The Advocate General of the Court of Justice of the European Union (the “CJEU”) has delivered his non-binding opinion in a case of critical importance currently pending before the CJEU. The case of Google Spain S.L and Google Inc. v Agencia Espanola de Proteccion de Datos (case C-131/12) revolves around the question of whether or not individuals have a right of erasure of links to information about them contained in a Google search result. The full Opinion of Advocate General Jaaskinen (the “Opinion”) is available here. The Opinion answers a number of questions including whether Google may be considered a data controller and whether EU law applies to it as an entity, the question of whether the “right to be forgotten” exists under current law is also addressed.
Background & facts
In 1998 a Spanish newspaper published an article on the auction of Mr Mario Costeja’s home under insolvency proceedings caused by non-payment of social security debts. Due to the fact that the newspaper made its articles available online, a Google search of Mr Costeja’s name returned links to the article. A request from Mr Costeja to remove the article from the online archive was refused by the newspaper on the basis that the Ministry of Labour and Social Affairs had ordered its publication. Following this, Mr Costeja then requested that Google Spain erase the link to the article from the search engines results (Google Spain forwarded this request to Google Inc. as it is the operator of the search engine) and also filed a complaint with Spain’s data protection watchdog the Agencia Espanola de Proteccion de Datos (the “AEPD”). The AEPD rejected the complaint against the newspaper on the grounds that the publication was legally justified, but upheld the complaint against Google Spain and Google Inc., requesting that the resulting links to the information about Mr Costeja be removed from Google’s search index.
Google then appealed the decision of the AEPD to the Spanish High Court on the following grounds;
- Google Inc. as the provider of the search engine was not within the scope of the European Data Protection Directive (the “Directive”).
- Google Spain a subsidiary of Google was not responsible for the search engine (despite the fact that it promoted advertising on the service).
- The search function did not process and personal data and even if it did, neither Google Inc. nor Google Spain could be regarded as a data controller.
- In any case, Mr Costeja had no general right to the removal of lawfully published material.
The Spanish High Court then referred a number of questions to the CJEU.
Of the questions referred, three main categories emerge; firstly the territorial application of the EU Data Protection Directive, secondly the notion of “data controller” in the context of search engines and lastly whether one has the “right to be forgotten” under the Directive. The AG gave his opinion on each of these;
Territorial scope and applicable national law
The AG rejected any notion that an organisation could come within the Directive on the basis that it targets customers or users in the EU stating that there must be grounds that bring its activities within the provisions of Article 4 of the Directive (which determines the geographic scope of application of the Directive). Article 4 provides that the rules of a Member State (a “MS”) apply when the processing is carried out by a data controller established in a MS or if a data controller established outside of the EU makes use of equipment within the MS for the purposes of processing. Google argued that it was not established in Spain (as Google Spain only acts as a commercial representative of Google for its advertising activities and is therefore not involved in search engine activities) and that Google Spain does not make “use of equipment” in Spain for the provision of search engine services.
Unfortunately the AG did not deal with the question of whether Google Inc. uses equipment in Spain but he did find that Google Spain did fall within the territorial scope of the Directive, reasoning that a controller is established in a MS if that MS acts as the place of establishment for the “revenue-generating limb” of the business and in this way bridges the two limbs of the business (even if the data processing operations take place elsewhere). He came to this conclusion by taking into account the business model of internet search engines and stressed that Google should be viewed as a single economic unit for the purposes of establishing the territorial activity of the Directive (regardless of the distinction between the actual processing activities and the data subjects to whom they relate.) Thus the AG’s opinion is that yes, EU law does apply to a search engine such as Google if it has an establishment in a MS for the purpose of promoting and selling advertising space on the search engine, as that establishment act as a bridge between the search service and the revenue generated by advertising.
Search engine providers as data controllers and / or data processors?
In answer to the question of whether or not a search engine process’s personal data the AG asserted that it does. His reasoning behind this was the fact that the notions of “personal data” and “processing” are sufficiently wide to cover the activities involved in providing links to information that is searched for by users. Crucially the AG’s answer to whether or not Google is a data controller was no. This is because a search engine like Google is not aware of the existence of personal data within the numerous websites that it indexes, for this reason, Google is not in a position to determine the uses made of that data. Thus according to the AG a search engine does not exercise control over personal data contained within a third party website. It follows from this that a data protection authority in a MS cannot compel Google to stop revealing personal data as part of search results.
The right to be forgotten
On the question of whether one can seek erasure of personal data in this context, Advocate General Jaaskinen (the “AG”) displayed unease with the whole notion of the “right to be forgotten”. He clarified that such a right is not contemplated within the current Directive, and that even if the CJEU were to find that internet search engine providers were responsible as controllers of personal data appearing in search results (the AG says they are not), then an individual would still not have this general right.
Reaction & Impact
The proposed new EU Data Protection Regulation currently gives European citizens the “right to be forgotten” (ie the right to request erasure of personal data even when in the hands of a third party) and so critics of this inclusion in the new law will undoubtedly welcome the AG’s opinion. Google has understandably welcomed the opinion with the company’s head of free expression Bill Echikson stating that “we’re glad to see it supports our long-held view that requiring search engines to suppress legitimate and legal information would amount to censorship.”
Although an opinion of the AG is not binding, the CJEU does follow his advice in about three quarters of all cases. It will be interesting to see whether the CJEU choose to follow this particular opinion. It should be noted that despite the non-binding nature of the opinion, it is a good indication of the possible reasoning of the CJEU in data protection cases and it will nonetheless influence data protection agencies and commissioners as well as courts and companies. A final decision from the CJEU is expected by the end of the year.