On 13 May 2014, the ECJ handed down a remarkable judgment on data protection that is already the subject of considerable controversy (Case C-131/12; the full text is available here).
The court not only established a "right to be forgotten", under which an individual can require search engine operators to remove certain search results; in effect it also extended the application of EU data privacy laws to non-EU data controllers – with as yet unforeseeable consequences. The judgment therefore has major implications for all US and other non-European companies, and for their affiliated marketers within the EU who advertise, promote and sell their products and services.
- Facts of the case:
A quick summary of the facts behind the case: In 1998 a Spanish newspaper published an announcement in which the name of a Spanish national resident appeared in connection with a real-estate auction arising from attachment proceedings for the recovery of social security debts. When the name of this Spanish national resident was entered into Google Search, two links to pages of this newspaper containing the announcement were displayed as search results (even in the year 2010). The Spanish national resident therefore lodged a complaint against Google Spain and Google Inc., requesting that his personal data be removed or concealed from these links. In the end, the case was referred to the ECJ.
- The decision of the ECJ:
The ECJ decided on three important issues in its judgment:
Processing of personal data by a search engine operator
Not surprisingly, the ECJ found that a search engine operator processes personal data within the meaning of Art. 2 lit. b of the EU Data Protection Directive, as it explores the Internet automatically, constantly and systematically in search of the information which is published there, retrieves records and organises this data by indexing programmes, stores it on its servers, and discloses it and makes it available to its users in the form of lists of search results. The ECJ qualified this as processing of personal data in terms of the EU Data Protection Directive.
The ECJ also came to the conclusion that a search engine operator must be regarded as the data controller (who is responsible for the lawfulness of the use of the data) because it determines the purposes and means of the respective data processing. Data processing by search engine operators would in particular qualify them as data controllers, as they facilitate users’ access to information and enable them to establish a detailed profile of a data subject.
Removal of Links
The Court established an obligation of the search engine operator to remove a link to a certain website, irrespective of whether the data is (still) accessible on the original website. The court held that, for example, the processing of data by a website operator might be permitted because it processes the data solely for journalistic purposes, whereas the search engine operator might not benefit from this privilege, so that the data processing by that operator might not be permitted. Consequently, the search engine operator might be obligated to remove links although the sites the links refer to may still be published on the internet (see paragraphs 83 et seqq.).
And, most surprisingly, a request to remove a certain link might even be legitimate if the information is true and legal! According to the ECJ this must be determined on a case-by-case basis taking into account whether the interests of the individual to remove a link override the economic interests of the search engine operator and the interests of the general public in finding that information upon a search relating to the individual’s name.
The interests of the general public may override this position if the data subject plays an important role in public life. In the present case, however, the judges found the interests of the Spanish national resident to have priority because the information would be sensitive, the announcement was published 16 years ago and there would be no particular interest of the general public in having these links displayed in the search results. Therefore, the links must be removed by the search engine operator, although the information the links refer to was true.
Extraterritorial application of the EU Data Protection Directive
While the question of extraterritorial application of EU privacy rules is being hotly debated in the negotiations for a new EU Data Protection Regulation, which was originally proposed by the European Commission in January 2012, the ECJ has with its judgment put itself firmly in the driver’s seat on this question. The judgment’s conclusion is that non-European businesses should be subject to EU data privacy rules for the mere reason that they have a subsidiary within the EU whose activities are "intended to promote and sell, in the EU Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable".
Accordingly, the processing of personal data for the purposes of the service of a search engine would be carried out in the context of the activities of the subsidiary in an EU Member State – which is a condition for European data protection law to be applicable – even if the subsidiary only promotes and sells advertising space offered by the search engine. In this case the activities of the search engine operator and those of its subsidiary established in an EU Member State would be inextricably linked. The ECJ found that it is not necessary for the subsidiary to be involved in the processing of data itself (see paragraphs 55 et seqq.).
- What the judgment means for marketers
Although the wording of the judgment only refers to search engine operators, especially to Google, the decision will have a huge impact on the processing of data by marketers within the EU who advertise, promote or sell products or services for non-EU affiliates which collect and process personal data in carrying out their business activity. Accordingly, all US and other non-EU businesses with a subsidiary in the EU are likely to be impacted:
- An EU Member State’s data protection laws will in future likely be held applicable if any entity – not just a search engine operator – established outside the EU (1) processes data, and (2) has a subsidiary established in any EU Member State that engages in substantial advertising or promotional activities which are directed to inhabitants of that EU Member State. This will primarily affect all foreign search engines, social networks and website operators selling advertising space through EU subsidiaries.
- Far more widely, due to the general wording and lack of depth of the Court’s assessment, any foreign business can now be subject to EU data protection laws if a member of its group based in the EU "serves to make the service offered by that provider profitable" – something which every marketer would likely agree to be the core of its activity…
- Also, EU businesses might in future need to look at more than their local data privacy regime if they use marketers from the same group of companies in other EU Member States. Normally, the EU Data Protection Directive brought about a privilege for EU businesses: they need to adhere to their national data protection rules only, unless the data processing is carried out "in the course of" an establishment in another EU Member State (which leads to the applicability of another national law as far as the subsidiary is concerned). This distinction is now blurred. If an entity has its seat in one EU Member State but engages establishments in another EU Member State for advertising activities directed to inhabitants of that Member State, the entity may be obligated to comply with further national laws.
- Finally, internet marketing companies which for themselves collect and process, or even only organize and make accessible, personal data from other publicly available sources (such as the internet) may generally be under an obligation to erase or block this data upon request by the data subject, even if the data is correct. In these cases the operator of the respective service would – like a search engine operator – have to decide on a case-by-case basis whether the legitimate interests of the data subject or its own (financial) interests or the interests of the general public prevail.
It is highly recommended that every company marketing its services through an establishment in the EU assess the implications of this judgment for its business and – possibly – adapt the way business is being done within the EU in order to avoid the application of various national EU data privacy laws or being subject to removal requests.