On 25 June, the Advocate General (the “AG”) submitted an Opinion on a set of questions that a Spanish court referred to the Court of Justice of the European Union (the “Court”). This is the first time that the Court has been asked to interpret the European Data Protection Directive 95/46/EC (the ‘Directive’) in the context of internet search engines. The questions concern three main issues:
- the territorial scope of and the applicable national law under the Directive;
- whether search engine providers are data controllers; and,
- whether there is a right to be forgotten.
The proceedings were triggered by an individual who was the subject of some press reports in a newspaper in early 1998. In 2010, he requested Google Spain not to show any links to the newspaper when users entered his name in the Google search engine. The publisher, whom the individual also contacted, refused to erase the relevant data. The individual therefore lodged a complaint with the Spanish data protection authority, which subsequently ordered Google Spain and Google Inc. to take the measures necessary to withdraw the data from their index and to render future access to the data impossible. Google appealed the decision to a Spanish court, which referred the aforementioned questions to the Court for a preliminary ruling.
Territorial scope of application and applicable national law
The AG asserts that the fact that Google’s search engine targets Spanish users in whose eyes the individual’s reputation may have been harmed cannot trigger the application of Spanish data protection law. In particular, it would not be possible to add an entirely new criterion (such as the “centre of gravity of the dispute”) to Article 4 (1) of the Directive, which fully harmonizes the territorial scope of application of the Directive.
Rather, the relevant question would be whether Google carries out data “processing in the context of the activities of an establishment of the controller” in Spain within the meaning of Article 4. The AG answers this question in the affirmative although – as Google claimed – no processing of personal data relating to its search engine takes place in Spain and Google Spain acts as commercial representative of Google for its advertising functions. However, the AG suggests approaching the question of territorial applicability:
from the perspective of the business model of internet search providers. This […] normally relies on keyword advertising […]. The entity in charge of keyword advertising […] is linked to the internet search engine. […] [and] needs presence on national advertising markets.
In the present case, Google Spain acts as the bridge for the referencing service to the advertising market of Spain, which in the AG’s view provides sufficient nexus. The AG thus proposed that the Court declare that processing of personal takes place within the context of the establishment of a controller when:
the undertaking providing the search engine sets up in a Member State for the purpose of promoting and selling advertising space on the search engine, an office or subsidiary which orientates its activity towards the inhabitants of that State.
Importantly, the AG does not consider it necessary for the establishment to be involved in the technical data processing operations, which could take place elsewhere or even outside of the EU. The AG also seems to support the view that groups of companies should be treated as a single unit rather than separate legal entities (single concept of controller), suggesting that an economic operator must be considered as a single unit and must “not be dissected on the basis of its individual activities relating to processing of personal data.”
Search engine providers as controllers?
Secondly, the AG discusses the question of whether or not Google can in fact be considered a controller. In this respect, the AG rather cursorily also deals with the question whether Google processes personal data. In particular, the copying, indexing, caching and display of source web pages which may and often do contain personal data, such as names, images, addresses, telephone numbers and descriptions, would constitute processing. The fact that “their character as personal data would remain ‘unknown’ to internet search engine service provider[s]” or that “the presence of personal data in the source web pages is in a certain sense random” would not change this conclusion. Moreover, the indirect identification of a natural person through the combination of a given name and surname as a search term would suffice as “the search result […] reveals a limited set of links permitting the internet user to distinguish between persons with the same name.”
As to whether internet search engine providers are controllers of personal data, the AG proposes that the Directive be interpreted based on the principle of proportionality “in order to achieve a balanced and reasonable outcome” and to avoid an overly broad application of the Directive which has not been drafted with the internet in mind (to “virtually everybody owning a smartphone or a tablet or a laptop computer”). In the AG’s view, the Directive does not intend to cover a situation
where the object of processing consists of files containing personal data and other data in a haphazard, indiscriminate and random manner” but is rather based on the assumption “that the controller knows what he is doing in relation to the personal data concerned, in the sense that he is aware of what kind of personal data he is processing and why.
That said, the AG distinguishes between the following two situations:
(1) The internet search engine service provider merely supplying an information location tool does not, in the AG’s view, exercise control over personal data included on third-party web pages. Rather, their role would be a passive intermediary function similar to telecommunications providers and other transmission service providers, whereas the principal controllers would be the information providers. Internet search engine service providers would neither be aware of the existence of personal data “in any other sense than as a statistical fact” and could not in law or in fact fulfill the obligations of controllers. Also, the internet search engine service providers would not in principle control the contents of the cache memory, except in certain cases.
(2) In contrast, search engine service providers would be controllers of the personal data contained in the index of the search engine which links key words to the relevant URL addresses. They would also be controllers of the contents of the cache memory, if they decide not to comply with the exclusion codes on a web page or not to update a webpage in the cache despite a request received from the website. In these cases, internet search engine service providers have to comply with all the obligations imposed on controllers in the Directive, including:
- the requirement for a legal basis for the data processing – in the AG’s view, the providers can in principle rely on the legitimate interest criterion pursuant to Article 7(f) of the Directive; and,
- the data quality principles in Article 6 of the Directive – in this respect, the AG considers it to be sufficient if the data corresponding to the search term really appears or has appeared on the linked web pages.
On this basis, the AG comes to the conclusion that a national data protection authority cannot require an internet search engine provider to withdraw information from its index except for the cases where this service provider has not complied with the exclusion codes or where a request emanating from the website regarding update of cache memory has not been complied with.
No right to be forgotten
The AG also discusses the general question whether the rights to erasure and blocking of data and the right to object as provided for in the Directive confer on data subjects a right to be forgotten, which he answers in the negative. In particular, a data subject would have no right to address a search engine service provider in order to prevent the indexation of information relating to him, which has been published legally on third parties’ web pages, merely based on the data subject’s subjective preference. In contrast to the proposed General Data Protection Regulation, the current version of the Directive would not provide for such a right.
Nor would such a right to be forgotten be warranted by the fundamental right to the protection of personal data as enshrined in Article 8 of the Charter of Fundamental Rights of the European Union and the corresponding provision in the European Convention for the Protection of Human Rights and Fundamental Freedoms. To the contrary, the rights to protection of personal data and private life are not absolute but must be balanced with other fundamental rights, including the freedom of expression, the freedom of information and the freedom to conduct business. In the AG’s view, a generalized right to be forgotten would sacrifice these pivotal other rights, resulting, among other things, in the censuring of published content by a private party.
The AG’s Opinion contains some rather innovative ways of interpreting some of the key notions and principles of the EU Data Protection Directive, which could have implications well beyond the search engine context. As the AG recognizes in his Opinion: “It is no wonder that data protection experts have had considerable difficulties in interpreting [Article 4 of the Directive] in relation to the internet” and it is therefore hoped that the Court will shed some light in its ruling.