In a landmark ruling last week, the European Court of Justice (ECJ) held that search engines can be forced to remove certain search results if they link to Web pages that contain information infringing the privacy of EU citizens. In effect, this creates a judicially sanctioned “right to be forgotten” that will allow data subjects to scrub their names from the public record.

The ECJ also extended jurisdiction under European data protection law to include non-EU companies that have a branch or subsidiary in the European Union and that collect data in the context of business activities in the European Union. The effect of this jurisdictional ruling on web-based business activity is potentially sweeping. Under the ruling, non-EU businesses potentially need to conform their websites to comply with EU privacy laws — including adopting cookie consent mechanisms and revamping their privacy policies — just because they have a physical presence in Europe.

The case started when a Spanish individual, invoking his “right to be forgotten,” lodged a complaint with the Spanish Data Protection Authority (the AEPD) against both a newspaper that published an article about him on its website and Google, which indexed the article in its search results. The AEPD upheld the complaint against Google Spain and Google Inc., requiring them to delete the data from their index and to render future access to the newspaper articles impossible.

Google appealed the AEPD’s decision to a Spanish court, which referred the following questions to the ECJ:

Does EU data protection law apply to Google?

According to the ECJ, Google Inc. established a subsidiary, Google Spain, to promote the sale of advertising space and act as a commercial agent for the Google group in Spain. For local law to apply, the ECJ held, the 1995 Data Protection Directive does not require that the processing of personal data in question be carried out “by” the local subsidiary itself, but only that it be carried out “in the context of the activities” of the local subsidiary. The ECJ went on to hold that the processing of personal data by a search engine operated by a non-EU business having a subsidiary in a Member State is carried out “in the context of the activities” of that subsidiary when the subsidiary is set up to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the search engine profitable.

In the light of the above, the ECJ concluded that EU data protection law applies to Google with respect to its search engine service offered in Spain.

By way of background, the Data Protection Directive has special rules on the jurisdiction of data protection law that consider as a significant factor whether data processing is closely linked to the country where the data controller is "established." Put simply, if a data controller conducts processing "in the context of the activities of an establishment" located in an EU Member State, the data protection law of that Member State will apply. If the data controller is established outside the European Union, then the data protection law of an EU Member State will apply only if the data controller makes use of "equipment" for processing in a Member State.

For more than a decade, a number of U.S.-based data controllers, particularly in the Internet space, have argued that EU law does not apply to them because they are not "established" in the European Union and do not make use of "equipment" in the European Union. In response, data protection authorities argued that the use of cookies (or similar technologies) constitutes a form of using "equipment" in the European Union triggering the application of EU data protection law (the "equipment" in question being the end user terminal on which the cookie is placed). They also adopted a broad definition of "establishment," arguing that the marketing affiliates of a U.S.-based Internet company could be considered as an "establishment" in the European Union. These theories are developed in a 2010 Article 29 Working Party opinion on applicable law,1 but had not previously been confirmed by a court of significance — until now.

The ECJ did not base its decision on a finding that the Spanish affiliate had any technical role in the search engine's data processing, but instead pointed to strong economic links: specifically, that the Spanish affiliate promoted the sale of advertising space on the search engine Web page. Consequently, the court found that "the activities of the search engine and those of its establishment situated in the Member State concerned are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed."2

The court admitted that its interpretation is broad, but determined that the Directive's language should be interpreted in a manner that provides effective protection for the rights of EU citizens.3

Is the activity of a search engine properly classified as “processing of personal data” and is the operator of the search engine thus a “controller” with respect to that processing?

The ECJ found that a search engine’s activities of finding personal information published or placed on the Internet by third parties, indexing it automatically, storing it temporarily, and, finally, making it available to Internet users according to a particular order of preference must be classified as “processing of personal data” within the meaning of the Directive.

According to the court, since a search engine determines the purposes and means of the above-mentioned processing operations, it must be regarded as the “controller” in respect of that processing.

Google (or its Spanish affiliate) is therefore required to perform the obligations of a data controller, including responding to requests for deletion or rectification. This aspect of the court's opinion leaves many open questions for Internet intermediaries that process publicly available data on the Internet. How can a technical intermediary such as a search engine possibly comply with all the obligations of a data controller under EU law? In an opinion preceding the ECJ decision, the court's Advocate General recommended that the Google search engine not be deemed a controller for precisely this reason. According to the Advocate General, it would be anomalous to interpret the Directive in a way that imposes obligations on an entity that the entity manifestly cannot satisfy.

May a Data Protection Authority require a search engine to remove personal data from its search results? What if the information has been lawfully published and is kept on the Web page from which it originates?

According to the ECJ, the search engine, as autonomous data controller, has the responsibility to ensure that personal data are processed fairly and lawfully; that they are adequate, accurate, relevant, and not excessive for the purposes for which they were collected; and that they are kept for no longer than necessary. Moreover, since information published on a website can be replicated on other sites and the persons responsible for its publication are not always subject to the Directive, effective and complete protection of data users could not be achieved if the latter had to obtain first or in parallel the deletion of the information from the publishers of websites.

Therefore, in order to comply with EU data protection law, the court ruled that a search engine is required to remove from its list of search results Web pages containing the offending personal data. This is true even where the publisher of the Web page containing the data does not erase the data before or simultaneously to the search engine’s deletion of the link, and even, as the case may be, when the publication of the data in itself on those pages is lawful.

May the data subject request that the search engine delete data from its index, even though the information in question has been lawfully published by third parties?

According to the ECJ, a data subject can require the operator of a search engine to remove from its list of search results, displayed following a search made on the basis of the data subject’s name, links to Web pages published lawfully by third parties and containing true information relating to the data subject, on the ground that that information may be prejudicial or that the data subject wishes it to be “forgotten” after a certain unspecified period of time.

In so ruling, the court held that the right of the data subject to request that the information in question no longer be made available to the general public overrides not only the economic interest of the operator of the search engine, but also the interest of the general public in finding that information as a result of a search relating to the data subject’s name.

However, according to the ECJ, the deletion right can be circumscribed if the interest in maintaining the link outweighs the data subject’s right to privacy. Such a decision can take into account factors such as the role played by the data subject in public life, or that the interference with the data subject’s privacy rights is justified by the preponderant interest of the general public in having access to the information in question. Thus, the court created an ambiguous balancing test that is sure to be interpreted differently by the different Member States, and is surely to spawn litigation when data subjects inevitably seek to delete unflattering, yet relevant, information about themselves online.

* * *

At a first reading, the ECJ's ruling appears contradictory and not in line with existing case law. The ruling raises difficult issues around freedom of expression and leaves an open question with regard to the compatibility between multiple EU directives.

What does this holding mean for businesses outside the European Union?

The opinion appears to be problematic for any U.S. or other non-EU entity doing business in Europe through a local subsidiary, as it now extends data protection jurisdiction to these entities. The net result is that companies that do not process data in Europe, but which serve EU customers, may have to review and revamp their disclosures, privacy policies, and information governance procedures to now conform to the data protection laws in the countries in which their EU subsidiary or subsidiaries are located.

Consider the example of online service providers (including cloud providers) located outside the EU but with sales affiliates in Europe. Any sales affiliate that contributes to the business of the online or cloud platform can be considered an "establishment" for purposes of triggering the application of local data protection law. Theoretically, a different local data protection law would apply in each Member State in which a sales affiliate is located, leading to a confusing matrix of compliance obligations. For such organizations it may make sense to create a main establishment in one Member State that will become the "data controller" for the processing of data in Europe. This strategy would also dovetail with the future EU Data Protection Regulation, introduced to replace the Data Protection Directive, which in its current form (although subject to much debate) creates a “one stop shop” system that would designate as a data controller’s primary regulator the data protection authority located in the country of the data controller's "main establishment."4

For brick-and-mortar businesses that simply have a website available to EU customers with no local subsidiary or marketing affiliate located in the European Union, the ECJ decision should not require a change. Data protection authorities can still argue that the use of cookies constitutes the use of "equipment" in the European Union. But the ECJ case does not address this theory. Therefore, the risk profile for these types of EU online sales-only operations has not changed.5

Otherwise, in borderline situations where a non-EU business has even remote contacts in or marketing activities specifically directed to the European Union, it may be appropriate for the business to conduct a fact-specific analysis of potential risk to the data subject if faced with a deletion request. The court's reasoning in the Google case was linked closely to the court's determination that European citizens would lack meaningful protection if U.S. law applied to Google's search activities. The court openly stretched the limits of the Directive's language to bring Google within the Spanish court's jurisdiction. Other enterprises and fact situations may not present the same risk profile.

If EU law applies, what then?

The question of whether an Internet service provider is a "data controller" or "data processor" can be complex, and the Google decision has made the situation even murkier. Without getting into the details of the controller vs. processor distinction, let us assume for a moment that EU law applies under the "establishment" theory, and that the relevant service provider is a data controller based on the court's Google decision. What next? A data controller has obligations toward data subjects, who in this case are the millions of individuals whose personal data are published elsewhere on the Internet and processed by the platform. Under the Data Protection Directive, a data controller must inform data subjects of the purpose and nature of processing and of their right to object. But how might this be done? In most cases, the platform indexes information publicly available on the Internet, and the platform has no clue whether the information is personal data and, if it is, to whom the data relates. The court in the Google decision provides no guidance on how compliance can be accomplished.

Companies who believe that the ECJ’s decision may bring them under EU law as data controllers may have no perfect solution: if they cannot individually notify data subjects, they may have to fall back to second-best solutions. One such solution may be to develop an online tool that effectively demonstrates to data subjects what data the controller has about them and to object to processing that they deem inappropriate. This will impose a significant new burden on platforms and could restrict freedom of expression because platforms will generally err on the side of deleting data.

Future changes to regulation

Elsewhere in the European government institutions, the Data Protection Directive is currently under review. The timing of any changes is uncertain as the reforms still are being debated by the EU’s political bodies.6 However, there are firm proposals to introduce revenue based fines, possibly up to 5% of global turnover for violations of the new law. It is also likely that the rules on the scope of applicability of the law will be amended, so that future EU data protection law will apply to any services that are directed at EU citizens, regardless of where the controller of the service is located. So even those businesses that conclude they are not affected by the Google decision should keep the pending changes to EU data protection law in mind as they review their compliance procedures.

Status of the decision

There is no appeal process from the ECJ decision, which is a final ruling on how the current law should be interpreted. The case itself will now be referred back to the Spanish court for a decision consistent with the ECJ’s ruling.