On 25 June 2013, Advocate General Jääskinen (the "AG") delivered his opinion in case C-131/12 Google Spain and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González before the Court of Justice of the European Union ("ECJ"). This case is the first to address the European Data Protection Directive 95/46/EC (the "Directive") in the context of internet search engines.
The opinion arose in the context of a reference for a preliminary ruling by the Audiencia Nacional (the National High Court of Spain) in the course of proceedings between Google Spain and Google Inc., the Spanish national data protection authority (the "AEPD") and Mario Costeja González, the data subject. Information regarding the data subject's social security debts had been printed in a Spanish newspaper, which was subsequently made available on the internet. The data subject sought to have this information removed from the search results presented by the internet search engine operated by Google. He first addressed his request directly to the publisher to have this information removed from the online version of the newspaper. He then contacted Google Spain, seeking to have the search results amended. Mr. Costeja González did not want any links to the newspaper to be shown when a search was conducted on the basis of his name and surname.
Mr. Costeja González presumably received no satisfactory response and lodged a complaint with the AEPD, which was upheld. The AEPD called on Google Spain and Google Inc. to take measures to withdraw the data subject's information from the index and to make future access impossible. This decision was appealed by Google before the national court, which stayed the proceedings and referred several questions to the ECJ.
The questions concern three main issues: the territorial scope of and the applicable national law under the Directive; whether search engine providers are data controllers; and whether there is a right to be forgotten.
In examining the first question regarding territoriality, the AG pointed out that the mere fact that Google's search engine targeted Spanish users could not trigger the application of Spanish data protection law. The AG also rejected the possibility of adding an entirely new criterion (such as the "centre of gravity of the dispute") to Article 4 (1) of the Directive, which fully harmonises the territorial scope of application of the Directive.
The AG instead considered that the relevant question would be whether Google actually carried out data "processing in the context of the activities of an establishment of the controller" in Spain within the meaning of Article 4, which he believed it did. This was contrary to what Google claimed. The AG suggested approaching the question of territorial applicability from the perspective of the business model of internet search providers. The AG considered that the role of Google Spain acting as the bridge for the referencing service to the advertising market of Spain was sufficient to conclude that the processing took place in "the context of the activities of an establishment of the controller" in Spain (i.e., assuming that Google Inc. acted as the controller; see below). In this regard, the AG was of the opinion that it was irrelevant that the actual processing activities took place outside of Spain.
The AG also proposed that groups of companies should be treated as a single unit rather than separate legal entities, suggesting that an economic operator must be considered as a single unit and must "not be dissected on the basis of its individual activities relating to processing of personal data."
Turning to the second issue, the AG went on to discuss whether Google Inc., as a search engine operator, could be considered as a "controller" within the meaning of Article 2(d) of the Directive. In particular, the AG considered that the copying, indexing, caching and displaying of source web pages which may and often do contain personal data, such as names, images, addresses, telephone numbers and descriptions, would constitute processing of personal data which falls within the scope of the Directive. The fact that "their character as personal data would remain 'unknown' to internet search engine service provider[s]" or that "the presence of personal data in the source web pages is in a certain sense random" would not alter this conclusion.
Taking into account the above processing activities, the AG made a distinction between two situations. The first was the case in which the internet search engine service provider merely supplied an information location tool and did not, according to the AG, exercise control over personal data included on third-party web pages. In this case, their role would be a passive intermediary function similar to that of telecommunications providers and other transmission service providers, whereas the principal controllers would be the information providers. Internet search engine service providers would not be aware of the existence of personal data "in any other sense than as a statistical fact" and could not in law or in fact fulfil the obligations of controllers. The AG appeared to focus more on the concept of "control" over the data and stated that the "provision of an information tool does not imply any control over the content." This is in line with the position of the Article 29 Working Party (Opinion 1/2008), which has previously stated that "a search engine provider acts purely as an intermediary [...] the principal controllers of personal data are the information providers".
The second scenario would consist of search engine service providers as controllers of the personal data contained in the search results listed in the index of the search engine linking key words entered by the user to the relevant URL addresses relating to the desired internet content. They would also be controllers of the contents of the cache memory, if they decided not to comply with the exclusion codes on a web page or not to update a webpage in the cache despite a request received from the website. In these cases, internet search engine service providers would have to comply with all the obligations imposed on controllers in the Directive, including the requirement for a legal basis for the data processing and the data quality principles of Article 6 of the Directive. The AG considered that the provision of internet search engine services pursued the legitimate interests criteria outlined in Article 7 of the Directive, in the absence of the data subject's consent. The AG considered that the index of a search engine complies with the criteria of adequacy, relevancy, proportionality, accuracy and completeness. Moreover, the AG pointed out that the interests of the controller and the data subject should be weighed in light of the above factors.
On this basis, the AG reached the conclusion that a national data protection authority cannot require an internet search engine provider to withdraw information from its index except for the cases where this service provider has not complied with the exclusion codes or where a request emanating from the website regarding update of cache memory has not been complied with.
Right to be forgotten
The AG then moved on to discuss the true extent of the rights to erasure and blocking of data and the right to object as provided for in the Directive and whether these provisions confer a right to be forgotten on data subjects. The AG decided that, without prejudice to the unequivocal right granted under the proposed data protection Regulation, there is no general right to be forgotten and a data subject would have no right to address a search engine service provider in order to prevent the indexation of information relating to him, which has been published legally on third parties' web pages, merely based on the data subject's subjective preference.
The AG also considered the fundamental right to the protection of personal data contained in Article 8 of the EU Charter of Fundamental Rights and the corresponding provision in the European Convention for the Protection of Human Rights and Fundamental Freedoms. However, the AG determined that the right to protection of personal data and private life is not absolute and must be balanced with other fundamental rights, including the freedom of expression, the freedom of information and the freedom to conduct business. In the AG's view, a generalised right to be forgotten would sacrifice these rights, possibly resulting in the censorship of published content by a private party. Finally, the AG recommended that the Court decline to accept a "case-by-case" approach to the present case, as it would open up internet search providers to unmanageable numbers of requests.
The opinion of the AG is not binding on the ECJ. The ECJ's judgment is expected early next year.