio-diciembre 2018, pp. 143-169.

ABSTRACT

Considering the relevance of personal data protection, this research will focus on the identification of the criteria used by Colombian Courts regarding the rights to access, modification and erasure personal data within the context of information made available through search engines. This framework will expose the different cases ruled by both, the Colombian Constitutional court and the Colombian Supreme Court, as it attempts to highlight which was the criteria used to rule that search engines are mere intermediaries between the content makers and data subjects. Finally, this study attempts to contribute not only to the data protection legal literature in Colombia, but also, to improve the possibilities to effectively implement user's rights of online search engines in Colombia.

Keywords: search engines, personal data, data protection, regulation, fundamental rights, right to be forgotten.

RESUMEN

Teniendo en cuenta la importancia de la protección de datos personales, esta investigación se centrará en la identificación de los criterios utilizados por los tribunales colombianos respecto a los derechos de acceso, modificación y supresión de datos personales en el contexto de la información disponible al público a través de los motores de búsqueda.

Este marco de referencia expondrá los diferentes casos puestos en conocimiento de la Corte Constitucional de Colombia y de la Corte Suprema de Justicia de Colombia, en tanto que intenta resaltar cuál fue el criterio utilizado por estas para determinar que los motores de búsqueda son simples intermediarios entre los creadores de contenido y los titulares de datos personales.

Finalmente, este estudio intenta contribuir no solo a la literatura legal de protección de datos en Colombia, sino también a mejorar las posibilidades de implementar efectivamente los derechos de los usuarios de los motores de búsqueda en línea en Colombia.

Palabras clave: motores de búsqueda, datos personales, regulación, derechos fundamentales, derecho al olvido.

"We use our past experiences in our decision-making, hoping
that what we remembered from the past makes up for the lack of
information about the present and the future"¹
Viktor Mayer-Schönberger

BACKGROUND

Nowadays, due to the abundance of digital data storage and accessible online information, we face a situation that can be described as "forgetting by choice" and moved to "remembering by default"²; where remembering has become the norm, while forgetting is the exception.

With this new scenario, the distinction between the concept of the right to erasure and the right to be forgotten must be clear: The right to erasure is related to the control that data subjects have over their personal data and can be enforced through rights such as the right to access and to delete³, while the right to be forgotten, is related to past convictions and the possibility to have a new start⁴.

The concept of the so-called 'right to be forgotten' has its origin in the notion of a "right to oblivion", in French the "droit à l'oubli"⁵, in Italian the "'diritto al' oblio"⁶, understood as 'the right to silence on past events in life that are no longer occurring'. In this case a man was granted pardon and the court ruled that the disclosure of information related to previous convictions of the subject was not justified by any actual public interest⁷. In Spain, this right is known as "derecho al olvido" and has been described as a "right to make mistakes and start again"⁸.

Part of the problem with the definition of the right to be forgotten has been the misunderstanding of the scope of application of the Italian and French legal systems explained above, which related to the rights of criminals, the aim was to allow the criminals with spent convictions to leave those convictions in the past and not taken into account by potential employers⁹.

The right under discussion now is more about the right of every data subject to delete the information that they consider irrelevant about themselves¹⁰ which has come to the forefront due to all types of data becoming available due to existence and popularity of search engines, such as consumer credit scoring and criminal records, even when said information was originally stored in specific data bases and meant to be consulted for specific purposes and by specific institutions only.

As was set out by Koops, the right to be forgotten can be invoked by the data subjects against those individuals that process data about their past, once the unwanted information is made public. Therefore, the deletion of outdated and irrelevant data is crucial since "people must be able to shape their own lives, and therefore should not be fixed in the perception of others by their past"¹¹. Individuals must have certainty that data controllers will delete their data after it served its purpose.

Given the recent implementation of the General Data Protection Regulation, (hereinafter: GDPR) which includes in its territorial scope processors and controllers from Colombia, as provided by Art 3¹² and the decision by the Colombian constitutional Court to declare null ruling T-063A/17¹³, it is compulsory to address the key elements of this regulation in order to stablish the responsibilities of search engines regarding personal information and the right to erasure personal data.

In order to clarify the landscape of the responsibilities for search engines, we will explain what those are and what is their role in relation to the rights of access, modification and erasure of personal data, since online search engine operators play a crucial role in the dissemination of information, which implies a series of obligations in the field of data protection that have to be met in order to process personal data.

This Article will focus on the role of search engines according to the Colombian Constitutional Court after the Muebles Caquetá vs. Google Inc. decision that will be explained in depth in the following paragraphs.

SEARCH ENGINES

Attempting to understand the legal implications of the operations carried out by search engines, therefore, the following paragraphs have the objective of explaining in a basic level what a search engine is and what are the methods they use to collect, organize and make available information.

WHAT IS AN ONLINE SEARCH ENGINE? AND HOW DO THEY WORK?

The early 1990's marked the beginning of a mechanism that we use now on a daily basis called search engines, which emerged as tools for indexing files that were available on the web and made part of databases. These devices operated with a method of storing and retrieving files online¹⁴. In 1995 appeared the first full text crawler-based search engine, the WebCrawler, that used algorithms based only on keywords and text to classify websites and select them with the criteria of context and relevance¹⁵. Other search engines were developed and introduced in the market before Google, which arrived in 2001 and has maintained as the indisputable leader in the search engine sector with a worldwide market share of 89.8% and 86.3% in Europe¹⁶.

As stated by Sergey Brin and Lawrence Page, creators of Google the difference between them and the other competitors was that their Navigator had more precision in terms of the number of relevant documents and commercial services¹⁷. Another element that contributed to Google's success was in the introduction of PageRanks, a feature that facilitates the USe of link structures for filtering data using an algorithm that "can compute up to 26 million web pages in few hours on a medium size workstation"¹⁸.

CRAWLING, INDEXING & QUERY

Crawling is the process of navigation over the millions of results available on the web made by the search engine with the USe of a crawler or robot that determines which sites should indexed after it reads and analyses the content¹⁹. The process starts with a selection of URLS that is under constant improvement, once the crawler detects new related URLS it adds them to previous ones and that way refines the information contained in the index²⁰.

Once the crawling processes is completed, the robots compile in an index all the information and their IP's including tags to identify the information, this step allows the search engine to make quick examinations after the USer introduced his query. After the search engine receives the query a series of programs search for results based on algorithms that weigh unknown factors to finally select the most relevant pages that will appear displayed in a final ranking of results²¹.

To sum up, an online search engine is a program that allows internet users to search information on the web by following links; those links are determined by an algorithm²². Algorithms are programs that decide the pages that are going to be selected as part of the search engine's index because of their relevance and quality to finally be displayed as results²³.

COLOMBIAN DATA PROTECTION REGULATION

The fundamental rights to intimacy, reputation and data protection were stabilized in Art. 15 of the Colombian Constitution. As well, as Law 1266 of 2008 that regulates the collection, use and transfer of personal information regarding unfulfilled credit obligations and banking services.

Subsequently, Law 1581 of 2012 is the general personal data protection regulation, it implements the constitutional right to access, rectify and update personal information contained in databases, based on Art. 15 of the Constitution as described above. The scope of implementation of this Law are: Public and private databases; any personal data processing that takes place in Colombia and every data processing activities carried out by individuals outside of Colombia on territories under Colombian jurisdiction according to international standards and treaties. This Law clarified concepts regarding personal data, it also qualified the consent that must be given to data processors by data subjects in order to collect personal data and carry out the data processing.

A secondary regulation was Decree 1377 of 2013 which regulates: Authorization that must give data subjects for personal data treatment; the treatment of sensitive personal data; policies required for data processing; the conditions in which data subjects can exercise their rights to access, rectify and update personal information; cross border transfer and transmissions of personal data and the implementation of the accountability principle.

SEARCH ENGINES IN COLOMBIA: LEGAL REVIEW

The following paragraphs will address the case law about search engines in Colombia and offer a comment aiming to raise awareness regarding the incidence of the activities carried out by search engines in the life of data subjects; it also aims to contribute to personal data awareness especially from the USer's perspective.

In the ruling T- 040 of 2013, the plaintiff requested the removal of the article titled "Los hombres de la mafia en los llanos" where he was mentioned as the presumed author of punishable conducts. The plaintiff requested the deletion because the publication infringed his fundamental rights to a good name, to honor, to a due process and his presumption of innocence.

The company Google Inc. participated in the procedure because its search engine was the tool that made the article available to the public; once users entered the name of the applicant in the search engine, the results led them to the article entitled "Los hombres de la mafia en los llanos". However, the Court disassociated Google from the case and concluded that Google is a mere indexer of information. For the Court Google Colombia ltd. is not responsible for the content in the article "Los hombres de la mafia en los llanos", because Google only provides an information search service, therefore it cannot be considered liable for the veracity of the contents listed as results after a search.

On a different case from 2015, the plaintiff requested to a newspaper the erasure of all the entries available on Google.com that mentioned her as the presumed author of punishable conducts related to human trafficking, arguing that those criminal proceedings had been fully resolved which was confirmed by a non-guilty sentence. The newspaper denied the request to erasure the article from the search engine Google.com and affirmed that the newspaper does not have any control over the online search engine.

Google Colombia Ltd. alleged that it should not be a part of the case since the company is not a branch of Google Inc. and stated that in case there was a conviction against Google Inc.; Google Colombia Ltd. would not be able to fulfill it since it does not have control over the shares of the parent company. The company also explained that its activities are related to the indexation of articles available on the Internet, in that light, in this case the only responsible for the content of the publication was the newspaper.

The Court noted the suggestion made by Google Colombia Ltd. about the possibility the newspaper had to use tools such as "robots.txt" and "metatags" to avoid the listing of certain results on Google's search engine, even when the content was indexed and available. In the end, the Court ruled that aiming the protection of the plaintiff's fundamental rights, the newspaper had to limit the access to the article attached to her name titled "Empresa de trata de blancas". The Court also stated that although this remedy limits the newspaper freedom of expression, this measure was less taxing for them that requesting the erasure of the content from the Internet.

From the considerations made by the Court, it is concluded that the constitutional solutions in these rulings refer to search engines in the following terms:

1. Google as a search engine is a mere intermediary, therefore it cannot be held responsible for the information listed in the results.
2. The considerations to delist information is based on the protection of the net neutrality principle, in consequence the delisting is restricted and reserved to exceptional situations, the Court opts for other means to protect the plaintiffs fundamental rights.
3. The remedies entail obligations for the media outlets that created the infringing content.

The foregoing study, leads to the conclusion that there is a lack of involvement on behalf of the search engines in the attention to users rights and requests. Given the responses provided by the company in all the cases, it is clear their desire to be considered a mere intermediaries, we can also conclude that delisting policies or guidelines are required so that search engines can acknowledge and manage the USers' inquiries. This absence of procedures make evident, as will be addressed in the next part of the study, that search engines must be seen as data processors and data controllers in order to have obligations regarding users rights to access, erasure and modification of their personal data.

MUEBLES CAQUETÁ VS. GOOGLE INC. DECISION

1. FACTS

Google Inc. is a multinational corporation that provides a wide variety of services and operates all over the world. The company was founded in 1998 and has its headquarters in the United States²⁴. One of the businesses of Google is the service of Google Search. The major operations for Google Search are crawling, indexing and storing of information that is available online²⁵.

Mr. John William Fierro Caicedo is the owner of "Muebles Caquetá" a furniture store, with headquarters in the city of Ibagué and branches in the municipalities of Florencia and San Vicente del Caguán.

Mr. Fierro filed a tutela, a public action to protect fundamental rights, against Google Inc., and Google Colombia Ltda, seeking the protection of his fundamental rights to privacy, good name and honor, which he considered were violated as a result of an anonymous publication on an internet blog hosted in the platform www.blogger.com, owned by the company Google Inc. The blog post stated that the company "Muebles Caquetá" and its owner were unlawful to their customers.

The claim was based on the following:

On January 30, 2014, a user of the online platform "Blogger.com" owned by the company Google Inc. anonymously published a blog under the title "Do not buy at furniture Caquetá! Scammers!" followed by the URL http://muebles-caqueta.blogspot.com.co.

According to the plaintiff's libel, the blog contained the following statements about his company, which he considered false:

As it says in the image, Muebles Caquetá, which is run by the swindler William Fierro, swindles people through several means. They ask the full payment in advance and after you hand it over they disappear with your money

Please share this message to prevent more people from being scammed. If you were the victim of the scammer William Fierro and his company Muebles Caquetá, report them in the links bellow and in the comments of this blog.

The Muebles Caquetá vs. Google Inc. case started with several complaints lodged by William Fierro to Google's servers, as the proprietary company of Blogger.com. The complaint was based on the affirmation made by Mr. William Fierro stating that the content of this blog affected him, his family and his business in a financial and a moral level. In addition to this detriment Mr. Fierro draws attention to the fact the blog post was anonymous and how this makes impossible for him to identify the author or the origin of the blog, making impossible for him to reach out to this person and request him/her to remove the false allegations in the post about him and his company.

The requests made by Mr. Fierro were denied by Google Inc. because according to Google's policies the content was not inappropriate nor was unlawful and informed him that the only way Google would remove the blog from their service was through a judicial order demanding the removal.

As a result, Mr. Fierro requests to the constitutional judge to protect his fundamental rights to privacy, the good name and honor, and requests that Google Inc. or its representatives in Colombia must remove the blog with the content about him and his company from the internet.

The Court acknowledged the cause and notified Google Inc. and the Ministry of Information Technology and Communications about the claim, Google Inc. replied the claim and clarified that Google Inc. and Google Colombia Ltd. have separate legal personality, each one with a different seats and separate economic activities. Google Colombia Ltd. affirms that they do not have control over the products commercialized by Google Inc. like www.blogger.com, furthermore the legal representative stated that Google Colombia Ltd. is in charge exclusively of the sale, distribution, marketing and development of products and services of hardware, related to Internet and advertising space generated on the website www.google.com. Therefore, there is no legal legitimacy for them to be considered part of the case.

On August 2016, the constitutional judge denied Mr. Fierro's claims because neither Google Inc, nor Google Colombia Ltd. were responsible for the infringement of Mr. Fierro's fundamental rights to privacy, good name and honor since the companies are not responsible of rectifying, correcting, eliminating o completing the information uploaded by the platform users. In summary for the Constitutional judge, the companies are not directly responsible for the information or the contents shared by the USers of www.blogger.com.

This is the context in which as part of the judicial review, the Constitutional Court answered the following question:

Does the company Google Inc. violate the plaintiff's fundamental rights to privacy, good name and honor when it refuses to remove from the Internet an anonymous blog which storages content claiming a fraud carried out by the plaintiff, arguing that this fact does not violate its content policy?

The Court confirmed that when an internet user entered the words "muebles Caquetá" on Google's search engine, the search results consisted of links to the blogger entry under the title "Do not buy at furniture Caquetá! Scammers!". The Court also emphasized that publishing information through Internet tools and online platforms such as blogs, can not only have a high impact, but also transcend the private sphere of the individual and put him in a defenseless position, even more if whoever created the defamatory, slanderous or degrading content did it anonymously.

The Court noted that although Google Inc. is not responsible for the publication, the company does own "Blogger.com", the online platform where the defamatory content against the plaintiff and his company was published. The Court commented on the power held by Google Inc. over Blogger.com, which goes to the extent of eliminating blogs, when the company considers there is a violation of their content policy.

The Court concluded that the defamatory, disproportionate and slanderous statements made on the aforementioned blog, affected the applicant's dignity and honor as a person and his fundamental rights to privacy, good name and honor.

The Colombian Constitutional Court rejected Google's claims, and clarified that search engines cannot be seen as mere intermediaries between data subjects and publishers in this context. From now on search engines must assume their role as proprietaries of an online platform that refused to remove from the internet an anonymous blog containing slander statements about the plaintiff, harming his constitutional right to presumption of innocence.

As to the territorial element of the case, the Court noted that Google Colombia Ltd. had a different legal personality than Google Inc., but as a subsidiary of Google Inc. on Colombian territory, it was an "establishment" of the company, according to the certificate of existence and legal representation of Google Colombia Ltda. Therefore, the company must comply with the Colombian regulation regarding consumer's rights.

2. CORE OF THE DECISION

The Court ruled that Google Colombia Ltd. must carry out all the necessary activities to make sure that Google Inc. withdraws the content identified in the plaintiff's claims and ruled that Google Colombia Ltd. must send a report about said activities to the Constitutional Court within the month after the notification of this ruling.

The Constitutional Court concluded that Google Inc. as the owner of the online platform www.blogger.com must delete the online address http://muebles-caqueta. blogspot.com.co within a month after the ruling notification, since the content of the blog entry anonymously attributes the plaintiff with the commission of fraud and other expressions that considered slander against him and his company.

Additionally, the Court states that if a new anonymous blog with the same characteristics, against the same person and in the same or similar slanderous and dishonorable terms is created on the "Blogger.com" platform, Google Inc. must proceed as instructed in the judgement.

Finally, the Court encouraged the Ministry of Information Technology and Communications to create a national regulation aiming to protect internet users rights from abusive, defamatory, dishonorable, slanderous and insulting publications, in the same vein, ordered that said regulation must provide counselling to the victims of this type of abusive publications before the online platforms where those were published.

3. APPEAL BEFORE DE COLOMBIAN SUPREME COURT

Google Inc., Google Colombia Ltd. and the Ministry of Information Technology and Communications appealed the Constitutional Court decision that upheld Mr. Fierro's claim against Google Inc. and Google Colombia Ltd. The Ministry argued that the instructions given by the ruling ignored the competence norms that rule the Ministry because it does not have the faculty to issue new regulation regarding internet consumer's rights.

As to Google Inc. and Google Colombia Ltd. both companies requested the previous ruling to be declared null, arguing that there were several procedural defects that violated the principle of due process and stated that this ruling made a sudden change in the Court's case law on the subject. The companies also argued that the ruling contained inconsistencies between the arguments made by the Court and the decision, as well as the wrong implementation of networks and telecommunications regulation to internet companies such as Google Inc. and Google Colombia Ltd. On the subject of the remedies, the companies argued that the actions imposed by the Court are unjustified and disproportionate remedies that show the arbitrary circumvention of analysis made by the Court of matters with constitutional relevance.

On may 2018, the Supreme Court declared the omission of study of matters with constitutional relevance in the present case, declared the nullity of the sentence by the Constitutional Court and ordered that it shall be replaced with a sentence issued by the Full Court.

With the ruling T- 063A de 2017, the Constitutional Court had the opportunity to decide whether search engines can be liable for the information, they make available on the Internet and to strike a balance between the interest of the search engine and the right to privacy granted by Constitution to every individual.

As we await for the new ruling, we will continue this study with a brief description of the European legal framework to enforce the right to erasure personal data, followed by the analysis of the landmark case Google inc. vs. Aepd and complete the study with recommendations and notes for the new decision.

EUROPEAN LEGAL FRAMEWORK

As mentioned in the introduction, this article will study the position of the European Regulation regarding the right to erasure, since data controllers and data processors in Colombia must observe this regulation before processing personal data of European citizens and users located in Europe.

Within this regulation, we note that the principle of territoriality has an adaptable quality to a technological context that is constantly changing. As Moerel pointed out this principle now has a "more or less virtual nature" ²⁶ in the sense that it allows the application of EU regulation to conduct that take place abroad through a virtual connection with activities in the EU member states, similar to the principle of "territorial extension" in International Law²⁷.

In this part of the analysis, we will review the right to erasure personal data; it will include the following areas:

- The right to erasure and data protection as a human right under the Charter of Fundamental Rights of the European Union and the European Convention of Human Rights.

- The right to erasure under the General Data Protection Regulation.

THE LEGAL PROVISIONS OF THE RIGHT TO ERASURE

Articles 7 and 8²⁸ of the Charter of Fundamental Rights of the EU grant individuals the right to request from the data controllers the removal of information from the search results listed on search engines, as they set the requirement of consent in order to carry out the data processing and provide data subjects. Art 8 paragraph 2 grants any person the right to object the data controller's data processing relating to him/her at any time, on compeling and legitimate grounds relating to his/ her personal situation.

GENERAL DATA PROTECTION REGULATION

A systematic interpretation of the legal provisions is required, especially when assessing if the right to access, rectification and erasure as described in Article 15²⁹, 16 and 17 of the GDPR, can also be enforced against search engines.

In 2012, the European Commission aiming to replace the previous dpd launched the proposal for a new Data Protection Directive³⁰. This section will examine how this regulation that came into force in 2018 will deal with the right to erasure after the adoption of the GDPR. With the proposal, the European Commission did not create a new right to erasure personal data but strengthen the existing provisions by acknowledging the right and providing users with tools to enforce it.

As stated by Sartor³¹ the GDPR makes clear the scope of the right to erasure in Article 17.As noted above, the first ground to request the deletion is the lack of purpose related to the principle of specification of purposes contained in Article 5.1 (b) of the GDPR stating that the data must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes"³².

The second scenario allows the USer to request the erasure of data when the individual withdraws its consent, this requirements enforces and makes more effective the consent mechanisms already existent in the EU legislation. In the drafting of this article can be noted the echo of the opinions expressed by scholars as Mayer-Schönberger regarding the setting of an expiration date on a previously given consent³³.

The Council of Ministers of the European Union made an interpretation of the provision regarding the subject of consent, which provoked the removal from the provision of the requirement for "explicit consent" in order to carry out the processing of ordinary personal data, nevertheless, the requirement for "explicit consent" remains in relation to the processing of sensitive personal data.³⁴

The existence of two different levels of consent, "explicit consent" and let's call it "regular consent", disregards the recommendation made by the WP 29 requiring that there should be only one definition of consent, informed, given for an specific purpose, freely and explicitly³⁵.

The third condition deals with the processing to which the data subject "validly objects". This objection relates to the situations addressed in Article 19 of the regulation, meaning those situations in which the individual objects on the basis of the processing of personal data concerning him or her and the data controller "does not demonstrate compelling grounds for the processing which override the interests or fundamental rights and freedoms of the data subject"³⁶.

Finally, the last legal basis to ask the deletion are that the processing violates the Data Protection Directive because the data was unlawfully processed, as well as the scenario in which the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

The second paragraph of Art 17 of the GDPR describes all the obligations that must be met by the data controller, including the technical measures that must be taken into account for the publication, such as "take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data"³⁷.

As noted byAusloos, Graux, and Valcke, paragraph 3 of the same Article, provides exceptions to the erasure³⁸, those exceptions are: (a) to protect the right of freedom of expression and information (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (c) for reasons of public interest in the area of public health (d) for historical, statistical andscientific research purposes; (e) for the establishment, exercise or defence of legal claims³⁹.

Art 18 of the GDPR, contains the right to restrict the processing of their personal data and states that data subjects shall have the right to obtain it from the controller when: (a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; (d) the data subject has objected to processing⁴⁰.

To sum up within the wording of the EU GDPR the data controllers must facilitate the exercise of the right to erasure personal data. The rationale behind this obligation is to provide data subjects with procedures in accordance with the principles that guide the data processing and give data subjects' mechanisms to control their personal data.

THE GOOGLE INC. VS. AEPD DECISION

As to whether search engines such as Google can be considered data processors and data controllers, as stated in the Google Inc. vs. Aepd decision, also known as the Costeja case, search engines should be considered data processors since their activities must be classified as "processing". In that sense, Google Inc. does qualify as 'processing of personal data' when the company automatically retrieves, records, indexes and stores information that contains personal data, as noted in Lindqvist⁴¹.

Google Search does not merely give access to content hosted on the indexed websites, but takes advantage of that activity and includes, in return for payment, advertising associated with the internet users' search terms, for undertakings which wish to use that tool in order to offer their goods or services to the internet users⁴². The Google group has recourse to its subsidiary Google Spain for promoting the sale of advertising space generated on the website www.google.com.

The Google Inc. vs. AEPD case started on March 5 of 2010 with a complaint lodged to the Data Protection Authority in Spain (Spanish DPA) by a Spanish national, Mario Costeja Gonzalez against Google Inc., Google Spain and the Spanish newspaper La Vanguardia.

The complaint was based on the fact that when an internet user entered Mr. Costeja's name in the search engine of Google, the search result consisted of links to articles on the website of the newspaper La Vanguardia, published in 1998 announcing real estate auctions aiming to recover Mr. Costeja's social security debt⁴³.

Mr. Costeja González requested La Vanguardia to remove or alter the pages containing his personal data arguing that those proceedings had been "fully resolved for a number of years" and the information was "now entirely irrelevant," and also requested Google to remove the links to the articles from the results provided by Google's search when users entered a search query using his full name⁴⁴.

On 30 of July 2010, the AEPD rejected Mr. Costeja's complaint against La Vanguardia, concluding that the publication made by the newspaper was and remained lawful, but upheld Mr. Costeja's claim against Google Inc. and Google Spain. The AEPD noted that both entities are subject to Spanish Data Protection Law since they carry out data processing⁴⁵.

In the Costeja case, the CJEU confirmed that Google is as a "data controller" with respect to the personal data from data subjects because the company determines the purposes and means of the processing of the data that appears listed as results after a search made on basis of the USers name.

Google argued that the activity of search engines does not constitute a processing of the data available on third parties web pages, since the search engines carry out the processing of information available on the internet without distinguishing between personal information and other information⁴⁶.

The CJEU disagreed with Google's reasoning, arguing that the activity of a search engine plays a decisive role in the process of dissemination of personal data by making the data accessible to any internet user and by providing a structured overview of the information relating to an individual with a more less detail profile of him. As a result the activity carried out by a search engine affects significantly the fundamental rights to privacy and to the protection of personal data of data subjects⁴⁷.

At this point, we want to address the comments made by the Article 29 Data Protection Working Party, which is an advisory body to the EC and is an independent actor from the institutions of the EU. Back in 2014 the WP 29 studied the Google Inc. vs. AEPD case and issued an opinion on how it should be implemented by search engines⁴⁸.

Among their recommendations, the WP 29 first celebrated the fact that this ruling recognizes search engines operators as data controllers and raised awareness about the future territorial effects of delisting personal data from a search engine.

This leads us to the analysis of:

a. The territorial scope of EU Data Protection Directive

In order to determine if the EU Data protection Law is applicable to Google it is pertinent to deconstruct and identify if an entity is an "establishment" and acts as a "controller", without neglecting the equally important reference to the "context of activities", in the sense that the establishments of the controller must be involved in activities related to the processing of personal data. As noted with the Costeja case the advertising activities of Google Spain had a direct economic impact on the processing of data carried out by Google Inc⁴⁹.

The CJEU decided that the processing carried out by the Google search took place in the context of the activities of Google Spain, therefore, the EU legislation is applicable, this based on the consideration that the aim behind the EU legislation on Data Protection was to prevent individuals from being deprived of the protection guaranteed by the directive⁵⁰.

b. The responsibility of a search engine operator

The CJEU confirmed that the operation of processing personal data carried out by search engines represents a serious interference with the fundamental rights of privacy and data protection when the search engine provides on the basis of an individual's name an organized list of information concerning a vast number of aspects of his/ her private life, which leads to the creation of a detailed profile of the individual⁵¹.

The Court also stated that due to the significant role played by search engines in modern life, if state members don't treat them as data controllers, it would be contrary to the "clear wording" of the Directive, and the Directive's objective of ensuring "effective and complete protection of data subjects"⁵². Given the entry into force of the GDPR, the reader must bear in mind that this obligations and requirements are still under construction with the EU GDPR.

The previous considerations and study of the reasoning made by the CJEU make crystal clear that online search engines fall in the category of data controllers under the scope of Article 2 of the Data Protection Directive. This means that they must comply with the obligations of Article 6 of the Directive and ensure that the data is: (a) processed fairly and lawfully; (b) Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that the Member States provide appropriate safeguards; (c) Adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; (d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data that are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; and (e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed⁵³.

Thus, this judgment creates a responsibility for the search engines, but to what extent?

The Court interpreted Article 12(b) and subparagraph (a) of Article 14 of the Directive 95/46, that states that data subject have the right "to object, on request and free of charge, to the processing of personal data relating to him which the controller anticipates being processed for the purposes of direct marketing, or to be informed before personal data are disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object free of charge to such disclosures or uses"⁵⁴.

This means that, in order to comply with the rights of the rectification, erasure or blocking, "the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person's name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful"⁵⁵.

Indeed, the ruling obliges the search engine operators to handle, process and evaluate requests from individuals that want those links removed from the list of results displayed as part of the search results, even in the cases where the publication was lawful or the information is not erased beforehand or simultaneously from those web pages⁵⁶.

The CJEU indicates that the right to erasure or blocking of data exists if, regarding all the circumstances of the publication, the information seems to be inadequate, irrelevant, no longer relevant, or excessive in relation to the purposes of the processing by the operator of the search engine. The Court stated that the processing cannot be justified only by Google's economic interests and the interest of the general public to access information and pointed out that the exercise of these rights does not depend on the source publication of the information that is affecting the data subject in the list of results⁵⁷.

The Court did not address the question of whether the ruling applies to the search results globally or if it applies exclusively within the EU geographic jurisdiction, this point deserves especial attention since it would mean that after a erasure request is granted the search engine must modify all the lists of results displayed in the .com domain name and not only in the European ones as Google has been doing so far.

The CJEU sustained that "the operator of the search engine as the person determining the purposes, and means of that activity must ensure, within the framework of its responsibilities, powers and capabilities, that the activity meets the requirements of Directive 95/46/EC in order that the guarantees laid down by the directive may have full effect and that effective and complete protection of data subjects, in particular of their right to privacy, may actually be achieved"⁵⁸.

And subsequently stated that "Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46/EC are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person's name links to web pages, published by third parties and containing information relating to that person"⁵⁹.

Concerning the efficient exercise of the right, the Court concluded that the requests must be filed directly by individuals to the data controller who must then duly examine their merits. If the controller does not grant the request, the individual may still resort the request to the data protection authority or court, which still has the competence to order the erasure of the links⁶⁰.

Finally, as described above the primary obligation for search engine operators derived from this case is to delist the information from the search results associated to an individual's name, not to delete the actual information.

The judgment made by the Court in Google Inc. vs. AEPD also emphasized that one exception to the right of the data subject to request the removal of information from the search results of search engines is the role played by the data subject. In case the data subject is a public figure then the interference with his/her fundamental, rights would be justified by the general public's interest in having access to said information⁶¹.

FINAL REMARKS AND RECOMMENDATIONS

To sum up the new ruling that will replace T- 063A de 2017, must clarify how data subjects are going to exercise their rights to access, modification and erasure of their personal data, furthermore the Court should established guidelines regarding personal data and state who is in charge of the obligation to determine whether personal data considered irrelevant o no longer relevant. This will not be an easy task yet is mandatory for the current state of affairs.

It must be said that this task will represent a challenge even for traditional authorities in the field of communication, such as newspapers editors and data protection authorities⁶², taking into account that for example journalistic rules are not applicable since the purpose behind that type of publication is different, this ruling will not be about historic events or historic archives, it is going to be about all the personal data available on the internet.

One of the biggest challenges brought up by the Muebles Caquetá vs. Google Inc. case, is therefore to develop jurisprudence and new cases in order to achieve a more stable interpretation of what must be understood as irrelevant and no longer relevant information, as well as who has the obligation to erase or limit the access to said content, is it going to be the original source or the search engine, moreover when there are cases in which the original source of the information is undetermined as seen in the Muebles Caquetá case.

Considering that, the Colombian Constitutional Court has considered search engines as mere intermediaries, meaning they do not have to rectify, correct, eliminate or complete the information listed in the results they provide.

We want to draw attention to the decision made by the CJEU in C-131/12, which recognised that the operation of processing personal data carried out by search engines represents a serious interference with privacy and data protection rights when the search engine provides on the basis of an individual's name an organized list of information concerning a vast number of aspects of his/her private life and creates a detailed profile of the person.

All in all, it must be noted that this interference makes clear the existence of a right to request the erasure of links⁶³ and the necessity of procedures provided by the search engines to do it effectively without erasing or altering the content of the website.

This highly needed delisting process should not be arbitrary⁶⁴, in consequence, the creation of conditions that allow data subjects to ask the erasure of links associated with their names is required. In the European Union the conditions to get those results delisted are: inadequacy, irrelevance, or excessiveness in relation to the processing purposes.

With the Muebles Caquetá case the Court must point out the importance of the activities carried out by online search engines, and force them to face the implications of being a "controller" of the processing of personal data that takes place within their services. Ifthe Court acknowledges that search engines are not mere intermediaries, these very important servers will have to assume responsibility for providing a service that has several privacy implications, like processing of personal data and making personal data available to the public through a list of results.

For all the above reasons, it can be said that the current position of the Constitutional Court about the search engines role and their responsibilities does not protect the USer's fundamental rights to privacy, good name and honor. Therefore, a more committed study on behalf of the Court is required.

In that light, I suggest that impartial experts and the local Data Protection Authority should draft the delisting guidelines⁶⁵. These guidelines will give the basis for the decision to delist based on privacy law and regulations. Nevertheless, the decision to keep or erase a link should be made by the search engine⁶⁶.

The decisions made by the search engines regarding the erasure requests must be "informed", meaning that search engines must inform sufficiently data subjects about the considerations behind the delisting request and explain why the criteria is applicable or not, having provided the above analysis, search engines must also craft an additional procedure to oppose a decision to delist considering the due process principle. Therefore there must be an opposition procedure to the resolution made by the search engine on the erasure request, considering that data subjects must have the opportunity to be heard and to respond to a decision regarding their rights, in this case their right to erasure.

Once the search engine carried out the opposition procedure, those decisions would have an appeal procedure in the Courts with the counsel of the local Data Protection Authority.

Finally, we must reaffirm that in order to strike a balance of all the interest involved, the development of this procedure is mandatory, even more if we realize that it would benefit all the parties involved, including the search engines because this is the easiest way to establish and implement lawful guidelines for an erasure procedure they should carry out.

NOTES

¹ Mayer-Schönberger, V. Delete: The Virtue of Forgetting in the Digital Age (Princeton: Princeton: Princeton University Press, 2011).
² Korenhof, P. Stage ahoy! Deconstruction of the "Drunken Pirate" Case in the Light ofimpression management. Reloading Data Protection Multidisciplinary Insights and Contemporary Challenges. Springer. (2014).
³ Andrade, N. N. Oblivion: The right to be different from oneself, Reproposing the Right to be Forgotten. In Ghezzi A., Pereira Â.G., VesniAQUI VA SIGNO-AlujeviAQUI VA SIGNO L. (eds), The Ethics of Memory in a Digital Age. Palgrave Macmillan Memory Studies (London: Palgrave Macmillan, 2014), 122-137.
⁴ Ambrose, M. L. (2014). Speakingofforgetting: Analysis ofpossible non-EU responses to the right to be forgotten and speech exception. Communication, Culture & Technology, Georgetown University, 3520 Prospect St. NW, Suite 311, Washington, DC 20057, USA.
⁵ Commission National de L'informatique et des libertes. (2009). www.cnil.fr. Retrieved September 6, 2018, from https://www.cnil.fr/sites/default/files/typo/document/CNIL-30erapport_2009.pdf
⁶ Italian Supreme Court Case n.° 3679 of 1998. Retrieved from s.sica and V. Zenozencovich, Legislazione, giurisprudenza e dottrina nel diritto dell'Internet, in Il diritto dell'informazione e dell'informatica, (2010), 387.
⁷ Pino, G. The Right to Personal Identity in Italian Private Law: Constitutional Interpretation and Judge-Made Rights. Conference; edited by Mark Van Hoecke and Francois Ost, European private law in context; The harmonisation of European private law; 1999; Oxford; (2000), 225.
⁸ Simon Castellano, P. El reconocimiento del derecho al olvido digital en España y en la UE. Madrid: Efectos tras la sentencia del TJUE de mayo de 2014 (Barcelona: Wolters Kluwer, 2015).
⁹ Pino, G. The Right to Personal Identity in Italian Private Law: Constitutional Interpretation and Judge-Made Rights. Conference; edited by Mark Van Hoecke and Francois Ost, European private law in context; The harmonisation of European private law; 1999; Oxford; (2000), 230.
¹⁰ Bernal, P. The EU, the US and Right to be forgotten. Reloading Data Protection: Multidisciplinary Insights and Contemporary Challenges. ed. / Serge Gutwirth; Ronald Leenes; Paul De Hert. Springer, (2014), 61-77 2.
¹¹ Koops, B. J. Forgetting Footprints, Shunning Shadows: A Critical Analysis of the 'Right to Be Forgotten' in Big Data Practice. (2011), 234.
¹² Art 3, EU GDPR. "This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) The monitoring of their behaviour as far as their behaviour takes place within the Union".
¹³ Colombia, Case T-063A from 2017. Retrieved from http://www.corteconstitucional.gov.co/relatoria/2017/t-063a-17.htm on October 16 2018.
¹⁴ Gasser, U. Regulating Search Engines: Taking Stock and Looking Ahead. Yale Journal of Law and Technology 8, Article 7 (2006): 203.
¹⁵ Gasser, U. Regulating Search Engines: Taking Stock and Looking Ahead. Yale Journal of Law and Technology 8, Article 7 (2006): 203.
¹⁶ Karma Snack. Retrieved on October 12, 2018, from http://karmasnack.com/about/search-engine-market-share/
¹⁷ Brin, S. & Page, L. The Anatomy of a Large-Scale Hypertextual Web Search Engine. (1997). Retrieved on October 5 2018, from http://ilpubs.stanford.edu:8090/361/1/1998-8.pdf
¹⁸ Brin, S. & Page, L. The Anatomy of a Large-Scale Hypertextual Web Search Engine. (1997). Retrieved on October 5 2018, from http://ilpubs.stanford.edu:8090/361/1/1998-8.pdf
¹⁹ Google www.Google.com. Retrieved September 9, 2018, from https://www.google.com/about/company/
²⁰ Google www.Google.com. Retrieved September 9, 2018, from https://www.google.com/about/company/
²¹ Evans, M. "Analysing Google rankings through search engine optimization data", Internet Research 17, Issue: 1 (2007):21-37, available at https://doi.org/10.1108/10662240710730470
²² Article 29 Data Protection Working Party. (2008). Opinion 1/2008 on data protection issues related to search engines. Brussels. Retrieved on September 23, 2018 http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2008/wp148_en.pdf
²³ Google, www.Google.com. Retrieved September 9, 2018, from https://www.google.com/about/company/
²⁴ Google www.Google.com. Retrieved September 9, 2018, from https://www.google.com/about/company/
²⁵ Brin, S. & Page, L. The Anatomy of a Large-Scale Hypertextual Web Search Engine. (1997) Retrieved on October 5 2018, from http://ilpubs.stanford.edu:8090/361/1/1998-8.pdf
²⁶ Moerel, E.M.L. The long arm of eu data protection law: Does the Data Protection Directive apply to processing of personal data of eu citizens by websites worldwide? International Data Privacy Law, (2011), 29.
²⁷ Alsenoy, B. V. & Koekkoek, M. (2015). Retrieved on September 29 of 2018 from http://ghum.kuleuven.be/ggs/publications/working_papers/new_series/wp151-160/wp152-alsenoy-koekkoek.pdf
²⁸ "Article 7 of the Charter of Fundamental Rights of the European Union grants the right of respect for private and family life, home, and communications.
While Article 8 of the Charter of Fundamental Rights of the European Union holds that:

1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority."

REFERENCES

Alsenoy, B. V. & Koekkoek, M. http://ghum.kuleuven.be/. 2015. Retrieved from http://ghum.kuleuven.be/:http://ghum.kuleuven.be/ggs/publications/working_papers/new_series/wp151-160/wp152-alsenoy-koekkoek.pdf

Ambrose, M. L. Speaking of forgetting: Analysis of possible non-EU responses to the right to be forgotten and speech exception. Communication, Culture & Technology, Georgetown University, 3520 Prospect St. NW, Suite 311, Washington, DC 20057, USA (2014).

Andrade, N. N. Oblivion: The right to be different from oneself, Reproposing the Right to be Forgotten. In Ghezzi A., Pereira Â.G., VesniAQUI VA SIGNO-AlujeviAQUI VA SIGNO L. (eds.), The Ethics of Memory in a Digital Age. Palgrave Macmillan Memory Studies. London: Palgrave Macmillan, 2014.

Article 29 Data Protection Working Party. (2008). Opinion 1/2008 on data protection issues related to search engines. Brussels. Retrieved September 23, 2018 http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2008/wp148_en.pdf

Article 29 Data Protection Working Party, guidelines on the implementation of the Google Spain case. (2014, November 26). Retrieved September 23, 2018, from http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp225_en.pdf

Bernal, P. The EU, the US and Right to be forgotten. Reloading Data Protection: Multidisciplinary Insights and Contemporary Challenges. ed. / Serge Gutwirth; Ronald Leenes; Paul De Hert. Springer, 2014.

Brin, S., & Page, L. The Anatomy of a Large-Scale Hypertextual Web Search Engine. (1997) Retrieved on October 5 2018, from http://ilpubs.stanford.edu:8090/361/1/1998-8.pdf

Case Bodil Lindqvist C-101/01. (2003, November 6). Retrieved on October 5 of 2018 from http://curia.europa.eu/juris/document/document.jsf?docid=48382&doclang=

Case Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González C-131/12, C. 2014. Retrieved on October 10 of 2018, from Case C-131/12 [2014] Retrieved on October 10, 2018: http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir&cid=437838

Commission National de L'informatique et des libertes. 2009. www.cnil.fr. Retrieved September 6, 2018, from https://www.cnil.fr/sites/default/files/typo/document/CNIL-30erapport_2009.pdf

Commission to the European Parliament. (2010, November 4). http://ec.europa.eu/justice/news/consulting_public/0006/contributions/organisations/beuc_en.pdf. Retrieved September 2, 2018, from http://ec.europa.eu/justice/news/consulting_public/0006/contributions/organisations/beuc_en.pdf [hereinafter Comprehensive Approach on Personal Data Protection].

Council of Europe. Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Strasbourg, 1981.

ECHR. (2010, June). http://www.echr.coe.int/. Retrieved on September 12, 2018, from http://www.echr.coe.int:http://www.echr.coe.int/Documents/Convention_ENG.pdf

European Parliament and Council. (1995, Octubre 24). http://eur-lex.europa.eu/. Retrieved on September 20 of 2018 from https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679

Evans, M. Analysing Google rankings through search engine optimization data. Internet Research 17, (2007): 21-37. Available at https://doi.org/10.1108/10662240710730470

Gasser, U. Regulating Search Engines: Taking Stock and Looking Ahead. Yale journal of Law and technology 8, (2006): 203. Article 7.

EU GDPR, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance). Retrieved on September 26 of 2018 from https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1532348683434&uri=CELEX:02016R0679-20160504

Google www.Google.com. Retrieved September 9, 2018, from https://www.google.com/about/company/

Google Annual Meeting of Stockholders. (2014, October 16). Google Annual Meeting of Stockholders. Retrieved on October 12, 2018, from https://www.youtube.com/watch?v=wcFTklq2-lI

Google's response to Art 29 WP requests. (2014, july 31). www.google.fr. Retrieved from www.google.fr. Retrieved on October 12 of 2018 https://docs.google.com/file/d/0B8syaai6SSfiT0EwRUFyOENqR3M/edit

Graux, Ausloos and Valcke. 2012. The right to be forgotten in the internet era, working paper. Retrieved on October 12, 2018, from https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2174896

Handbook on European data protection law . 2014. http://www.echr.coe.int/.

Retrieved October 12, 2018, from https://www.echr.coe.int/Documents/Handbook_data_protection_02ENG.pdf

Italian Supreme Court Case no. 3679 of 1998. Retrieved from S.SICA and v.ZENOZENCOVICH, Legislazione, giurisprudenza e dottrina nel diritto dell'Internet, in Il diritto dell'informazione e dell'informatica, 2010, p. 387

Karma Snack. Retrieved October 12, 2018, from Retrieved from http://karmasnack.com/about/search-engine-market-share/

Koops, B. J. Forgetting Footprints, Shunning Shadows: A Critical Analysis of the'Right to Be Forgotten'in Big Data Practice. 2011. SCRIPTED, p. 234.

Korenhof, P. Stage ahoy! Deconstruction of the "Drunken Pirate" Case in the Light of impression management. Reloading Data Protection Multidisciplinary Insights and Contemporary Challenges. Springer. 2014.

Mayer-Schönberger, V. Delete: The Virtue of Forgetting in the Digital Age. Princeton: Princeton: Princeton University Press, 2011.

Mayer-Schönberger, V. (2012, June 2). Oxford Internet Institute. Retrieved from www.youtube.com:https://www.youtube.com/watch?v=0b-RT42uDYI

Moerel, E.M.L. The long arm of EU data protection law: Does the Data Protection Directive apply to processing of personal data of EU citizens by websites worldwide? International Data Privacy Law, (2011): 28-46.

Patrick Van Eecke, google advisory council. (2015). Retrieved on October 5 of 2018 from https://www.google.com/advisorycouncil/

Pino, G. The Right to Personal Identity in Italian Private Law: Constitutional Interpretation and Judge-Made Rights. Conference; edited by Mark Van Hoecke and Francois Ost, European private law in context; The harmonisation

Posner, E. Slate.com. Retrieved Retrieved on October 5 of 2018 from Slate.com: http://www.slate.com/articles/news_and_politics/view_from_chicago/2014/05/the_european_right_to_be_forgotten_is_just_what_the_internet_needs.html

Reding V. The European data protection framework for the twenty-first century. International Data Privacy Law 2, (2012): 119-129. https://doi.org/10.1093/idpl/ips015

Sartor, G. The Right to be forgotten in the Draft Data Protection Regulation. International Data Privacy Law. 2014. Retrieved on September 20 of 2018, from https://brusselsprivacyhub.eu/Resources/Sartor_Presentation_Right_To_Be_Forgotten_Bruxelles_28102014.pdf

Simon Castellano, P. El reconocimiento del derecho al olvido digital en España y en la UE. Madrid: Efectos tras la sentencia del TJUE de mayo de 2014. Barcelona: Wolters Kluwer, 2015.

Zittrain, J. (2014, may 14). http://www.nytimes.com/. Retrieved On October 12 of 2018 from https://www.nytimes.com/2014/05/15/opinion/dont-force-google-to-forget.html 95/46/EC, D. (1995, October 24). http://eur-lex.europa.eu/. Retrieved from http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML

ANNEX I. ABBREVIATIONS

DPD: Data Protection Directive (Directive 95/46/EC)

ECD: Directive on electronic commerce. Directive 2000/31/EC

ECHR: European Convention on Human Rights.

ECJ: European Court of Justice.

EDPS: European Data Protection Supervisor.

ENISA: European Network and Information Security Agency.

EUC: Charter of Fundamental Rights of European Union.

EU GDPR: European Union General Data Protection Regulation.

WP29: Article 29 Working Party.

COLOMBIAN CASE LAW: CONSTITUTIONAL COURT

C-442 de 2011.

T-040 de 2013.

T-277 de 2015.

T-725 de 2016.

T-063A de 2017.