Data protection reforms should clarify search engine responsibilities when privacy 'take-downs' are sought

Out-Law Analysis | 07 Nov 2013 | 4:15 pm | 4 min. read

OPINION: The attempts to reform data protection laws at European Union level should specifically clarify the extent to which search engines can be held liable for private information made available in search results. Otherwise, uncertainty will remain as to how far data privacy rights can extend when personal information is posted online.

In an opinion issued earlier this year, Advocate General Gonzalez, an adviser to the Court of Justice of the European Union (CJEU), raised an important discussion about the connection between the services search engines like Google Search provide, and the concept of control over information.

In his view, search engines do not control the information generated on their 'natural' search results lists. For this reason they should not generally be held liable under data protection laws. Those rules focus liability on the 'controller' of information and not directly those who only process information on behalf of others. 

It is important that this clarification, that search engines do not normally control the information displayed in search results, be maintained, because in accordance with the Advocate General's opinion, search engine service providers are not always protected by the general immunity given under European Union law to 'information society services' for content hosted or transmitted by their services.

The Advocate General said in his opinion that search engines like Google do not benefit from the immunities to liability set out under the E-Commerce Directive where they "do not provide their service in return for remuneration from the internet users." In "that capacity", as opposed to in the capacity of providing associated paid for advertising services, they fall outside the scope of the E-Commerce Directive in his opinion.

If the Advocate General's guidance is adopted by the CJEU, it would mean that under current laws it is possible for a search engine to be held liable for data privacy infringements where they misuse personal information which they control, but not for information which generally appears in search results which they do not.

This is particularly of interest in the context of the position taken by the Court of Cassation in France. It has just ruled to require Google to proactively identify and remove nine images of former Formula 1 boss Max Mosley from its search rankings after deeming insufficient Google's existing policy of only acting to remove privacy-infringing content upon notification of its existence.

Up until now, a defining feature of laws protecting data privacy has been the holding of 'controllers' of personal information directly liable when data privacy rights were affected, and not others.

But the General Data Protection Regulation proposed by the European Commission last January and recently endorsed by the Civil Liberties, Justice and Home Affairs Committee of the European Parliament alters this balance. No longer is it always important to connect who controls personal information to who should be liable for data privacy infringements. Instead, the proposed General Data Protection Regulation attaches some liability for data privacy infringements to a broader category of individuals and organisations.

The draft General Data Protection Regulation says that 'processors' of personal information, in some instances, can be primarily liable for processing activities connected with personal data. This would apply where 'the processor' is a different person or organisation to the entity that controls the data in question, and may even apply where the processor has no personal or direct business connection with the controller (although this can be debated). 

This new attachment of liability to processors places the activities of search engine providers in a dangerous position.

Whatever technical arguments can be made on the basis of the wording of existing specific laws, search engines, for the most part, do not exercise any real control over much of the information which they set out in their search results after a user has made a query. In respect of most websites there is no relationship between the search engine and the content provider for content appearing in so-called 'natural' search results. They do though process personal information which could bring their activities within the scope of the proposed Regulation even if it were accepted that they did not control that information themselves.

But placing a greater burden of liability for data privacy rights infringements on search engine service providers would be unreasonable. It would be disproportionate to the objective sought of protecting data privacy, failing to strike an adequate balance between that interest and others which are just as important.

Data privacy is a subset of a right protected as fundamental at the regional European level. But freedom of expression, freedom of information and freedom to conduct a business are equally important interests. On a conceptual level, each of these interests is to be given the same level of protection where no conflict arises. Where conflict arises, a balance must be struck that is proportionate.

In relation to the freedom to conduct business, it would be interesting to know how many European businesses have developed business models that are completely, or at least in part, reliant on search results. I suspect that many businesses would not be able to continue to exercise their freedom to conduct business without their customers having the ability to search for them online.

The General Data Protection Regulation should be crafted to acknowledge that search engines and other backbone internet providers are very different from other organisations which 'process' information, such as outsourcing providers acting on behalf of specific companies. It is these businesses at which the new 'processor liability' provisions seem to be directed.

As the Advocate General pointed out in his opinion, the existing data protection directive was drafted at a time where " [was] clear that the development of the internet into a comprehensive global stock of information which is universally accessible and searchable was not foreseen by the [European] Community legislator".

The justification for replacing the existing data protection directive was an understanding that new laws were long overdue to account for an overwhelming amount of changes in data processing technologies that have taken place since 1995.

The proposed General Data Protection Regulation does not directly address the status of processing activities by search engines. Surely this is a failure in design that must be addressed. Otherwise we will be continue to see cases across the region which question whether and when the search engine will be responsible for content posted on sites over which they have no control. 


Luke Scanlon is a technology law expert for Pinsent Masons, the law firm behind