Advocate General Niilo Jääskinen suggests that national data protection legislation applies to search engine providers when they set up an office in a Member State which “orientates its activity” towards the inhabitants of that state, so as to promote and sell advertising space, even if the technical data processing takes place elsewhere.
This is his opinion in Case C-131/12, Google Spain SL and Google Inc v Agencia Española de Protección de Datos, Mario Costeja González. The complainant was aggrieved by the fact that information about a legal process fifteen years ago, which was reported at the time in the newspapers, could still be located with a Google search. The Spanish data protection agency upheld the complaint he made against Google (but not that against the original publisher, as there was a legal justification for publishing the information in the press) and Google appealed to the excellently-named Audiencia National, or national high court, which referred a series of questions to the Court of Justice relating to territorial scope, the legal position of a search engine provider, and the existence of a right to be forgotten.
As far as territorial scope is concerned, the Advocate General says that the primary factor governing the application of the national law is the processing of persona data carried on in the context of the activities of an establishment of the controller on the territory of the Member State concerned. Google claimed that there was no processing of personal data in Spain, and Google Spain merely acted as Google Inc’s commercial representative for its advertising functions. But Mr Jääskinen reckons that the question has to be decided in a way that takes account of the business model of internet search engine providers. They normally rely on keyword advertising, and to make this work they need a presence on national advertising markets. It is therefore appropriate to consider that an establishment processes personal data if it is linked to a service involved in selling targeted advertising to inhabitants of a Member State, even if the technical data processing operations are situated elsewhere. The Advocate General therefore proposes that the Court declare that processing of personal data takes place within the context of a controller’s establishment: national data protection legislation is applicable to a search engine provider when it sets up an office orientated towards the inhabitants of the Member State in which it is based, for the promotion and sale of advertising space on the search engine.
As for the legal position of search engine providers, back in 1995 when the Directive was adopted it was impossible to foresee the sort of arrangements we now have. He does not think that Google should be considered to be a “controller” of personal data appearing on web pages it processes: provision of a tool for locating information does not imply any control over the content included n third party web pages. Indeed, the search engine is not even in a position to distinguish between personal data on those web pages and other data, so the search engine cannot in law or in fact fulfil the obligations of the controller provided in the Directive regarding personal data on source web pages hosted on third party servers.
This means that a national data protection authority cannot require a search engine service provider to withdraw information from its index, except in very special cases – where the service provider has failed to comply with the exclusion codes (which indicate to search engines that the publisher of the page does not want it indexed or stored by them) or where a request regarding an update of cache memory has not been complied with.
Third, there is no general right to be forgotten under the directive, even when that instrument is interpreted in accordance with the Charter of Fundamental Rights of the European Union. The directive does confer rights to rectification, erasure and blocking of data, but these arise where processing does not comply with the provisions of the directive. It also grants any person the right to object at any time, on compelling legitimate grounds relating to his or her particular situation, to the processing of data about them, save as otherwise provided by national legislation. But a mere subjective preference is not a compelling legitimate ground, so the directive does not entitle a person to restrict or terminate dissemination of personal data that they think is harmful or contrary to their interests.
Secondary liability of search engine providers under national law might impose duties amounting to blocking access to third party websites with illegal content. However, requesting search engine service providers to suppress legitimate and legal information that is in the public domain would amount to an interference with freedom of expression, censorship of the content by a private party, which the Advocate General was not prepared to countenance – and neither, one assumes, will the Court of Justice.