Regulators deliberate as search engine operators (“SEO”) work to assemble and implement compliant practices in the wake of the Court of Justice of the European Union’s (“CJEU”) purposive and controversial decision in last month’s Google case.
Mr Gonzáles asked Google Spain and Google Inc. to remove links to two reports regarding an historic repossession order against him which would show up in search results whenever his name was Googled. The Spanish data protection authority the Agencia Española de Protección de Datos referred a number of key questions to the CJEU, which responded as follows:
- Are SEOs ‘data controllers’ of the personal data contained in the source web-pages which they index, such that they are caught by the remit of Data Protection Directive 95/46/EC (the “Directive”)?:
YES... SEOs’ processing activities can include the collection, recording, organisation, storage, retrieval, disclosure and making available of personal data, all of which amount to ‘processing’. Further, SEOs determine the purposes and means of that processing and therefore must be regarded as “data controllers”.
- Does an online SEO fall within the territorial scope of the Directive if it sets up in a European Member State an office or subsidiary for the purpose of promoting and selling advertising space on the search engine which orientates its activity towards the inhabitants of that State?:
YES... the CJEU held that the promotion and sale of advertising space, which Google Spain attends to in respect of Spain, constitutes the bulk of Google’s commercial activity and therefore may be regarded as closely linked to Google’s search engine business Google Search. As a result of this “inextricable link”, Google’s “processing” of personal data is carried out in the context of’ Google Spain’s activities and therefore falls within the territorial scope of the DP Directive.
- Do individual data subjects have a ‘right to be forgotten’ which (if invoked) requires online SEOs to remove/delete the offending links if they are seen as infringing the DP Directive?:
YES... Where the processing of the personal data is incompatible with the Directive,SEOs are obliged to remove from the list of results displayed following a search made on the basis of a person’s name, links to web pages, published by third parties and containing information relating to that person even, as the case may be, when its publication in itself on those pages is lawful. However, the CJEU made it clear that the rights of internet users interested in accessing such search results should be considered side by side with the rights of the relevant data subject. Although, as a general rule, data subjects’ rights override the legitimate interest of internet users to access information. The sensitivity of the information involved and any public interest in access to it (e.g. where the data subject has a public role) must be taken into account.
The decision prompted concerns that the CJEU has leant too much weight to individuals’ right to privacy as opposed to the right of freedom of expression (for example, in the case of journalists and researchers) and confirmed that data subjects have the right to request SEOs to take down certain search results
This strongly purposive interpretation of the legislation was in favour of privacy and the determination on jurisdiction is of potentially wider application. Businesses may increasingly find various EU authorities asserting jurisdiction over, for example, website processing, if there is a local presence and promotions are aimed at the local market, even though the server is based elsewhere.
National regulators have been digesting the CJEU’s decision and issuing guidance accordingly. In his blog, the UK’s Deputy Commissioner and Director of Data Protection underlined the fact that the decision has been made under the existing legislation and thus shows that the current framework is still of relevance to modern data protection issues. However, he also stressed the need to keep the implications of the decision in proportion and recognise that there is no absolute right to have links removed. Further, even if a link is removed, the original publication will remain (as long as the personal data contained within it is being processed lawfully). In addition, the ICO has produced a helpful overview of key points of the CJEU judgment.
Meanwhile, Google has been inundated with requests from thousands of individuals for links to be removed from search results lists. The California based company has set up a committee to advise it on how to handle its new data protection obligations and has implemented a mechanism for dealing with such requests by way of an online form. It is also planning to flag up those search results pages which have been censored as a result of the CJEU decision.
If SEOs refuse to comply with the wishes of those individuals who request for information to be removed from results lists, the individual can seek recourse through their national data protection regulator. It will be interesting to see how regulators will approach their responsibilities in respect of such complaints and ensure consistency across the EU.