Who: Google Spain SL and Google Inc vs M. Gonzalez and Agence Espanola de Proteccion de Datos
Where: EU Court of Justice, Luxembourg (“ECJ”)
When: 13 May 2014
Law stated as at: 16 June 2014
The ECJ has handed down a remarkable judgment on data protection that is already being vigorously debated.
The court not only established a “right to be forgotten” according to which an individual can claim removal of certain search results from search engine operators, it also extended the application of EU data privacy laws to non-EU data controllers – with as yet unforeseeable consequences. The judgment therefore has major implications for all US and other non-European companies and their affiliated marketers within the EU who are advertising, promoting and selling their products and services.
1. Facts of the case:
By way of a quick summary of the facts behind the case, in 1998 a Spanish newspaper published an announcement in which the name of a Spanish national resident, was mentioned in an announcement of a real-estate auction connected with attachment proceedings for the recovery of social security debts. When the Spaniard’s name was entered into Google Search, two links to pages of the newspaper containing this announcement were displayed as search results (even in the year 2010). The Spanish national resident therefore lodged a complaint against Google Spain and Google Inc. by which he requested to remove or to conceal his personal data from these links. In the end the case was referred to the ECJ.
2. The decision of the ECJ:
The ECJ decided on three important issues in its judgment:
a. Processing of personal data by a search engine operator
Not surprisingly, the ECJ found that a search engine operator processes personal data within the meaning of Art. 2 lit. b of the EU Data Protection Directive, as it explores the Internet automatically, constantly and systematically in search of the information which is published there, retrieves records and organises this data by indexing programmes, stores it on its servers and discloses it and makes it available to its users in form of lists of search results.
The ECJ also came to the conclusion that a search engine operator must be regarded as the data controller (who is responsible for the lawfulness of the use of the data) because it determines the purposes and means of the respective data processing. Data processing by search engine operators would in particular qualify them as data controllers as they facilitate a user’s access to information and enable them to establish a detailed profile on a data subject.
b. Removal of Links
The Court established an obligation on the search engine operator to remove a link to a certain website, irrespective of whether the data is (still) accessible on the original website. The court held that, whilst the processing of data by a website operator might be permitted if it processes the data solely for journalistic purposes, a search engine operator might not benefit from this privilege. Consequently, the search engine operator might be obligated to remove links although the sites the links refer to may still be published on the internet (see paragraphs 83 et seqq.).
And, most surprisingly, a request to remove a certain link might even be legitimate if the information is true and legal! According to the ECJ this must be determined on a case-by-case basis taking into account whether the interests of the individual to remove a link override the economic interests of the search engine operator and the interests of the general public in finding that information upon a search relating to the individual’s name.
The interests of the general public may override this position, the Court said, if the data subject plays an important role in public life. In the present case however, the judges found the interests of the claimant to have priority because the information would be sensitive, the announcement was published 16 years ago and there would be no particular interests of the general public that would be served by these links being displayed in the search results. Therefore, the links must be removed by the search engine operator, even though the information the links refer to were true.
c. Extraterritorial application of the EU Data Protection Directive
While the issue of extraterritorial application of EU privacy rules has been hotly debated in the negotiations for a new EU Data Protection Regulation (originally proposed by the European Commission in January 2012), the ECJ has via its judgement put itself firmly in the driver’s seat on this question.
The judgement’s conclusion is that non-European businesses should be subject to EU data privacy rules just for the mere reason that they have a subsidiary within the EU whose activities are “intended to promote and sell, in the EU Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable”.
Accordingly, the processing of personal data for the purposes of the service of a search engine would be carried out in the context of the activities of the subsidiary in an EU Member State – which is a condition for European data protection law to be applicable – even if the subsidiary only promotes and sells advertising space offered by the search engine and is not itself involved in the processing of data.
In this case the activities of the search engine operator and those of its subsidiary established in an EU Member State would be inextricably linked. The ECJ found that it is not necessary for the subsidiary to be involved in the processing of data itself (see paragraphs 55 et seqq.).
3. What the judgement means for marketers
Although the wording of the judgment only refers to search engine operators, especially to Google, the decision will have a huge impact on the processing of data by marketers within the EU who advertise, promote or sell products or services for non-EU affiliates which collect and process personal data in carrying out their business activity.
Accordingly, all US and other non-EU businesses with a subsidiary in the EU are likely to be impacted:
- An EU Member State’s data protection laws will in future likely be held applicable, if any entity – not just a search engine operator – established in a non EU Member State (1) processes data, and (2) has a subsidiary established in any EU Member State that engages in substantial advertising or promotional activities which are directed to inhabitants of that EU Member State. This will foremostly affect all foreign search engines, social networks and website operators selling advertising space through EU subsidiaries.
- Due to the general wording and lack of depth to the Court’s assessment, far more widely, any foreign business can now be subject to EU data protection laws if a member of its group based in the EU “serves to make the service of-fered by that foreign business profitable” – something which every marketer would likely agree to be the core of its activity…
- Also, EU businesses might in future need to look at more than their local data privacy regime, if they use marketers from the same group of companies in other EU Member States. Normally, the EU Data Protection Directive brought about a privilege for EU businesses: they need only adhere to their national data protection rules, unless the data processing is carried out “in the context of” an establishment in another EU member state (which leads to the applicability of another national law as far as the subsidiary is concerned). Now, this differentiation is blurred. If an entity has its seat in one EU Member State but for instance engages establishments in another EU Member State for advertising activities directed to inhabitants of that Member State, the entity may be obligated to comply with further national laws.
- Finally, online marketing companies which for themselves collect and process or even only organize and make accessible personal data from other publicly available sources (such as the internet) may generally be under an obligation to erase or block this data upon request by the data subject, even if the data is correct. In these cases the operator of the respective service would – like a search engine operator – have to decide on a case-by- case basis whether the legitimate interests of the data subject or its own (financial) interests or the interests of the general public prevail.
It is highly recommended for every company marketing its services through an establishment in the EU to assess the implications of this judgment on its business and – possibly – adapt the way business is being done within the EU in order to avoid the application of various national EU data privacy laws or being subject to removal requests.
The full text of the judgment (Case C-131/12) is available here.