Who: Advocate General Jääaskinen, the Spanish Data Protection Authority (“AEPD”), Mario Gonzalez and the Court of Justice of the EU
When: 25 June 2013
Law stated as at: 11 July 2013
A Spanish individual, Mario Costeja Gonzalez, tried to get a newspaper to remove an article which related to auctioning of his property due to social security debts. He failed, but instead tried to prevent Google Spain from providing a link to the internet version of the article when his name was searched.
The Spanish Data Protection Authority upheld the complaint against GoogleSpain. This case was then referred to the European Court of Justice in March 2012, after Google challenged the decision. It is one of 180 similar Spanish cases which are pending the court’s decision, not due before the end of 2013.
The Advocate General ruled in favour of Google, saying that the right to be forgotten does not apply, and as such Google does not have to remove personal information from its search results. The Advocate General looked at three questions – the territorial application of the EU Data Protection Directive, the definition of ‘data controller’ in the context of search engines and the ‘right to be forgotten’.
The Advocate General’s Statement is not legally binding and his role is to provide an impartial opinion for the ECJ to consider. Although not legally binding in the majority of cases the judges follow his recommendations.
Territorial Scope of Application of the Data Protection Directive (the Directive) Article 4(1) of Directive provides that the rules of a Member State apply when the processing is carried out by a data controller established in a Member State (or in a place where the
Member State’s national law applies) or if a controller established outside the EU makes use of equipment on the territory of the Member State for the purposes of processing.
Google argued that it was not established in Spain or making use of equipment in Spain and therefore did not fall within the scope of Spanish data protection rules. Google Spain stated that it was not involved in processing data and was merely a commercial representative of Google Inc for its advertising activities and therefore was not making use of equipment. The search engine also argued that the use of web spiders to index content does not constitute ‘use of equipment’ for these purposes.
The Advocate General concluded that processing of personal data is carried out “in the context of the activities” of an ‘establishment’ of the controller within the meaning of Article 4 when the undertaking providing the internet search engine sets up in a Member State, for the purposes ofpromoting and selling advertising space on the search engine, an office or subsidiary which orientates its activity towards the inhabitants of that State. He argued that this applied irrespective of data processing activities or the data subjects to whom they relate.
The Definition of ‘Data Controller’
The Advocate General stated that when an internet search engine service provider,whose search engine locates information published or included on the internet by third parties, indexes it automatically, stores it temporarily and finally makes it available to internet users according to a particular order of preference, it only ‘processes’ personal data when that information contains personal data.
The Advocate General concluded that the internet search engine service provider cannot be considered as ‘controller’ of the processing of personal data (with the exception of the contents of the index of its search engine) , provided that the service provider does not index or archive personal data against the instructions or requests of the publisher of the web page.
He rejected the idea that the Directive should be construed to apply to Google as a data controller when “the object of processing consists of files containing personal data and other data in a haphazard, indiscriminate and random manner”.
The Advocate General said that “Search engine service providers are not responsible, on the basis of the data protection directive, for personal data appearing on web pages they process”.
He concluded that under current law as Google cannot be considered a ‘controller’ of personal data it has no responsibility to remove information, unless it is false, libelous or criminal.
The Right to be Forgotten
The Advocate General concluded that the rights to erasure and blocking of data, and the right to object under existing legislation do not give individuals the right to require a search engine service provider to remove indexing relating to that individual where the information was originally published legally on third parties’ web pages, even though he considers that it might be prejudicial to him. He concluded therefore that the Directive does not provide for a general right to be forgotten as the individual is not generally entitled to restrict the dissemination of personal data which he considers harmful to his interests.
Why this Matters
The Statement by the Advocate General focusses on three key but complex areas of data protection law and his arguments in some cases move away from current interpretation, particularly in relation to determining whether an entity is acting as a data controller.
Of particular interest to marketers are the comments in relation to applicable law and the comments that where an entity sets up an operation in Europe just for marketing and advertising with no processing of personal data in that location, local law would still apply as the marketing activity is being directed at local inhabitants even if there is no local processing.
The application of European law to non EU entities is still being debated in the proposed regulation which provides that EU law will apply to an entity offering goods or services to individuals in the EU or monitoring their behaviour. In addition, the comments on the “Right to be Forgotten” are of interest and this topic is also subject of much discussion also under the Proposed regulation. The full statement can be seen by clicking here.