Harvard Law Review Harvard Law Review Harvard Law Review

Cyber Law

Google Spain SL v. Agencia Espa帽ola de Protecci贸n de Datos

Court of Justice of the European Union Creates Presumption that Google Must Remove Links to Personal Data upon Request.

In 1995, the European Council passed Directive 95/46 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (鈥渢he Directive鈥).1×1. Council Directive 95/46, 1995 O.J. (L 281) 31 (EC). Proposed in 1990, when the Internet did not yet exist in its modern form,2×2. Opinion of Advocate General J盲盲skinen 露聽10, Google Spain SL v. Agencia Espa帽ola de Protecci贸n de Datos (May 13, 2014) (Case C-131/12), http://curia.europa.eu/juris/document/document.jsf?text=&docid=138782&doclang=EN [http://perma.cc/Y7C5-65WB]. and passed three years before Google was founded,3×3. Our History in Depth, Google, http://www.google.com/about/company/history (last visited Oct. 26, 2014) [http://perma.cc/SK8Q-3K22]. the Directive was intended to regulate and supervise data controllers4×4. The Directive defines a data controller as any entity 鈥渨hich alone or jointly with others determines the purposes and means of the processing of personal data.鈥 Council Directive 95/46, supra note 1, art. 2(d), at 38. and ensure that data-processing systems 鈥減rotect the fundamental rights and freedoms of natural persons, and in particular their right to privacy.鈥5×5. Id. art. 1(1), at 38. Recently, in Google Spain SL v. Agencia Espa帽ola de Protecci贸n de Datos,6×6. Case C-131/12, Google Spain SL v. Agencia Espa帽ola de Protecci贸n de Datos (May 13, 2014), http://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&doclang=EN [http://perma.cc/ED5L-DZRK]. the Court of Justice of the European Union (CJEU) interpreted the Directive as creating a presumption that Google must delete links to personal information from search results at the request of a data subject7×7. A data subject is the person to whom the data relate. See Council Directive 95/46, supra note 1, art. 2(a), at 38. unless a strong public interest suggests otherwise. Many American and European analysts have attacked the decision as a mistaken legal interpretation of the Directive that gave too much power to private entities to control public information access. These critiques raise valid concerns, yet the suggestion that it is the court鈥檚 interpretation that is at fault misses the point; the legal interpretation was a reasonable reflection of the text of the Directive and the values embodied in it. Critics seeking meaningful change should thus use the decision and the conversation it has generated to shape the debate on what values should be represented 鈥 and how 鈥 in a new regulatory regime.

On March 5, 2010, Mario Costeja Gonz谩lez, a Spanish citizen, lodged a complaint with the Spanish data protection agency, AEPD,8×8. In 1999, Spain incorporated the provisions and protections of Directive 95/46 into national legislation and established a national agency to implement the Directive and handle complaints. See Ley de Protecci贸n de Datos de Car谩cter Personal (B.O.E. 1999, 298); see also Council Directive 95/46, supra note 1, art. 28, at 47鈥48; Privacy Int鈥檒, Spain ch. I (2011), https://www.privacyinternational.org:4443/reports/spain/i-legal-framework [http://perma.cc/6DSD-9CJG]. against a Spanish newspaper, Google Spain SL (鈥淕oogle Spain鈥), and Google Inc.9×9. Google Spain SL, Case C-131/12, 露聽14. Google Spain is a Spanish subsidiary of Google that acts as Google鈥檚 鈥渃ommercial representative聽.聽.聽.聽for its advertising functions.鈥 Opinion of Advocate General J盲盲skinen, supra note 2, 露聽62. Google Spain does not process data as part of Google鈥檚 search engine function, Google Spain SL, Case C-131/12, 露聽46, so when it received Costeja Gonz谩lez鈥檚 original takedown request, the company forwarded it to Google Inc. as the provider of the search engine service, Opinion of Advocate General J盲盲skinen, supra note 2, 露聽20. An Internet user typing Costeja Gonz谩lez鈥檚 name into Google鈥檚 search engine would receive links to two newspaper pages announcing a foreclosure auction on Costeja Gonz谩lez鈥檚 home.10×10. Google Spain SL, Case C-131/12, 露聽14. In his complaint, Costeja Gonz谩lez requested first that the newspaper be required to remove his name, and second that Google Spain 鈥渞emove or conceal鈥 his personal data so that they no longer appeared in the search results.11×11. Id. 露聽15. Costeja Gonz谩lez argued that because the attachment proceedings had been 鈥渇ully resolved[,]聽.聽.聽.聽reference to them was now entirely irrelevant,鈥12×12. Id. The Directive provides that 鈥減ersonal data must be聽.聽.聽.聽adequate, relevant and not excessive in relation to the purposes for which they are collected.鈥 Council Directive 95/46, supra note 1, art. 6, at 40. and he had the right to have the data removed.13×13. See Council Directive 95/46, supra note 1, art. 12, at 42 (鈥淢ember States shall guarantee every data subject the right to obtain from the [data] controller聽.聽.聽.聽the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive聽.聽.聽.聽.鈥).

The AEPD denied Costeja Gonz谩lez鈥檚 complaint against the newspaper, but granted it against Google. The newspaper had no obligation to remove the announcements, as they had been lawfully published.14×14. Google Spain SL, Case C-131/12, 露聽16. Indeed, the paper had been ordered by the government to publish the announcements to publicize the auction. Id. However, the agency reasoned that search engine operators were data controllers, that they were thus subject to the Directive, and that Google Spain and Google Inc. were therefore required to remove links to data upon request by the data subject.15×15. Id. 露聽17. Google Spain and Google Inc. both appealed to the Spanish high court, which referred several sets of questions to the CJEU for a preliminary ruling concerning the proper interpretation of the Directive.16×16. Id. 露露聽18鈥20. National courts may refer questions on the interpretation of European Union law to the CJEU for guidance. See Ralph H. Folsom, Principles of European Union Law 87鈥88 (4th ed. 2005). The CJEU鈥檚 decisions, called preliminary rulings, are binding in the case referred and at least persuasive in other nations. Id. at 88鈥89. The first set of questions17×17. The Spanish court referred these questions in three different groups; the order reflected here is the order in which the CJEU answered. addressed whether Google should be classified as a data controller (a requirement for being subject to the Directive) and whether Google, as a non鈥揈uropean Union company, was subject to the Directive鈥檚 territorial reach. If the court answered both questions affirmatively, it was asked to then determine the scope of Google鈥檚 legal responsibility as a data controller and whether a citizen had the right to have Google erase his data 鈥 in other words, the scope of the 鈥渞ight to be forgotten.鈥18×18. Google Spain SL, Case C-131/12, 露聽20. The phrase 鈥渞ight to be forgotten鈥 has many slightly different uses but generally describes the idea that a person should have the right to escape irrelevant aspects of his past. See generally European Commission, Factsheet on the 鈥淩ight to be Forgotten鈥 Ruling 2 (2014), http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf [http://perma.cc/J5LC-K3DC].

The CJEU鈥檚 preliminary ruling was consistent with the AEPD鈥檚 interpretation of the Directive. In examining whether Google was a data controller subject to the Directive, the court determined that a search engine鈥檚 activities constitute data processing19×19. The Directive defines data processing as 鈥渁ny operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.鈥 Council Directive 95/46, supra note 1, art. 2(b), at 38 (emphasis added). because a search engine 鈥溾榗ollects鈥 such data which it subsequently 鈥榬etrieves[,]鈥 鈥榬ecords[,]鈥櫬.聽.聽. 鈥榦rgani[z]es[,]鈥櫬.聽.聽. 鈥榮tores鈥 on its servers[,] and [then]聽.聽.聽. 鈥榙iscloses,鈥欌20×20. Google Spain SL, Case C-131/12, 露聽28. and because the data clearly include personal data.21×21. Id. 露聽27. Personal data is defined in the Directive as 鈥渁ny information relating to an identified or identifiable natural person (鈥榙ata subject鈥).鈥 Council Directive 95/46, supra note 1, art. 2(a), at 38. Given that a search engine operator 鈥渄etermines the purposes and means鈥 of the data processing, a search engine operator should also be regarded as a data controller.22×22. Google Spain SL, Case C-131/12, 露聽33. The court stated that given the significant role search engines play in modern life, finding otherwise would be contrary not only to the 鈥渃lear wording鈥 of the Directive, but also to the Directive鈥檚 objective of ensuring 鈥渆ffective and complete protection of data subjects.鈥 Id. 露聽34. The court noted 鈥渢he important role played by the internet and search engines in modern society,鈥 which magnified the interference with an individual鈥檚 rights to privacy and personal data protection by providing a 鈥渟tructured overview鈥 of 鈥渧ast鈥 amounts of personal information that otherwise 鈥渃ould not have been interconnected.鈥 Id. 露聽80. As a data controller, a search engine operator must comply with the Directive.23×23. Id. 露聽38.

The court then determined that Google Inc.鈥檚 presence in Spain was sufficient to subject it to the Directive. Though all of Google Inc.鈥檚 data processing occurred outside Spain, Google Spain sold advertising space within the country; since advertising is Google Inc.鈥檚 main source of revenue, the court held that the two entities were 鈥渃losely linked.鈥24×24. Id. 露聽46. Google Spain was thus effectively an establishment of Google Inc., making Google Inc. subject to the Directive.25×25. Id. 露聽60.

Having resolved the threshold issues, the court turned to the next inquiry: what were search engine operators鈥 legal obligations under the Directive? The court noted that the Directive required a balancing test26×26. See Council Directive 95/46, supra note 1, art. 7, at 40 (establishing the criteria for legitimate data processing). : while personal data processing was permitted when it was necessary to serve the controller鈥檚 or third parties鈥 legitimate interests, it was not permitted 鈥渨here such interests are overridden by the interests or fundamental rights and freedoms of the data subject 鈥 in particular his right to privacy.鈥27×27. Google Spain SL, Case C-131/12, 露聽74. For the source of these fundamental rights, see Charter of Fundamental Rights of the European Union, art. 8, 2000 O.J. (C 364) 1, 10. Given the 鈥渟eriousness of [the] interference鈥 with a data subject鈥檚 rights, an operator鈥檚 economic interests were never sufficient to justify interference with privacy rights;28×28. Google Spain SL, Case C-131/12, 露聽81. moreover, privacy rights 鈥渙verride, as a rule聽.聽.聽.聽the interest of the general public鈥 in having access to private information.29×29. Id. 露聽99 (emphasis added). This presumption could be overcome only 鈥渂y the preponderant interest of the general public in having聽.聽.聽.聽access to the information.鈥30×30. Id. (emphasis added). This might be the case, for example, if the data subject played a significant role in public life. See id. 露聽81. The court also noted that search engine operators may be required to remove links to data even when the original publisher does not have the same obligation. Id. 露聽88. Because a search engine 鈥渉eighten[s]鈥 the level of interference with the right to privacy, id. 露聽80, the balancing test may come out differently for search engines than for original publishers, id. 露聽86. Moreover, some original publishers will not be subject to the Directive鈥檚 jurisdiction, thus compromising privacy protection if data subjects were required to simultaneously ensure the erasure of material from the primary source. Id. 露聽84.

Moreover, the court understood the data subject鈥檚 privacy interest to be so important that the subject could successfully object even if the data were in no way prejudicial. Instead, a data subject may legitimately object if information is 鈥渋nadequate, irrelevant or no longer relevant, or excessive in relation to [the] purposes [of the processing] and in the light of the time that has elapsed.鈥31×31. Id. 露聽93. Directive Articles 14(a) and 12(b) provide the authority for objection and removal, while Article 6(1)(c) establishes the relevant substantive conditions. See Council Directive 95/46, supra note 1. If that is the case, then a search engine operator must remove the links.32×32. Google Spain SL, Case C-131/12, 露聽94.

In the wake of the CJEU鈥檚 decision, there has been much criticism unified around one belief: the court got it wrong. Many of the attacks on the decision have been explicitly legal: a number of critics argue that the court incorrectly found Google a data controller subject to the Directive and that the court鈥檚 balancing test ignored basic legal principles and rights. Other critics have focused more on the opinion鈥檚 consequences, arguing that the decision transferred too much power to private entities to censor the Internet without providing sufficient implementation guidance. But critics ignore that the decision was a reasonable interpretation of the Directive鈥檚 text and the deeply held privacy values manifested therein. Critics seeking meaningful change should instead use the decision and the ensuing debate to shape the conversation on a new regulatory regime tailored to the nuances of modern privacy protection and reflective of the values these critics seem to believe are currently underrepresented.

The first line of legal criticism attacks the court鈥檚 overly broad interpretation of 鈥渄ata controllers鈥 as including search engine operators. The British House of Lords report reviewing the decision and its effects lamented that the court鈥檚 definition of a data controller was now so broad that it could include 鈥渁ny company that aggregates publicly available data鈥33×33. European Union Committee, EU Data Protection Law: A 鈥楻ight to Be Forgotten鈥?, 2014-5, H.L. 40, 露聽40 (U.K.) [hereinafter H.L. Committee Report] (quoting statement from Morrison & Foerster). and concluded that the court 鈥渃ould and should have interpreted the Directive much more stringently.鈥34×34. Id. 露聽55 (quoting Professor Luciano Floridi, who also stated to the committee that the court could have 鈥渃onclud[ed] that a link to some legally available information does not process the information in question鈥); see also Danny O鈥橞rien & Jillian York, Rights that Are Being Forgotten: Google, the ECJ, and Free Expression, Electronic Frontier Found. (July 8, 2014), https://www.eff.org/deeplinks/2014/07/rights-are-being-forgotten-google-ecj-and-free-expression [http://perma.cc/BR4Z-C2SH]. The report argued that the court鈥檚 decision led to absurd results: 鈥淚f search engines are data controllers, so logically are users of search engines.鈥35×35. H.L. Committee Report, supra note 33, 露聽41. As people determining 鈥渢he purposes and means of the processing of personal data,鈥 Council Directive 95/46, supra note 1, art. 2(d), at 38, individuals using search engines could conceivably be characterized as data controllers, see Opinion of Advocate General J盲盲skinen, supra note 2, 露聽81 & n.57.

The second line of legal criticism challenges the court鈥檚 balancing test, which prioritizes privacy rights over nearly all other rights. Critics claim that by creating a presumption toward data erasure, the court created a 鈥渟uper-human[ ]right,鈥36×36. Martin Husovec, Should We Centralize the Right to Be Forgotten Clearing House?, Center for Internet & Soc鈥檡 (May 30, 2014, 1:28 PM) (quoting Hans Peter Lehofer, EuGH: Google muss doch vergessen 鈥 das Supergrundrecht auf Datenschutz und die Bowdlerisierung des Internets, e-comm (May 13, 2014), http://blog.lehofer.at/2014/05/eugh-google-muss-doch-vergessen-das.html [http://perma.cc/4YA5-X86V]), http://cyberlaw.stanford.edu/blog/2014/05/should-we-centralize-right-be-forgotten-clearing-house [http://perma.cc/ZH87-YC5F]. even though 鈥渢here is no hierarchical relationship between the conflicting human rights.鈥37×37. Id. (emphasis omitted). By focusing so much on the right to privacy, the CJEU 鈥渇orgot that other rights [were] also applicable,鈥38×38. Steve Peers, The CJEU鈥檚 Google Spain Judgment: Failing to Balance Privacy and Freedom of Expression, EU Law Analysis (May 13, 2014), http://eulawanalysis.blogspot.co.uk/2014/05/the-cjeus-google-spain-judgment-failing.html [http://perma.cc/T8QN-W2G2]; cf. Caro Rolando, How 鈥淭he Right to Be Forgotten鈥 Affects Privacy and Free Expression, IFEX (July 21, 2014), https://www.ifex.org/europe_central_asia/2014/07/21/right_forgotten [http://perma.cc/A54Z-2TG5] (outlining the various rights at stake). including freedom of information.39×39. See EU Court Enshrines 鈥淩ight to Be Forgotten鈥 in Spanish Case Against Google, Reporters Without Borders (May 14, 2014), http://en.rsf.org/union-europeenne-eu-court-enshrines-right-to-be-14-05-2014,46278.html [http://perma.cc/6DE2-APLM].

But the court鈥檚 interpretation is firmly grounded in the text of the Directive and its underlying values. Google鈥檚 own description of how Internet search works 鈥 crawling the web, sorting and indexing the results, running algorithms to determine what to show, and displaying the final results40×40. See How Search Works, Google, http://www.google.com/insidesearch/howsearchworks (last visited Oct. 26, 2014) [http://perma.cc/U4KK-B8Q8]. 鈥 neatly mirrors both the legal and intuitive definitions of a data processor and controller. Even the highly critical House of Lords report acknowledged that many of their expert witnesses believed the court had correctly classified search engine operators based on the Directive鈥檚 language.41×41. H.L. Committee Report, supra note 33, 露露聽27鈥29. This may not have been the only permissible reading, but it did follow naturally from the text. The Advocate General proposed an alternative, narrower interpretation of the data controller provision suggesting that the Directive contemplated that the data controller have responsibility for the personal data it was processing, implying an awareness that what was being processed was personal data. Opinion of Advocate General J盲盲skinen, supra note 2, 露露聽82鈥83. Because Google鈥檚 searching functions cannot distinguish personal data, the Advocate General argued it was not proper to classify Google as a data controller. See id. 露露聽84, 89. However, this understanding was not based on the text of the Directive, previous case law, or even the intention of the parties at the time the Directive was written or passed (as search engines as such did not yet exist); instead, it was based on the views of a purely advisory working party formed after the Directive was signed. See id. 露露聽82鈥83, 88; Article 29 Working Party, European Commission, http://ec.europa.eu/justice/data-protection/article-29/index_en.htm (last visited Oct. 26, 2014) [http://perma.cc/ZH4E-VYPH] (noting that the Article 29 Working Party 鈥渉as an advisory status and acts independently鈥).

The criticism of the court鈥檚 balancing test also ignores that the lopsided rights prioritization stems from the Directive itself. Although the Directive does acknowledge the importance of the free flow of data to the economy,42×42. See, e.g., Council Directive 95/46, supra note 1, pmbl. 露聽2, at 31 (鈥淸D]ata-processing systems聽.聽.聽.聽must .聽.聽.聽contribute to economic and social progress, trade expansion and the well-being of individuals .聽.聽.聽.鈥); id. pmbl. 露聽56, at 36 (鈥淸C]ross-border flows of personal data are necessary to the expansion of international trade .聽.聽.聽.鈥). that acknowledgement is immediately subordinated by the first article of the Directive, which describes its object as 鈥減rotect[ing] the fundamental rights and freedoms of natural persons, and in particular their right to privacy.鈥43×43. Id. art. 1(1), at 38. The court鈥檚 text-based interpretation was reasonable and reflected the Directive鈥檚 underlying values.

Critics also level two significant primarily consequentialist attacks against the opinion and its real-world effects. First, critics claim the opinion grants too much power to individuals and Google to censor public materials without oversight. By submitting a form, individuals may effectively 鈥渋mpede access to facts about themselves鈥44×44. Jonathan Zittrain, Don鈥檛 Force Google to 鈥楩orget,鈥 N.Y. Times, May 14, 2014, http://www.nytimes.com/2014/05/15/opinion/dont-force-google-to-forget.html [http://perma.cc/M8B7-QM83]. simply because they would prefer that information no longer be 鈥渆asily available.鈥45×45. H.L. Committee Report, supra note 33, 露聽8. Second, critics argue these requests should not be considered or decided upon entirely inside a private corporation, without public accountability or scrutiny.46×46. O鈥橞rien & York, supra note 34 (鈥淩estrictions on free expression need to be considered, in public, by the courts, on a case-by-case basis, and with both publishers and plaintiffs represented, not via an online form .聽.聽.聽.鈥). This is particularly concerning for critics who believe the court鈥檚 decision provides little guidance to Google and insufficient protections for the public interests in freedom of expression or information.47×47. See, e.g., Rolando, supra note 38. Critics point to some of Google鈥檚 early and controversial link removal decisions as signs of some of these negative consequences. For example, Google removed a link to an article published by The Guardian about a now-retired soccer referee who had been accused of lying about why he had awarded a penalty kick. See Mark Scott, Google Reinstates European Links to Articles from The Guardian, N.Y. Times, July 4, 2014, http://www.nytimes.com/2014/07/05/business/international/google-to-guardian-forget-about-those-links-right-to-be-forgotten-bbc.html [http://perma.cc/MJG3-GNFZ]. The paper complained, and Google eventually reinstated the links. See id. Google did not share who had requested the article be removed, why that individual made the request, or Google鈥檚 own rationale for removing or reinstating the links. See id. To critics, this episode highlighted the difficulty of applying the court鈥檚 vague balancing test and the dangers of letting these decisions happen in private, without having all parties represented or any public oversight and accountability. While this story ended happily (at least from the perspective of advocates for unrestricted information), critics doubt that a smaller news organization or website would have the clout, wherewithal, or resources to challenge Google鈥檚 decisions. See O鈥橞rien & York, supra note 34.

While these consequentialist criticisms reflect valid concerns, they too miss the clear tie between the court鈥檚 decision and the Directive鈥檚 text and values. For example, the decision鈥檚 empowerment of an individual to control the use of his personal data was derived from the prioritization of individual privacy rights in the Directive itself. Similarly, the opinion鈥檚 apparent grant of power to Google to decide what information appears in the search results48×48. It is worth noting that while critics lament Google鈥檚 supposedly new power to determine what users do and do not see in their search results, this concept is in fact both the entire premise and purpose of Google. Google 鈥 like many other search engines 鈥 ranks and displays content based on over 200 factors other than pure relevance, including country of origin, previous browsing history, and freshness of content. See Algorithms, Google, http://www.google.com/insidesearch/howsearchworks/algorithms.html (last visited Oct. 26, 2014) [http://perma.cc/45NR-ZB5B]. Google has never been an unbiased party, and the company鈥檚 decisions affect everything users see in their search results. The critical literature is notably devoid of any analysis of why this additional decision point is so much worse. traces directly to the Directive鈥檚 command that 鈥淸i]t shall be for the controller to ensure that [the principles relating to data quality are] complied with.鈥49×49. Council Directive 95/46, supra note 1, art. 6, at 40; see also id. art. 12, at 42 (鈥淢ember States shall guarantee every data subject the right to obtain from the controller: .聽.聽.聽the rectification, erasure or blocking of data .聽.聽.聽.鈥 (emphasis added)). And finally, the lack of guidance on implementation is also a result of the Directive鈥檚 broad and vague language.50×50. For example, the right to be forgotten derives from Article 12(b), which allows data subjects to request data deletion when 鈥渁ppropriate鈥 and suggests that its list of grounds for deletion is nonexhaustive. Id. art. 12(b), at 42. Even less helpfully, Article 14(a) allows objections on 鈥渃ompelling legitimate grounds鈥 and all but mandates case-by-case review by tying the validity of the objection to the subject鈥檚 鈥減articular situation.鈥 Id. art. 14(a), at 42. While the court could have taken a more active role in providing guidance, it exercised reasonable judicial restraint in allowing Google to craft the parameters of a workable test on its own.

Critics鈥 failure to fully engage with the privacy values underpinning the Directive and the decision has hindered their full participation in the policy debate. The Council of the European Union is currently considering a new Data Protection Regulation51×51. See Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), COM (2012) 11 final (Jan. 25, 2012), http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf [http://perma.cc/EJP5-34QV]. that not only enshrines but also expands the rights articulated in the CJEU鈥檚 opinion.52×52. See H.L. Committee Report, supra note 33, 露聽30 (noting, with dismay, that the Regulation would provide a 鈥渞ight to erasure鈥 not just against data controllers, but against all third parties); European Commission, supra note 18, at 2鈥4 (promoting the fact that the Regulation (1) will ensure that 鈥渘on-European companies, when offering services to European consumers, must apply European rules,鈥 id. at 2, (2) will shift the burden of proof to companies to prove that data must be retained, id. at 3, and (3) will impose fines on companies that do not respect the rules, id. at 4). By attacking the opinion without fully acknowledging the underlying values the Directive and the Regulation promote, critics are losing the debate to the privacy advocates: the proposed measure enjoys widespread support across much of Europe and has already passed in the European Parliament.53×53. Originally proposed in 2012 and approved by the European Parliament in 2014, the Regulation may receive final approval as early as late 2014 or early 2015. EU Legislative Process Updates, Wilson Sonsini Goodrich & Rosati, LLP, http://www.wsgr.com/eudataregulation/process-updates.htm (last visited Oct. 26, 2014) [http://perma.cc/SXW7-QY7N]. The real debate is not on what has already been decided, but on what is yet to come; if critics hope to change the substantive outcome, they must shift their focus from secondary legal and policy arguments to the fundamental values at stake.