EU Ruling Against Google Creates Privacy Uncertainty For US Companies

A recent case, in which a Spanish lawyer sued to remove information about decade-old but since-repaid debts from a widely circulated Spanish newspaper and from Google Internet search engine results, was a case of first impression for the European Court of Justice (ECJ), requiring the examination of the EU Privacy Directive in the context of Internet search engines.

Of note to U.S. companies are the ECJ’s discussions relating to the legal position of an Internet search engine service provider and the so-called “right to be forgotten,” e.g., the right to request that some or all search results related to the individual be removed. More specifically, the classification of Google’s search engine as a “Data Processor” has broad implications for digital business applications such as cloud services and web-based information.

By statute, the European Union (EU) protects the personal data of individuals and regulates both the processing and free movement of such data. Generally known as the EU Privacy Directive, this law applies to defined players called “Data Processors” and “Data Controllers.” A Data Controller is a legal person or any other entity that determines the purposes and means of the processing of “personal data.” A Data Processor is one who processes data on behalf of a Controller.

For companies doing business on the Internet, the ECJ’s decision has four key take-aways: 1) certain automated processes conducted over the Internet are inherently “data processing” subject to the Directive; 2) it is almost axiomatic that a service operator will also be a “controller” because the operator determines the purpose and method of processing the data; 3) a territorial nexus to an EU member state exists where the data processing is in relation to other commercial activities that occur within or are directed at the member state; and 4) an individual has the right to request removal of links to information related to his name because the additional information has the potential to create a broader data profile affecting the subject’s privacy rights.

1. Certain Automated Processes Are Inherently “Data Processing”

The ECJ began its analysis by discussing the services offered by Google. The ECJ held that by searching automatically, constantly and systematically for information published on the Internet, by indexing, storing and retrieving those information records, by organizing the data in question, and storing it on servers and, ultimately, disclosing and making it available in the form of structured lists of results, Google is expressly and unconditionally a “Processor” of data, regardless of the fact that it conducts these activities without distinguishing personal data from other types of information, even under circumstances that exclusively concern material that has already been published as it stands in the media.

For U.S. companies the implication is clear. Whether a company provides or utilizes most, if not all, of today’s cloud-based digital business services, the acts of automatically searching, indexing, storing, organizing, retrieving, disclosing or otherwise making data available make such companies data processors subject to the Directive.

2. A Service Operator Will Almost Always Be A “Controller”

After determining that Google was a data processor, it was nearly a foregone conclusion that Google was also a “Controller” of data. According to the ECJ, Google is the controller since it determines the purposes and means of the processing. Without saying as much, the ECJ concluded that Google’s activity of locating, indexing, storing and retrieving information published by third parties (e.g. original source web sites such as the newspaper) was in addition to that of publishers of web sites and, therefore, liable to affect the fundamental rights to privacy and to the protection of personal data. Google’s liability was derivative of the original publisher with the same responsibilities, powers and capabilities, to ensure compliance with the Directive.

3. Commercial Activities Directed At A Member State Create A Territorial Nexus

U.S.-based companies would do well to note the territorial scope of the Directive, since a U.S.-based company could be subject to the ECJ’s jurisdiction on questions of compliance with the Directive. With respect to the territorial scope, the ECJ stated that Google Spain – a subsidiary of Google Inc. – was located on Spanish territory and, therefore, an ‘establishment’ within the meaning of the Directive. Importantly, the ECJ explicitly rejected the argument that processing of personal data by Google Search is not carried out as part of the business activities conducted in Spain. According to the ECJ “data processed for the purposes of a search engine operated by an entity that has an establishment in a Member State [has] a nexus if [it conducts] other commercial activities within the Member State.” For example, Google search engine results were connected to Google’s commercial activity of selling advertising to users located in Spain.

4. An Individual Has The Right To Request Removal Of Personally-identifiable Links

One aspect of the judgment has gotten the most media coverage: “the right to be forgotten.” This stems largely from the fact that there is no U.S. equivalent. Given our broad freedom of speech and press, enshrined in the nation’s Constitution, the idea that one’s past can be ‘scrubbed’ is anathema to most U.S. citizens. Nevertheless, given the broad EU focus on protecting the privacy of the individual, the ECJ upheld an individual’s right to request removal of links to information related to the individual’s name on the theory that the additional information has the potential to create a broader data profile affecting the subject’s privacy rights. According to the Court, the real risk is that an Internet user, who searches an individual’s name, can obtain other information concerning “a vast number of aspects” of his private life enabling Internet users to establish a detailed profile of the person. This “profiling effect” is heightened since the Internet and search engines now make access to such information ubiquitous. Hence, Google is, in certain circumstances, obliged to remove links to web pages that are published by third parties and contain information relating to a person from the list of results displayed following a search made on the basis of that person’s name. The ECJ underscored that the obligation may also exist in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even when its publication on those pages is lawful.

A Murky Future

Recognizing that the information sought may affect a legitimate interest in having access to that information, the ECJ cautioned in its holding that “a fair balance should be sought in particular between [the data subject’s privacy] interest and the data subject’s fundamental rights, in particular the right to privacy and the right to protection of personal data.” Unfortunately, the ECJ’s framework for achieving that balance was anything but clear: “the balance may … depend, in specific cases, on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life.” The touchstone inquiry appears to be an examination of whether “even initially lawful processing of accurate data may, over time, become incompatible … where the data appear to be inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed.” The ECJ gave no insight as to how or under what circumstances that would occur.
