In a recent opinion, an Advocate General of the EU Court of Justice, the EU’s highest court, expressed the view that the EU Data Protection Directive applies to Internet search engines which contain data about EU citizens, regardless of the location of the servers which carry out the technical processing of the data. The Advocate General, however, considered that Internet search engine service providers are not responsible for the personal data appearing on the web pages they process.
In 2009, Google Spain was requested by a Spanish national (the data subject) to remove a link to a newspaper notice from 1998 reporting that a property he owned was up for auction due to his failure to pay certain debts. The link appeared when a Google search was carried out using the data subject’s name and surname. As the legal proceedings against him had been resolved, the data subject argued that the information was no longer relevant. The Spanish data protection authority ordered Google Spain and Google Inc to withdraw the data from its index and to render future access to it impossible. Google appealed to the Audiencia Nacional (the National High Court of Spain), which referred a number of questions to the EU Court on the applicability of the Data Protection Directive to Internet search engine providers.
Google sought to argue that the EU Directive did not apply as its Internet search service is provided by Google Inc, which is based in California, and no processing of personal data relating to its search engine takes place in Spain.
While the EU Court has yet to deliver its judgment in the case, the independent legal adviser assisting the Court, Advocate General Jääskinen, has delivered his opinion. Mr Jaaskinen took the view that an establishment processes personal data in a particular member state (and is accordingly subject to its data protection legislation) if it sets up an office or establishes a subsidiary in that member state for the purpose of selling targeted advertising to the persons living there, even if the technical processing happens in another country.
However, the Advocate General was of the opinion that Internet search engine providers are not ordinarily “data controllers” within the meaning of the Directive. Accordingly, a national data protection authority cannot, save in certain limited circumstances, require an Internet search engine service provider to withdraw information from its index.
The Advocate General also expressed an opinion on whether the Directive provides “a right to be forgotten”, ie whether a data subject can contact an Internet search engine service provider directly in order to prevent the indexing of information that appears on a third party website and which relates to him personally. He noted that a data subject has a right to the rectification, erasure and blocking of data, the processing of which does not comply with the provisions of the Directive, in particular where the data is incomplete or inaccurate. However, Mr Jaaskinen considered that there is no general right under the current Directive to restrict the dissemination of personal data which a data subject considers to be harmful to his interests.
The opinion is not binding on the Court, which is expected to deliver its decision later in the year.