The Advocate General’s Opinion in Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González has been published. The Opinion states that search engine service providers are not responsible under the Data Protection Directive for personal data appearing on web pages they process. But the Advocate General does consider that national data protection legislation is applicable to them when they set up an office in a Member State which orientates its activity towards the inhabitants of that State, so as to promote and sell advertising space, even if the technical data processing takes place elsewhere.
Background
In early 1998, a newspaper widely circulated in Spain published in its printed edition two announcements concerning a real-estate auction connected with attachment proceedings prompted by social security debts. A person was mentioned as the owner. At a later date, an electronic version of the newspaper was made available online by its publisher.
In November 2009 this person contacted the publisher of the newspaper asserting that, when his name and surnames were entered in the Google search engine, a reference appeared linking to pages of the newspaper with these announcements. He argued that the proceedings had been concluded and resolved many years earlier and were now of no relevance. The publisher replied that erasure of his data was not appropriate, given that the publication was effected by order of the Spanish Ministry of Labour and Social Affairs.
In February 2010, he contacted Google Spain and requested that the search results show no links to the newspaper when his name and surnames were entered into the Google search engine. Google Spain forwarded the request to Google Inc., whose registered office is in California, United States, taking the view that the latter was the undertaking providing the internet search service.
Thereafter he lodged a complaint with the Agencia Española de Protección de Datos (Spanish Data Protection Agency, AEPD) against the publisher and Google. By a decision on 30 July 2010, the Director of the AEPD upheld the complaint against Google Spain and Google Inc., calling on them to withdraw the data from their index and to render future access to them impossible. The complaint against the publisher was rejected, however, because publication of the data in the press was legally justified. Google Inc. and Google Spain have brought two appeals before the Audiencia Nacional (National High Court, Spain), seeking annulment of the AEPD decision. In this context, this Spanish court has referred a series of questions to the Court of Justice.
Opinion
In his Opinion, Advocate General Niilo Jääskinen addresses first the question of the territorial scope of the application of national data protection legislation. The primary factor that gives rise to its application is the processing of personal data carried out in the context of the activities of an establishment of the controller on the territory of the Member State. However, Google claims that no processing of personal data relating to its search engine takes place in Spain. Google Spain acts merely as commercial representative of Google for its advertising functions. In this capacity it has taken responsibility for the processing of personal data relating to its Spanish advertising customers.
The Advocate General considers that this question should be examined taking into account the business model of internet search engine providers. This normally relies on keyword advertising which is the source of income and the reason for the provision of a free information location tool. The entity in charge of keyword advertising is linked to the internet search engine. This entity needs a presence on national advertising markets and that is why Google has established subsidiaries in many Member States. Hence, in his view, it must be considered that an establishment processes personal data if it is linked to a service involved in selling targeted advertising to inhabitants of a Member State, even if the technical data processing operations are situated in other Member States or third countries. Therefore, Mr Jääskinen proposes that the Court declare that processing of personal data takes place within the context of a controller’s establishment and, therefore, that national data protection legislation is applicable to a search engine provider when it sets up in a Member State, for the promotion and sale of advertising space on the search engine, an office which orientates its activity towards the inhabitants of that State.
Secondly, as for the legal position of Google as an internet search engine provider, Mr Jääskinen recalls that, when the Directive was adopted in 1995, the Internet and search engines were new phenomena and their current development was not foreseen by the Community legislator. He takes the view that Google is not generally to be considered as a ‘controller’ of the personal data appearing on web pages it processes , who, according to the Directive, would be responsible for compliance with data protection rules. In effect, provision of an information location tool does not imply any control over the content included on third party web pages. It does not even enable the internet search engine provider to distinguish between personal data in the sense of the Directive, which relates to an identifiable living natural person, and other data. In his opinion, the internet search engine provider cannot in law or in fact fulfil the obligations of the controller provided in the Directive in relation to personal data on source web pages hosted on third party servers.
Therefore, a national data protection authority cannot require an internet search engine service provider to withdraw information from its index except in cases where this service provider has not complied with the publisher’s exclusion codes[i] or where a request emanating from a web site regarding an update of cache memory has not been complied with. This scenario does not seem pertinent in the present case. A possible ‘notice and take down procedure’ concerning links to source web pages with illegal or inappropriate content is a matter for national civil liability law based on grounds other than data protection.
Thirdly, the Directive does not establish a general ‘right to be forgotten’. Such a right cannot therefore be invoked against search engine service providers on the basis of the Directive, even when it is interpreted in accordance with the Charter of Fundamental Rights of the European Union.[ii]
The rights to rectification, erasure and blocking of data provided in the Directive concern data whose processing does not comply with the provisions of the Directive, in particular because of the incomplete or inaccurate nature of the data. This does not seem to be the case in the current proceedings.
The Directive also grants any person the right to object at any time, on compelling legitimate grounds relating to his particular situation, to the processing of data relating to him, save as otherwise provided by national legislation. However, the Advocate General considers that a subjective preference alone does not amount to a compelling legitimate ground and thus the Directive does not entitle a person to restrict or terminate dissemination of personal data that he considers to be harmful or contrary to his interests.
It is possible that the secondary liability of the search engine service providers under national law may lead to duties amounting to blocking access to third party websites with illegal content such as web pages infringing intellectual property rights or displaying libellous or criminal information. In contrast, requesting search engine service providers to suppress legitimate and legal information that has entered the public domain would entail an interference with the freedom of expression of the publisher of the web page. In the Advocate General’s view, it would amount to censorship of published content by a private party.
The full text of the Opinion can be found here. SCL members will not need reminding that the Advocate General’s Opinion is merely advisory.
Comments
Kim Walker, Partner on the technology team at Thomas Eggar, comments:
‘The reports of the opinion have had the “right to be forgotten” as their focus. This is something which the European Parliament is debating as the EU planned updates for the Data Protection Directive. In the years since 1995 when the Data Protection Directive was issued, the growth of online and the role played by search engines in making such data available has changed beyond anything which could have been anticipated back then.
For the time being, data which is accessed via a search engine will continue to be available and it is the responsibility of the publisher of a source web page to make sure that data is accurate and, in keeping with the data protection principle of fair use, is not kept for longer than is necessary.
But if data forms part of a published and publicly available report, there is little that an individual can do about this. Archived copies of websites are being created and will be available in the future, the contents of which will not differentiate personal data from other information.
The opinion is also interesting for “Google watchers” in the light of the decision Google has taken about where it does business and pays tax. Google may have argued otherwise but the opinion concluded national data protection legislation (in Spain) is applicable to a search engine provider when it sets up in a member state and Google Spain was clearly doing this with the promotion and sale of advertising space on the search engine.’
Laurence Eastham comments:
It is perhaps unfortunate that the CJEU test case on search engine liability for its results, if this case can properly be ascribed that status, has arisen from these facts. Of course, the CJEU’s ruling will be based on the general principles but some applicants attract more sympathy than others and that can skew rulings. Here, the original report was accurate and derives from a court order and is thus unimpeachable. Not all web content that is returned by search engines is in that category.
I do wonder whether the finding that Google Inc must comply with Spanish data protection law is the more important aspect of this Opinion. It might very well be argued that it espouses a principle that might even impact upon Google’s tax liability.
[i] The publisher of a source web page can include ‘exclusion codes’, which advise search engines not to index or store a source web page or to display it within the search results. Their use indicates that the publisher does not want certain information on the source web page to be retrieved for dissemination through search engines.
[ii] In particular, the rights of respect for private and family life (Article 7) and protection of personal data (Article 8) versus freedom of expression and information (Article 11) and freedom to conduct a business (Article16).