Google data protection ruling has implications for multi-faceted global businesses

Out-Law News | 13 May 2014 | 2:04 pm | 5 min. read

Businesses set up in an EU country to provide a service must ensure that any processing of personal data for a related service targeted to that country conforms to EU data protection laws even if that processing takes place elsewhere, Europe's top court has ruled.

The Court of Justice of the EU (CJEU) has ruled that Google's search engine business is that of a 'data controller' and therefore subject to EU data protection laws. It found that the company processes personal data when it finds, indexes, temporarily stores and makes available information published on the internet by third parties.

The CJEU said that Google is subject to Spanish data protection laws for its search engine business despite the processing of personal data undertaken as part of that service taking place in unknown locations in other parts of the world. This is because Google has a Spanish subsidiary based in Madrid that promotes and sells advertising space for the search service and because the company targets its search services at the Spanish public, it said.

"[The EU's Data Protection Directive] is to be interpreted as meaning that processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a member state ... when the operator of a search engine sets up in a member state a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that member state," the CJEU said in its judgment.

Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said the ruling may have implications for other global businesses.

"The CJEU has in a very matter of fact way found that Google processes data - a fact that is difficult to deny, that the data which it processes through its search engine usually contains both information that identifies people and information that does not identify people, another fact difficult to deny and that when Google Search is viewed on screen, Google ads appear within view of the search results, a third fact that is difficult to deny," Scanlon said. "On this basis Google is a controller of personal information in the search lists in the Court’s judgment and its subsidiary in Spain that promotes the advertisements that appear next to search lists is responsible for the legal implications of users accessing those lists."

"But the court’s interpretation raises the issue of whether regulators and local member state courts will view the judgment as applying simply to the activities of search engines or more broadly to other activities of global businesses that occur within EU jurisdictions that are in some way related to data processing activities that take place outside the EU," Scanlon said.

"As businesses look to enable their people to ignore borders and are becoming increasingly dependent on people working collaboratively together wherever they are located, they may now need to review the extent to which services relating to personal data processed in one jurisdiction are, in the words of the court, ‘served by’ services that take place in other jurisdictions to fully understand their legal obligations," he said.

The CJEU was ruling in a case referred to it by a Spanish court in which it was asked to determine whether Google can be considered to be a 'data controller' that is required to comply with the data protection regime in Spain.

Google argued that as its search engine business is based in the US neither the EU's Data Protection Directive nor Spain's national data protection law should not be applied to it. It said that the fact it has a Spanish subsidiary is irrelevant because that business is only responsible for selling advertising on Google and has no role in the operation of the search engine itself.

The Spanish case concerns Google's failure to adhere to an order issued by the data protection authority in the country, the AEPD. It had ordered Google to "take the necessary measures to withdraw" information about some individuals from its search index and to "render future access to the information impossible via their search engine" after ruling that the continued availability of that information on Google's search engine infringed those individuals' privacy rights.

Under current EU data protection laws organisations are generally allowed only to collect and store personal data that is strictly necessary and proportionate for its purposes. An individual has the "right to obtain, at his request ... the rectification, erasure or blocking of data which are incomplete, inaccurate or stored in a way incompatible with the legitimate purposes pursued" by organisations responsible for, and in control of, their personal data – 'data controllers'.

After determining that Google's search business is that of a data controller and that it is subject to Spain's data protection regime, the CJEU issued some guidance on when search engines must adhere to this qualified 'right to be forgotten' for individuals.

It said that search engine businesses have a general duty to stop lawfully published content being available to read via their search rankings where individuals seek the erasure of their data from those indexes. This duty even extends to information that may not be prejudicial to a person’s interests. According to Luke Scanlon, this is consistent with a recent trend of decisions made by European courts. 

"We have seen a trend within courts in Germany and France, in the Max Mosley cases for example, requiring Google to react to the posting of images that can be viewed as prejudicial to a person's interests. But in this case, the court has chosen to specifically point out that people can request that Google remove information about them even if that information is unlikely to cause them prejudice if it continues to be publicly accessible," Scanlon said.

"The CJEU’s approach may mean that in the context of the internet, data protection law is becoming a much sharper sword than the law of defamation, at least in terms of the practical ability to remove information from public view, if not in terms of compensation," he said.

However, the CJEU said that there would be circumstances in which search engines would be justified in refusing individuals' requests for their data to be removed from the rankings.

"When appraising the conditions for the application of [the Directive's rules on rectification, erasure or blocking], it should inter alia be examined whether the data subject has a right that the information in question relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name, without it being necessary in order to find such a right that the inclusion of the information in question in that list causes prejudice to the data subject," the CJEU said.

"As the data subject may, in the light of [EU privacy rights], request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results, those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name," it said.

"However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question," the CJEU said.