On 13 May 2014 the European Court of Justice (“ECJ”) rendered a decision in a case in which the Court had to answer important questions relating to the material and territorial scope of application of the Data Protection Directive 95/46 on search engine activities and to a data subject’s “right to be forgotten”.
The situation at issue related to the Google search results’ display of links to web pages of a daily newspaper that contained announcements mentioning the plaintiff’s name and relating to a real-estate auction connected with attachment proceedings for the recovery of social security debts.
According to the ECJ, a search engine’s activity consisting in finding information that is published or placed on the Internet by third parties, indexing it automatically, storing it temporarily, and, finally, making it available to Internet users must be classified as “processing of personal data” if that information contain personal data. In this regard, the ECJ already stated in the past that loading personal data on an Internet page must be considered to be such “processing” (see Case C-101/1 Lindqvist). But, here, there is more to come: Unlike the opinion of the Advocate General who expressly argued for a reasonable interpretation of that concept, the ECJ ruled that, since the search engine operator determines the purposes and means of that activity, and thus of the processing of personal data that it carries out by itself, the search engine operator must be regarded as the “controller” in respect of that processing, notwithstanding the fact that those data were first published on third parties’ web pages.
Normally, the territorial scope of application of the Directive is triggered by either the location of the establishment of the controller in the European Union or the location of the means or equipment being used if the controller is established outside the EU. Nationality or place of habitual residence of data subjects is not decisive, nor is the physical location of the personal data. In the case here, the search engine operator argued that the processing of personal data at issue was carried out exclusively by the American mother company, without any intervention from the local European subsidiaries whose activity is limited to providing support to the group’s advertising activity, which is separate from its search engine service. Nevertheless, the ECJ found that the processing of personal data in question is not required to be carried out “by” the controller itself, but only to be carried out “in the context of the activities” of the establishment of the controller. Therefore, the processing of personal data for the purposes of the service of a search engine is carried out “in the context of the activities” of the local establishment if the latter is intended to promote and sell—in that Member State—advertising space to make the services offered by that engine profitable.
The ECJ also stated that the “right of access” to personal data processed by the controller and the “right to object” to such processing in certain situations have to be interpreted as enabling the data subject to require the search engine operator to remove from the displayed list of results, following a search made on the basis of his name, links to web pages published lawfully by third parties. Those data subject’ rights override—as a rule—in not only the economic interest of the search engine operator but also the interest of the general public in finding that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for “particular reasons” such as the role played by the data subject in public life, that the interference with the data subject’s fundamental rights is justified by the preponderant interest of the general public in having access to the information in question through the list of search results.
Also, the ECJ did not recognize the search engine’s processing of personal data to be carried out “solely for journalistic purposes”, so the operator may not benefit from derogations from the requirements laid down by the Directive.
This decision might be considered a landmark case, but it does not solve everything. On the contrary, it raises new questions, such as the search engine operators’ compliance process with other data protection obligations, and farreaching practical issues, such as the implementation of appropriate take-down mechanisms. Also, it is noteworthy that the ECJ did not refer to Article 10 of the European Convention on Human Rights which protects the freedom of expression and information, covering the freedom to receive and impart information.