Time to Forget the ‘Right to be Forgotten’? Advocate General Jääskinen’s Opinion in C-131/12 Google Spain v AEPD

What obligations does EU data protection law impose on search engines such as Google vis-à-vis individuals who wish to suppress information about them which is lawfully available online? None according to the Advocate General as Google does not fall within the material scope of data protection law in the context of its role as a provider of free search engine services. In any event, according to the Advocate General, individuals cannot derive a ‘Right to be Forgotten’ from the current data protection rules. These were only some of the issues on which the Court was asked to adjudicate in a preliminary reference from the Spanish Audencia Nacional. Given that only a handful of cases concerning the interpretation of EU data protection rules have appeared on the Court’s docket to date, the Opinion of Advocate General Jääskinen – delivered on 25 June 2013 – was eagerly anticipated.

The facts of this case are as follows. In 1998, a newspaper published an article containing details of insolvency proceedings relating to social security debts. The relevant article was later made available online. An individual implicated in these insolvency proceedings asked the newspaper to erase this piece arguing that the proceedings had been concluded and were therefore no longer of relevance. The publisher refused to erase the data on the basis that the Ministry of Labour and Social Affairs had ordered its publication. The individual then redirected his request for erasure to Google Spain asking it to no longer show links to the newspaper in its search results when his name was entered as a search term in the search engine. The individual also addressed a complaint to the Spanish Data Protection Authority (DPA). The DPA rejected the complaint against the newspaper on the grounds that the publication of such data in the press was legally justified. However, the DPA upheld the complaint against Google Spain and Google Inc, requesting that the contested search results be removed from Google’s index of search results. Google sought the annulment of this decision before the Audencia Nacional which stayed the proceedings in order to refer a number of questions to the Court of Justice. The referred questions deal with three primary issues: the territorial application of the EU Data Protection Directive (Directive 95/46 EC), the notion of ‘data controller’ in the context of search engines and the controversial ‘right to be forgotten’.

Territorial Scope of Application of the Data Protection Directive

Article 4(1) of the Data Protection Directive (hereinafter DPD) determines the geographic scope of application of the Directive. It provides that the rules of a Member State apply when the processing is carried out by a data controller established in a Member State (or in a place where the Member State’s national law applies) or if a controller established outside the EU makes use of equipment on the territory of the Member State for the purposes of processing.

Google argued that it was neither established in Spain nor making use of equipment in Spain and therefore did not fall within the scope of Spanish data protection rules in this context. It argued that Google Spain acts only as a commercial representative of Google for its advertising activities and is not involved in the search engine activities at stake in this case. Moreover, Google Spain denied that it ‘makes use of equipment’ for the provision of search engine services in Spain: it argued that the use of web spiders to index content does not constitute ‘use of equipment’ for these purposes.

The Advocate General found, to the contrary, that Google Spain did fall within the territorial scope of the Directive. In order to justify this finding, he argued that it is necessary to analyse and take into account the business model of internet search engines. In particular, free search engine services are cross-subsidised by revenues generated by advertising keyword services. He therefore considered that a controller is established in a Member State if that Member State acts as the place of establishment for this revenue-generating limb of the enterprise and thus bridges the two (interrelated) limbs of the business, even if the technical data processing operations take place elsewhere [67]. Furthermore, he emphasised that Google should be viewed as a single economic unit for the purposes of establishing the territorial applicability of the Directive, irrespective of its distinct data processing activities or the data subjects to whom they relate. [66]

Material Scope of the Directive – The Notion of ‘Data Controller’

A ‘data controller’ is defined in the Directive as the entity which ‘alone or jointly with others determines the purposes and means of the processing of personal data’. The Advocate General noted that Google processes data by locating information published on third party internet source web pages, indexing it automatically, storing it temporarily and making it available to internet users according to a particular order of preference [70]. These source web pages often contain individuals’ ‘personal data’, which is defined by the Directive as data relating to an identified or identifiable individual. The Advocate General noted that the character of this data as personal data is not affected by the fact that the search engine does not distinguish between personal data and other data and that there may be ‘no technical or operational difference’ between source web pages containing personal data and those not containing such data. However, he argued that this distinction should influence the interpretation of the notion of controller [72].

The Advocate General sought to distinguish between entities which control the purposes and means of the processing of personal data from those which simply control the purposes and means of the processing of data [80]. He rejected the idea that the Directive should be construed to apply to Google as a data controller when ‘the object of processing consists of files containing personal data and other data in a haphazard, indiscriminate and random manner’ [81]. Instead, he held that a factual rather than a formalistic assessment was needed to determine whether an entity is responsible for the personal data processed in the sense that it is ‘aware of the existence of a certain defined category of information amounting to personal data and the controller processes this data with some intention which relates to their processing as personal data’ [82]. In this way, the Advocate General interprets a ‘knowledge’ or ‘intention’ criterion, previously unheard of in EU data protection law, into the notion of ‘data controller’ thereby narrowing the scope of this concept.

In order to support this finding that Google should not be a data controller in this context, the Advocate General made a number of observations. First, he argued that to interpret the notion literally or in a teleological manner, as proposed by the vast majority of parties before the Court, would ignore the fact that the Directive was drafted in a pre-Internet era [77] and would give rise to what the Advocate General viewed as incongruous results [81]. Second, he referred to the Court’s refusal in Lindqvist to recognise that uploading to the internet constitutes an international data transfer. He interpreted this (pragmatic) finding of the Court as a rejection of a ‘maximalist approach’ to data protection rules [79]. He also extrapolated that in interpreting the Directive in the context of new technological phenomenon, the principle of proportionality and the objectives of the Directive must be taken into account [79]. Finally, he also made some factual observations in support of his claim that Google is not a data controller in this context. In particular, he highlights that Google plays a passive intermediary role and has no relationship with the content of the third-party source web pages which it copies [86]. He relies on recital 47 of the Directive as well as Articles 12-14 of the E-Commerce Directive in support of his proposition that facilitating the technical transmission of content does not create control over this content [87].

A Right to Be Forgotten under the Data Protection Directive?

In the event that the Court should disagree with his finding that Google is not a data controller in this context, the Advocate General answered the third set of questions asked by the referring court. He first queried whether existing rights under the Directive (the right to erasure and blocking of data in Article 12(b) and the right to object in Article 14(a)) enable an individual to prevent the indexing by internet search engines of potentially prejudicial personal information available on third part webpages [102].

The Advocate General correctly noted that the right to rectification, erasure and blocking of data in Article 12(b) is subject to the proviso that the processing does not comply with the provisions of the Directive, ‘in particular because of the incomplete or inaccurate nature of the data’. The data in this case was neither inaccurate nor incomplete. It therefore remained for the Advocate General to assess whether the processing was in compliance with the Directive more generally. Article 14(a) provides that the individual can object to data processing on ‘compelling legitimate grounds’. The Advocate General therefore also examined whether there were compelling legitimate grounds on which to object to the processing. The Advocate General noted in making these assessments that, as the data processing found its legal basis in Article 7(f) of the Directive rather than the individual’s consent, a balance must be struck between the legitimate interests of the data controller and third parties and those of the individual data subject. He argued that in the absence of individual consent as a legal basis for processing, the subjective preferences of the individual concerned could not amount to a compelling legitimate ground on which to object to the data processing [108]. In this way, the Advocate General found that the Directive does not provide for a general right to be forgotten as the data subject is not generally entitled to restrict the dissemination of personal data which he considers harmful to his interests [108].

Finally, the Advocate General examined whether such a right to be forgotten could be derived by interpreting the Directive in light of the right to privacy set out in the EU Charter of Fundamental Rights. Given that such an interpretation would merely constitute a precision of existing rights, it would not breach Article 51(2) of the Charter by extending the rights granted under EU law [126]. In rejecting the idea that the Charter could imbue the Directive with a right to be forgotten, the Advocate General emphasised that such an interpretation would entail the sacrifice of the rights to freedom of information and expression [133]. Moreover, he noted the Charter’s freedom to conduct a business was at stake in the current factual scenario. He also urged the Court to reject any case-by-case resolution of this type of situation by the internet search engine provider as such discretion would be ‘likely either to lead to the automatic withdrawal of links to any objected contents or to an unmanageable number of requests’ [133].

Potential Implications of the Advocate General’s Opinion

There are a number of aspects of the Advocate General’s Opinion which provide food for thought. Most obviously, the Opinion provides a morale boost for those who oppose the introduction of a right to be forgotten in the proposed EU Data Protection Regulation, which is currently stalling before the European Parliament. Critics of this right have argued that it will have a disproportionate impact on freedom of expression online and will prove impossible to implement in practice. In this regard, it could be argued that its inclusion on the statute books would be a disingenuous window-dressing exercise. However, the Opinion’s constant reminders that the current regime was drafted and designed for a pre-Internet era and should be interpreted with this in mind (see for instance, [61] and [78]), may equally serve as a timely reminder of the need for a legislative overhaul.

Otherwise, while the conclusion reached by the Advocate General is undoubtedly a pragmatic one and might be viewed as keeping data protection rules within sensible limits, his reasoning may prove to be problematic. In particular, the Advocate General’s incorporation of a type of subjective mental element to the concept of controller (as the controller must have ‘awareness’ of the existence of personal data) departs from the current definition of controller. Indeed, the Advocate General indirectly acknowledges this in paragraph 81 of the Opinion when he notes the far-reaching grasp of the current definition of controller. However, one must question what implications this new interpretation will have in other contexts, for instance cloud computing? Also, would such an interpretation impact on the notion of personal data by narrowing it to data which an entity knows relates to an identified or an identifiable person? The English Court of Appeal has pushed for a narrower interpretation of key data protection concepts in the past but has faced significant resistance on this matter from other EU stakeholders. Given this situation, it may have been preferable had the Advocate General considered Google to be a data controller in this context but exempted it from such notice and take-down provisions on the basis of the interference with the freedom of expression.