Advocate General Niilo Jääskinen suggests that
national data protection legislation applies to search engine
providers when they set up an office in a Member State which
“orientates its activity” towards the inhabitants of that state,
so as to promote and sell advertising space, even if the technical
data processing takes place elsewhere.
This is his opinion in Case C-131/12, Google Spain
SL and Google Inc v Agencia Española de Protección de Datos, Mario
Costeja González. The complainant was aggrieved by the fact that
information about a legal process fifteen years ago, which was
reported at the time in the newspapers, could still be located with a
Google search. The Spanish data protection agency upheld the
complaint he made against Google (but not that against the original
publisher, as there was a legal justification for publishing the
information in the press) and Google appealed to the
excellently-named Audiencia National, or national high court, which
referred a series of questions to the Court of Justice relating to
territorial scope, the legal position of a search engine provider,
and the existence of a right to be forgotten.
As far as territorial scope is concerned, the
Advocate General says that the primary factor governing the
application of the national law is the processing of persona data
carried on in the context of the activities of an establishment of
the controller on the territory of the Member State concerned. Google
claimed that there was no processing of personal data in Spain, and
Google Spain merely acted as Google Inc’s commercial representative
for its advertising functions. But Mr Jääskinen reckons that the
question has to be decided in a way that takes account of the
business model of internet search engine providers. They normally
rely on keyword advertising, and to make this work they need a
presence on national advertising markets. It is therefore appropriate
to consider that an establishment processes personal data if it is
linked to a service involved in selling targeted advertising to
inhabitants of a Member State, even if the technical data processing
operations are situated elsewhere. The Advocate General therefore
proposes that the Court declare that processing of personal data
takes place within the context of a controller’s establishment:
national data protection legislation is applicable to a search engine
provider when it sets up an office orientated towards the inhabitants
of the Member State in which it is based, for the promotion and sale
of advertising space on the search engine.
As for the legal position of search engine
providers, back in 1995 when the Directive was adopted it was
impossible to foresee the sort of arrangements we now have. He does
not think that Google should be considered to be a “controller”
of personal data appearing on web pages it processes: provision of a
tool for locating information does not imply any control over the
content included n third party web pages. Indeed, the search engine
is not even in a position to distinguish between personal data on
those web pages and other data, so the search engine cannot in law or
in fact fulfil the obligations of the controller provided in the
Directive regarding personal data on source web pages hosted on third
party servers.
This means that a national data protection
authority cannot require a search engine service provider to withdraw
information from its index, except in very special cases – where
the service provider has failed to comply with the exclusion codes
(which indicate to search engines that the publisher of the page does
not want it indexed or stored by them) or where a request regarding
an update of cache memory has not been complied with.
Third, there is no general right to be forgotten
under the directive, even when that instrument is interpreted in
accordance with the Charter of Fundamental Rights of the European
Union. The directive does confer rights to rectification, erasure and
blocking of data, but these arise where processing does not comply
with the provisions of the directive. It also grants any person the
right to object at any time, on compelling legitimate grounds
relating to his or her particular situation, to the processing of
data about them, save as otherwise provided by national legislation.
But a mere subjective preference is not a compelling legitimate
ground, so the directive does not entitle a person to restrict or
terminate dissemination of personal data that they think is harmful
or contrary to their interests.
Secondary liability of search engine providers
under national law might impose duties amounting to blocking access
to third party websites with illegal content. However, requesting
search engine service providers to suppress legitimate and legal
information that is in the public domain would amount to an
interference with freedom of expression, censorship of the content by
a private party, which the Advocate General was not prepared to
countenance – and neither, one assumes, will the Court of Justice.