The European Court of Justice (ECJ) is considering a critical case regarding the “right to be forgotten” and the application of EU data protection law to Internet intermediaries. The case involves a Spanish individual who is seeking to require Google to delete references to newspaper articles mentioning his prior involvement in debt collection proceedings from its search results. The ECJ’s adviser, Advocate General (AG) Niilo Jääskinen, recently issued a non-binding opinion stating that although EU law should apply to Google, the company should not be deemed a “data controller” for its search engine activities. The opinion also warned that the “right to be forgotten” can adversely affect freedom of expression.
The case began when the individual – invoking his “right to be forgotten” – lodged a complaint with the Spanish Data Protection Authority against both the newspaper that published the articles on its website and Google. The Spanish DPA upheld the complaint against Google Spain and Google Inc., and called on them to delete the data from their index and to render future access to the newspaper articles impossible. Google appealed the DPA’s decision to the Spanish Court, which referred a number of questions to the ECJ. These questions relate to the right to be forgotten, but also to two questions of fundamental importance to practitioners:
- Does EU law apply to non-EU based Internet intermediaries?
- Is an Internet intermediary, such as a search engine, a “data controller” with regard to personal data contained in third-party websites?
While not binding on the ECJ, the AG’s opinion carries significant weight. The AG’s key conclusions are as follows:
Does EU law apply to Google? According to the AG, EU law applies if a search engine has an establishment in a Member State for the purpose of promoting and selling advertising space. The AG adopted a broad interpretation of “establishment,” including an affiliated sales company, regardless of the processing activity actually carried out by the local establishment and regardless of the kind of data processed. If confirmed by the ECJ, this conclusion would considerably expand the EU’s jurisdiction, subjecting many US-based companies – particularly those in the Internet space – to the application of local data protection law in one or more EU Member States. To avoid application of multiple national data protection laws, US-based multinationals would be advised to create a main establishment in one European Member State for data protection purposes, so as to benefit from the “country of origin” principle of the EU Data Protection Directive 95/46/EC. This strategy should continue to be effective under the proposed Data Protection Regulation, which will likely include a provision permitting companies to choose the country of their “main establishment” as their hub for data protection purposes.
Does a search engine process personal data? The AG answered this question in the affirmative, reasoning that wide notions of “personal data” and “processing” cover the activities involved in providing links to searched-for information.
Is Google a controller of that data? The AG found that because a search engine such as Google is not aware of the existence of personal data per se within the various websites it indexes, it is not in a position to determine how that data is used. According to the AG, a search engine does not exercise control over personal data included on third-party web pages:
the service provider is not ‘aware’ of the existence of personal data in any other sense than as a statistical fact web pages are likely to include personal data. In the course of processing of the source web pages for the purposes of crawling, analyzing and indexing, personal data does not manifest itself as such in any particular way.
Citing the ECJ’s Lindqvist decision, the AG reasoned that it would be absurd to impose the responsibilities of a “controller” on an entity that manifestly has no way to exercise those responsibilities. If confirmed by the ECJ, this conclusion will greatly assist cloud providers, and dampen DPA efforts to find “joint controller” status for cloud providers. The “awareness” criterion would exclude many cloud providers from being considered controllers of the personal data stored by their customers, because cloud providers are not “aware” of what personal data their customers store.
The right to be forgotten. The AG found that a general “right to be forgotten” is not contemplated in the EU Data Protection Directive. The AG stated that imposing an obligation to block access to legally-published content would dangerously interfere with search users’ rights to access information, as well as Google’s fundamental right to conduct a business. The situation would be different, noted the AG, if the underlying content is illegal. However, in this case, the underlying content is legal, and a right to be forgotten would therefore raise difficult censorship issues.
Regardless of how the ECJ ultimately decides the case, the AG’s opinion will influence DPAs, local courts and companies when considering how EU data protection law applies to cloud and internet-based services.