A new decision of the Court of justice of the European Union (case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos) raises very interesting points with regard to the application of data protection rules (namely Directive 95/46/EC) to search engines. The PR of the court is here.
The case started with a series of complaints filed with the Spanish Data Protection Agency (AEPD). A specific claim concerned some information, published on the popular newspapers La Vanguardia, reporting financial difficulties of the claimant (the sale of some estates). The claimant wished such information to disappear from the web, because the financial difficulties had been solved, and therefore he asked the newspaper to remove it and Google to disable the links when googling his name. Remarkably, the case against the newspaper was lost, because AEPD found that such information were true and lawful and therefore one could interfere with the freedom of the newspaper. By contrast, AEPD upheld the complaint against Google and its Spanish subsidiary, Google Spain, calling the dominant search engine to take the necessary measures to withdraw the data from their index and to render future access to the information impossible via their search engine. Google and Google Spain appealed against that decision before the Spanish courts and the case was then submitted to the CJEU in Luxembourg.
The application of European data protection rules to Google and, in general, to extra-EU Internet operators
According to the European judges, a search engine is subject to European data protection rules even if it is establihed outside the EU, provided that the relevant business is directed to European users. Therefore, the simple circumstance that headquarters, main establishment, servers, ecc of a search engine are located abroad, in an extra-european country, is not a reason to skip the European jurisdiction. The European Court held, in this regard, that where personal data are processed to promote and sell in a given Member State (such as Spain, in the case at stake) advertising space offered by the search engine in order to make a revenue, then European rules apply. This conclusion is not surprising, however one should note that the technical details of the case (i.e. the fact that the technogical establishment of the data processing are located in the US) had been invoked by Google to dismiss the European/Spanish jurisdiction. Google normally maintains that its search engine business is run by Google Inc., based in California, and then it is subject only to US data protection legislation. In the case at stake, it argued that Google Spain is only responsible for selling advertising on US Google and has no role in the operation of the search engine itself. However, AEPD pointed out that Google Inc. indexes Spanish websites using crawlers and robots and uses a Spanish domain name. Moreover the centre of gravity of the litigation was in Spain, concerning information published on a Spanish website, in Spanish language, about Spanish residents.
Remarkably, the issue of the European jurisdiction over Google Inc. had been already debated in a similar case fought in Italy about data protection and minors protection (the famous Vividown case). There the national courts reached similar conclusions (although the finally lost in the merits of the case): the national laws apply to Google because of the territorial target and effects of its business activity. Today’s CJEU’s decision confirms this approach.
The search engine and the right to be forgotten: an attempt to regulate Google?
The merits of the case is more intriguing and rise some legitimate questions. As stated above, the personal data as stake were lawfully published on Spanish newspapers and have not been removed from there. Therefore, one should wonder why the right to be forgotten rule should be applied only to Google, with respect to data stored in servers outside its control. Google respectfully invoked the intermediary liability set forth by the Electronic commerce Directive (directive 2000731/EC). The CJEU, by contrast, took another view:
“… the Court holds that the operator is, in certain circumstances, obliged to remove links to web pages that are published by third parties and contain information relating to a person from the list of results displayed following a search made on the basis of that person’s name. The Court makes it clear that such an obligation may also exist in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.”
Thus, the court refers to “certain circumstances” which must considered by the search engine, or eventually by the national judge in case of disagreement, on the basis of a balance evaluation between the data subject’s rights and those of other internet users with legitimate interests in finding information.
The decision sounds a bit political. The CJEU seems to suggest that in the current Internet ecosystem search engines counts much more than the source of the data:
“….Given the ease with which information published on a website can be replicated on other sites and the fact that the persons responsible for its publication are not always subject to European Union legislation, effective and complete protection of data users could not be achieved if the latter had to obtain first or in parallel the erasure of the information relating to them from the publishers of websites”
According to the European court, without the indexing and searching activity of Google, such data continue to exist but they are substantially not accessible, thus they are like non-existing. One should wonder whether this conclusion is driven by the fact that Google is the dominant operator in the online search sector. In a very competitive search market, i.e. with a plurality of search engines, the only workable solution would be to remove the information directly at the source. However, in the current markets structure, dominated by Google, the decision of the CJEU seems to be driven by a practical opportunism rather than by a solid legal reasoning.
The interferences with other frameworks
We will continue to talk about this sentence, because it may originates consequences which have not been fully considered by the court. The assumption that a search engine, as in the case of Google in the present case, must be seen as a data controller, opens the doors to large consequences for a wider range of operators, not only search engines. The impact on the Electronic commerce Directive (2000/31/EC) should be also analyzed as well as the regime of ISP liability: was Google acting as a caching, hosting operator, or what else? In addition, the idea that intervening upon indexing rather than removing a content at the source also appears problematic from technological point of view.
In any case, the finding of the CJEU (you may like it or not; I do not like it so much) is remarkable and may be seen as the recognition of the paramount position achieved by search engines, and in particular by Google, in the Internet. Without the search activity as developed until now, information and data disseminated in the Internet have little importance because they cannot be easily found: “I am indexed, then I exist“. The existence of individuals’ data in the Internet is the result of the capability to be reached by third parties, and search engines (Google in particular) enable, and somehow control, such capability.