In a November 2014 decision, a French judge ruling in injunctive proceedingsreconsidered the position previously adopted by the Paris Civil Court in the so-called “right to be forgotten” debate by finding that Google France could not be held liable for the processing of personal data carried out by Google Inc., the US parent companythat operates the search engine.
On September 16, 2014, the Paris Civil Court had found Google France liable for the processing of personal data carried out by Google Inc. (see here for earlier blog post on this topic). The guidelines on the right to be forgotten later adopted by the Article 29 Working Party (“WP29?) are slightly ambiguous, stating that “[T]he effective application of the ruling and of data protection law requires that data subjects may exercise their rights with the national subsidiaries of search engines in their respective Member States of residence.” These interpretations raise many concerns in respect of the scope of liability faced by European subsidiaries of non-European search engine operators, notably:
- European subsidiaries usually do not operate the search engines and are therefore not in a position to give effect to any de-indexing order.
- Holding the European subsidiary liable instead of the non-European search engine operator infringes the fundamental principle in France of independent legal personality.
On November 24, 2014, in a different case, the same court addressed both these issues, reasoning that because Google France and Google Inc.’s operations are inextricably linked, Google France may be considered an establishment of Google Inc. pursuant to Article 5-1 of French data protection law, which triggers the application of that law to Google Inc. Nevertheless, contrary to the September order, the court ruled Google France may not be held liable as it does not operate the search engine and is therefore not the data controller. The judge added that, from a practical viewpoint, Google France cannot be ordered to de-index because Google France does not operate the search engine.
This decision is consistent with the ECJ’s ruling in Costeja v. Google (case C-131/12 of May 13, 2014), which referred to Google Spain to justify the application of Spanish data protection law to personal data processing carried out by Google Inc., but did not hold Google Spain liable for de-indexing.
Although the WP29 guidelines do not specifically assert that European establishments should be liable in fine, the WP29's interpretation arguably goes beyond the CJEU’s ruling. The WP29 seeks to offer greater protection to individuals by allowing them to enforce European data protection laws “with” local subsidiaries of search engines. At least with respect to the Paris cases, Google Inc. has submitted to the jurisdiction of French courts, requesting a permissive joinder in the November case; Google Inc. has also indicated that it will comply with the court’s order.
This decision is also an interesting example of how national judges use the ECJ’s ruling in Costeja v. Google to allow a plaintiff to request, under certain conditions, the removal of links to web pages containing information infringing the plaintiff’s privacy.