The dust has yet to settle but much has already been said about the implications of the Google Spain decision by the Court of Justice of the European Union (CJEU) and the right to be forgotten. The controversy has focused on the impact of this judgment on freedom of expression and the right of access to information, as well as the potentially devastating effect of a large amount of deletion requests. EU regulators are wondering – like everybody else – how big and unmanageable this is going to get, whilst search engines scramble for resources to deal with the unknown. With the prospect of an even more demanding EU privacy framework looming over the horizon, the right to be forgotten decision is a potential game changer for the whole Internet industry. But the CJEU did not just enable an unprecedented level of control by individuals over their data, it shook the basis on which the applicability of EU data protection law has been understood until now.
Without much hesitation, the CJEU established that Spanish data protection law applied to Google on the basis of the rule that relies on data processing carried out in the context of the activities of an establishment of a controller located in an EU Member State. In practical terms, the CJEU took the view that under this rule there were two conditions for the local law of a Member State to apply. The first one is an easy one to spot, as it simply involves having an establishment in a particular country. For these purposes, a local subsidiary – no matter how modest – will do. The second condition is fiddlier. It requires showing that the local establishment is involved in some way in the processing activities, even if that establishment is not actually doing the processing.
Aligning itself with the previous positions of the Article 29 Working Party on search engines and of the CJEU’s own Advocate General, the CJEU decided that the sales generated by Google’s local establishment in Spain were linked to the profit generated through the data processing activities – irrespective of where these actually took place – and that link was sufficient to trigger the applicability of Spanish law. The key point was that even if the local establishment is not making any real data processing decisions – as was acknowledged to be the case in this instance – that local subsidiary may still bring the whole data activity within the scope of application of the law, as long as there is some commercial connection with the data uses.
This stretching of the law may sound entirely reasonable to some and completely disproportionate to others. Many would argue that it is only fair that European law applies when Europeans data is being collected, even if the rules that determine the applicability of the law have nothing to do with whose data we are talking about. That is a different debate that is already being addressed as part of the new regulatory framework. What is more earthshattering about the CJEU’s interpretation of the existing rules is that each and every local subsidiary in the EU may be capable of triggering the applicability of the local data protection law. So here’s the critical question: would that local – Spanish, Italian, French, German… – law apply when the declared controller is in, say, Ireland or the UK?
If that were the case, it would rock the long standing argument and legal position that a controller headquartered in an EU country only needs to comply with the data protection law of that country. This is a legal argument that has driven many global businesses to ensure that data decisions are made by those employed by the EU entity asserting controllership. With this approach comes an acknowledgement that EU data privacy law is indeed applicable, but not necessarily the national laws of all EU countries where the corporate group has a presence. Will this change now? Has the CJEU irremediably moved the goalposts and disabled such a widely relied-upon doctrine?
Only the CJEU can categorically answer that question but given the traction that the one-stop-shop and lead authority concepts have had in Europe in recent years, there is still hope that appointing an EU-based controller will continue to deliver the compliance advantages sought by so many. Whilst the CJEU did not expressly confirm the beneficial effect of a self-declared EU data controllership, it pointed out that one of the reasons for taking the approach it took was that the data protection directive sought to prevent individuals from being deprived of the protection guaranteed by the directive and that protection from being circumvented. This is of course a level of protection that, unless the European Commission indicates otherwise, is afforded by any of the national laws of the EU. Therefore, in the absence of further output by the CJEU in this regard, publicly appointing an EU-based entity as a data controller should continue to be regarded as both responsible and valuable for global businesses.