How many days a week don’t you use Google? If you’re anything like me then the answer would be “not many, hmmm, maybe not any actually:  I really should get out more”. We trust Google to help us find what we need as quickly as possible and they are clearly very good at this. However, the power that Google has and how they use that power is coming under repeated scrutiny, particularly in the data protection arena with both the French data protection authority and the Information Commissioner’s office announcing in June and July respectively, that unless Google amends its privacy policy they will take formal enforcement action.

One of Google’s recent battles has been in Spain, where several individuals are peeved with the results that come up when you type their name into the ubiquitous search engine. On 25th June the Advocate General gave his opinion on the points referred to the European Court of Justice (“ECJ”) by the National High Court of Spain and overall the result has been a good one for the chaps and chapesses at Google. (Although the ECJ has yet to give a verdict and is not bound by the Advocate General’s opinion, it would be unusual for the ECJ not to follow it.).

Several questions were referred to the ECJ but I’m going to concentrate on the parts of the debate that are likely to be of wider interest. If you want to read the full opinion, then get some coffee and click here.

Jurisdiction 

Under the Data Protection Directive (95/46/EC) (“Directive”) a member state is instructed to apply it’s national data protection laws (that enact the provisions of the Directive) where the processing of personal data is carried out in the context of the activities of an establishment of the controller in the territory of the members state; or, where the controller is not established within the European Community, where they make use of equipment (even if that use is automated) in a member state for the purposes of processing personal data (unless such equipment is only used for transit through the EC).

Google, Inc. is based in California and Google has argued that since its Spanish subsidiary does not process any personal data, but only sells advertising to its parent company, this is not sufficient activity to bring Google under the ambit of Spanish data protection law.  The Advocate General did not agree with this, and states in his opinion that, since the Directive was written without the Internet in mind, it makes sense to approach the question with the business model of Internet search engines in mind.  Since the search engines rely on keyword advertising then the entity in charge of keyword advertising, i.e. the local entity, constitutes an establishment for the purposes of the Directive.

Is the local Spanish Google entity a “controller” of the data?

The Advocate General was clear that, in his opinion, the Internet search engine provider processes personal data: he points out that personal data is very widely defined and will frequently be included on websites, and that the business of locating information published on the Internet by third parties, indexing, storing it and making it available to users amounts to processing.  (The fact that the search engine was not aware which of the data it was processing was personal and which constituted other information was irrelevant to whether the search engine was processing or not.)

Things start to get better for Google where the Advocate General looks at the concept of “controller”.  The Directive states that a controller is the person which determines the purposes and means of the processing of personal data (Article 2(d) of the Directive) and the Advocate General allows that on a literal interpretation of the Directive Google’s activities in Spain might be caught.  However, he points out that the legislation was drafted to be inclusive precisely to cover all future eventualities.  He also notes that in 1995 (when the directive was implemented), the Internet had yet to get off the ground and it was well and truly before the Internet became the all consuming beast that we know and love today.

The Advocate General allows, based on previous judgments of the ECJ, that when interpreting the Directive in relation to new technological phenomena “the principle of proportionality, the objectives of the Directive… must be taken into account in order to achieve a balanced and reasonable outcome” (paragraph 79 of his opinion).  Using this starting point he notes that the Directive’s characterisation of a controller is based on a controller being responsible for personal data and the controller being aware of what kind of personal data he is processing and why.  The Advocate General contrasts the processes used by an Internet search engine with this state of knowledge and intent and points out that a search engine is an information location tool, does not control the personal data on third party websites, and does not distinguish personal data from any other data as part of its processing and concludes that such a search engine is therefore not a data controller of the personal data on third party websites.

The Advocate General points out that to think about the position otherwise would be to characterise every person picking information off the web as a data controller and would, if taken to its logical conclusion, render Internet search engines as being illegal, for falling foul of the stricter laws surrounding the processing of sensitive personal information.

We will see whether the ECJ follows the Advocate General’s opinion in due course (judgment is expected by the end of the year).  In the meantime, as Google’s motto goes “don’t be evil”, oh and what search string will find me a decent present for me to get for my mother-in-law?