Google Legally Responsible for Personal Info?

The ultimate question is whether Google, in its capacity as a search engine provider, is legally required to honor individuals’ request to block personal data from appearing in search results.

GoogleWe now know the Advocate General’s Opinion in the most eagerly followed data protection case in the history of the European Court of Justice (ECJ). After the prolific enforcement actions of the Spanish data protection authority to stop Google showing unwanted personal data in search results, their court battles were escalated all the way to the ECJ. While the final decision is still a few months away, the influential Opinion of the Advocate General (AG) is a clear indication of where things are going.

The ultimate question is whether Google, in its capacity as a search engine provider, is legally required to honor individuals’ request to block personal data from appearing in search results. For that to be the case, the court will have to answer affirmatively a three-fold legal test:

1. Does EU law apply to Google? The AG’s Opinion is YES if the search engine provider has an establishment in a Member State for the purpose of promoting and selling advertising space on the search engine, as that establishment acts as the bridge between the search service and the revenue generated by advertising.

This seems like a rather artificial interpretation, as a global search engine provider may have different legal entities across the EU should not necessarily bring the data processing operations of that search engine provider within the scope of application of every single EU Member State. A more logical interpretation of the criterion that determines that applicability of EU law would be that an EU-based entity would have to be involved in the actual processing of personal data.

Unfortunately the AG does not deal with the question of whether Google Inc. uses equipment in Spain, so we don’t know whether an Internet company with no physical presence in the EU will be caught by EU law.

2. Does a search engine process personal data? The AG’s answer here is also YES, because notions of “personal data” and “processing” are sufficiently wide to cover the activities involved in retrieving information sought by users.

READ  The Industry Must Act on Auditing Food Waste

3. Is Google a controller of that data? Crucially, the AG’s answer is NO, because a search engine is not aware of the existence of a certain defined category of information amounting to personal data. Therefore, Google is not in a position to determine the uses made of that data. The key here is that Google does not identify search results data as being personal data at all. It is simply digital information that matches the search criteria but no Internet search engine can know whether the search criteria and search results include personal data unless they look at it, which they do not do.

So the conclusion, according to the AG, is that a data protection authority cannot compel Google to stop revealing personal data as part of search results.

In addition, the AG goes on to say that even if the ECJ were to find that internet search engine service providers were responsible as controllers for personal data appearing in search results, an individual would still not have a general “right to be forgotten,” as this is not contemplated in the current Directive.

Eduardo Ustaran is a partner at Field Fisher Waterhouse and the head of the Privacy and Information Law Group. He is an internationally recognized expert in privacy and data protection law. Eduardo specializes in the legal issues that derive from the use of information technology and the Internet. He has been named by Revolution magazine as one of the 40 most influential people in the growth of the digital sector in the UK. Eduardo advises on the impact of EU data protection and e-commerce law on the operational activities of all types of organizations, including FTSE 100 companies and public sector bodies. Eduardo is executive editor of European Privacy: Law and Practice for Data Protection Professionals (IAPP, 2011), and co-author of E-Privacy and Online Data Protection (Tottel Publishing, 2007) and of the Law Society’s Data Protection Handbook (2004). Eduardo regularly lectures at the University of Cambridge as part of its Masters of Bioscience Enterprise on data protection law.