By Dan Cooper, Mark Young and Kristof van Quathem
On May 13, the European Court of Justice (the “Court”) handed down an important judgement in a referral from Spain’s National High Court involving Google, a Spanish national, and the Spanish data protection authority (Case C-131/12). The decision has wide-ranging consequences regarding the application of EU data protection laws and the rights individuals are afforded under those laws.
In brief, the Court was asked to answer several questions about Google’s responsibility under EU data protection laws in relation to its online search engine. The Court interpreted the applicable law rules under the EU Data Protection Directive 95/46/EC (the “Directive”) very broadly, holding that Google Inc. is directly subject to Spanish data protection law. The Court also decided that Google is obliged, in certain circumstances – e.g., where information about an individual is inaccurate – to delete web search results that link to web pages containing information relating to that person. Further, where an individual requests it, Google must delete search results that link to information about an individual where the information – even truthful information – is prejudicial to the individual or that he or she wishes to be “forgotten” due to the passage of time. The Court appears to accept that providing access to such information for longer periods of time may be appropriate for high-profile individuals, such as celebrities.
The Court’s landmark decision has dominated headlines and is bound to spark a deluge of analysis and criticism, particularly in relation to issues concerning access to information and censorship. For many international companies that process personal data and have affiliates in Europe, the most significant element of the judgement may prove to be the Court’s finding on applicable law rules, which undoubtedly presents a compliance challenge.
The Court’s judgement follows from a data protection complaint that Spanish citizen, Mario Costeja González, brought in 2010 against Google. Google had refused to agree to de-commission links to two newspaper reports, originally published in 1998, in which González was associated with a real-estate auction and certain attachment proceedings. The Spanish Data Protection Authority upheld the complaint against Google, which then brought an action before the Spanish courts, which in turn referred several questions of law to the European Court of Justice.
Operating a search engine amount to “processing” personal data, and the operator is a controller
The Court first considered whether Google’s web-indexing activities amounted to “processing” data. The Court confirmed that Google processes personal data when providing its search service, deeming it irrelevant that the data is already available on the internet, and is only indexed and displayed by the company. The Court also found that Google is a data controller with respect to this processing, insofar as it determines the means and purposes of the processing operations fueling its search engine.
Google Inc. is subject to EU data protection laws
More controversially, the Court then considered whether Google Inc. is subject to EU law, despite the company being established in the US. The Court answered that it is – by virtue of its affiliates providing support to Google Inc.’s search business.
The relevant and rather convoluted rule, under Article 4(1)(a) of the Directive, is that an EU Member State’s national data protection law applies where processing is carried out “in the context of activities” of an “establishment” of the data controller on the territory of the Member State. For many years there have been doubts over how much or what type of data processing needs to take place within the EU-based “establishment” in order to foist the Member State’s laws upon the controller, which could be based in another EU Member State or, potentially, outside the EU.
Significantly, the Court found that only a very limited, and effectively tangential, form of processing will suffice. According to the Court, although Google’s Spanish affiliate does not process any personal data directly in connection with Google’s search engine service and display of results, its commercial contribution to the service – namely, promoting and selling advertising associated with the service – suffices to trigger the application of Spanish law to Google Inc. Or, as the Court would have it, the processing by Google Inc. and Google Spain are “inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed.” (Judgement, Para. 56).
The Court thus placed significant weight upon the fact that without Google Spain’s involvement, the underlying online search service, and associated data processing, would not be economically feasible. Taken to its extreme, the Court’s theory of applicable law would subject non-resident data controllers to the data protection laws of EU Member States any time their local affiliates or agents were engaged in marketing, advertising or other related activities that lend economic support for a service offered elsewhere by the controller. Here, it follows that Google Inc. is subject to additional Member State laws, besides Spain’s, because its other European affiliates presumably also promote and sell advertising space on the search platform.
Extensive rights for individuals
The Court then turned to assess questions regarding the rights of individuals in relation to links that appear on Google in response to running a search using their name. In short, the Court was asked whether an individual could request that Google (or any other search engine, for that matter) not present certain search results on the basis of the individual’s right to object under Article 14 of the Directive. The Court addressed this question from two angles:
─ First, it discussed requests lodged before data protection authorities or judicial authorities. The Court held that these authorities must balance the interests of the individual against the rights of search engine users to the information. Where the right of the individual prevails, taking into account such factors as the nature of the data and its sensitivity, the authorities may order Google to delete search results, even if the data is still available on the relevant websites and the publication on such websites is lawful.
─ Second, the Court considered an individual’s right to ask Google directly not to display search results to lawful web pages that contain accurate information about him or her, on the basis that the individual wants this information to be forgotten after a certain period of time. Here, as well, the Court found that an individual’s interests can prevail over any countervailing interests at stake. The Court considered that general principles of data protection law require data uses to be necessary, relevant and accurate, and that after a period of time, offering access to such pages via an online search conflicts with such fundamental data protection principles.
The Court clarified that the outcome would be different if the interference with this fundamental privacy right were justified by the “preponderant interest of the general public” in having access to information, for example, because of the prominent role played by an individual in public life.
The Court’s decision has already attracted much attention, and criticism. For instance, it is difficult to understand why a search engine must delete search results, when the source data is still available on another website. Perhaps in response to such concerns, the Court pointed out that search engines provide a functionality that never existed before and raise important privacy concerns. The Court’s remarks are worth noting:
“It must be pointed out at the outset that […] processing of personal data […] carried out by the operator of a search engine is liable to affect significantly the fundamental rights to privacy and to the protection of personal data when the search by means of that engine is carried out on the basis of an individual’s name, since that processing enables any internet user to obtain through the list of results a structured overview of the information relating to that individual that can be found on the internet — information which potentially concerns a vast number of aspects of his private life and which, without the search engine, could not have been interconnected or could have been only with great difficulty — and thereby to establish a more or less detailed profile of him. Furthermore, the effect of the interference with those rights of the data subject is heightened on account of the important role played by the internet and search engines in modern society, which render the information contained in such a list of results ubiquitous […].”
Although the Court tried to balance the features of this “new” technology against the privacy rights of the individual, whether it succeeded in arriving at a sensible balance is questionable. There will be many who maintain that it failed in this endeavor.
Ultimately, the Court’s extremely broad interpretation of the applicable law rules may provide a boost for the proposed Data Protection Regulation. It is important to note that the Court’s interpretation does not only apply to data controllers outside the EU, but also in the EU. It would appear that a data controller established in France, for example, with a commercial operation in Spain (and that does not process the relevant personal data), may henceforth be subject to Spanish law.
Seen in this light, the Court’s approach to Article 4(1)(a) will prove difficult to apply in practice and certainly frustrate international companies, which now find themselves even more exposed to multiple, sometimes conflicting national data protection laws. The proposed Regulation, for all of its potential flaws and difficulties, may now come as something of a relief given that it dispenses with different national laws. On the other hand, the Court’s judgement also creates a new basis for applying EU laws extra-territorially to non-EU data controllers, weakening one of the Commission’s main arguments for the Regulation.