Search engine activities are subject to data protection rules when processing online personal data
02/09/2014

On 13 May 2014 the European Court of Justice (“ECJ”) rendered a decision in a case in which the Court had to answer important questions relating to the material and territorial scope of application of the Data Protection Directive 95/46 on search engine activities and to a data subject’s “right to be forgotten”.

The situation at issue related to the Google search results’ display of links to web pages of a daily newspaper that contained announcements mentioning the plaintiff’s name and relating to a real-estate auction connected with attachment proceedings for the recovery of social security debts.

According to the ECJ, a search engine’s activity consisting in finding information that is published or placed on the Internet by third parties, indexing it automatically, storing it temporarily, and, finally, making it available to Internet users must be classified as “processing of personal data” if that information contain personal data. In this regard, the ECJ already stated in the past that loading personal data on an Internet page must be considered to be such “processing” (see Case C-101/1 Lindqvist). But, here, there is more to come: Unlike the opinion of the Advocate General who expressly argued for a reasonable interpretation of that concept, the ECJ ruled that, since the search engine operator determines the purposes and means of that activity, and thus of the processing of personal data that it carries out by itself, the search engine operator must be regarded as the “controller” in respect of that processing, notwithstanding the fact that those data were first published on third parties’ web pages.

Normally, the territorial scope of application of the Directive is triggered by either the location of the establishment of the controller in the European Union or the location of the means or equipment being used if the controller is established outside the EU. Nationality or place of habitual residence of data subjects is not decisive, nor is the physical location of the personal data. In the case here, the search engine operator argued that the processing of personal data at issue was carried out exclusively by the American mother company, without any intervention from the local European subsidiaries whose activity is limited to providing support to the group’s advertising activity, which is separate from its search engine service. Nevertheless, the ECJ found that the processing of personal data in question is not required to be carried out “by” the controller itself, but only to be carried out “in the context of the activities” of the establishment of the controller. Therefore, the processing of personal data for the purposes of the service of a search engine is carried out “in the context of the activities” of the local establishment if the latter is intended to promote and sell—in that Member State—advertising space to make the services offered by that engine profitable.

The ECJ also stated that the “right of access” to personal data processed by the controller and the “right to object” to such processing in certain situations have to be interpreted as enabling the data subject to require the search engine operator to remove from the displayed list of results, following a search made on the basis of his name, links to web pages published lawfully by third parties. Those data subject’ rights override—as a rule—in not only the economic interest of the search engine operator but also the interest of the general public in finding that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for “particular reasons” such as the role played by the data subject in public life, that the interference with the data subject’s fundamental rights is justified by the preponderant interest of the general public in having access to the information in question through the list of search results.

Also, the ECJ did not recognize the search engine’s processing of personal data to be carried out “solely for journalistic purposes”, so the operator may not benefit from derogations from the requirements laid down by the Directive.

This decision might be considered a landmark case, but it does not solve everything. On the contrary, it raises new questions, such as the search engine operators’ compliance process with other data protection obligations, and farreaching practical issues, such as the implementation of appropriate take-down mechanisms. Also, it is noteworthy that the ECJ did not refer to Article 10 of the European Convention on Human Rights which protects the freedom of expression and information, covering the freedom to receive and impart information.

Related : Stibbe ( Mr. Erik Valgaeren ,  Mr. GĂ©rald Origer ,  Mr. Nicolas Roland )

Mr. Erik Valgaeren Mr. Erik Valgaeren
Partner
erik.valgaeren@stibbe.com
Mr. GĂ©rald Origer Mr. GĂ©rald Origer
Executive Partner
gerald.origer@stibbe.com
Mr. Nicolas Roland Mr. Nicolas Roland
Counsel
nicolas.roland@stibbe.com

Click here to see the ad(s)
All articles Media law

Lastest articles Media law

Digital content makers’ do’s & don’ts in the Digital single market
30/09/2019

The Directive (EU) 2017/790 on copyright and related rights in the Digital Single Market was adopted by the Euro...

Digital content makers’ do’s & don’ts in the Digital single market Read more

Newsflash GDPR : A “Like” button on your website? Then you are a joint controller together wi...
02/09/2019

In a judgment of 29 July 2019 ( C-40/17, Fashion ID GmbH & Co ) the European Court of Justice ruled that ope...

Newsflash GDPR : A “Like” button on your website? Then you are a joint controller together with Facebook! Read more

Using social plug-ins on your website? You and the social network will be jointly liable for the ...
31/07/2019

Using social plug-ins on your website? You and the social network will be jointly liable for the data processing Read more

Nieuwe “online broadcasting” richtlijn in werking
25/06/2019

In de schaduw van de “Digital Copyright Directive” (Richtlijn 2019/790 van 17 april 2019, cfr. onze bijdr...

Read more

Lastest articles by Mr. Erik Valgaeren

Oops! Caught red-handed? What are the sanctions for violating data protection rules?
18/08/2016

This is not a trivial question because the supervisory authority designated in each Member State will now be entitled to i...

Read more

GDPR: Cross-border transfers - don’t be on the wrong track!
04/07/2016

The virtual world has no borders, and we often do not realize the massive data flows generated within companies operating ...

Read more

Watch out for your drone: new Belgian Royal Decree is out!
27/04/2016

The Royal Decree on the use of drones in the Belgian airspace has come into force on 25 April 2016. The Royal Decree autho...

Read more

Article 29 WP sceptical on the EU/US Privacy Shield
15/04/2016

On 6 October 2015, the CJEU invalidated the U.S. Safe Harbor. The EU Commission then published a draft adequacy decisio...

Read more

Lastest articles by Mr. GĂ©rald Origer

Article 29 Data Protection Working Party issues Opinion on Personal Data Breach Notifications
19/09/2014

On 25 March 2014, the Article 29 Working Party ("WP 29") issued Opinion 03/2014 (the "Opinion"). The Opinion provides guid...

Read more

European Court of Justice declares the Data Retention Directive invalid
12/09/2014

In its decision of 8 April 2014, the European Court of Justice ("ECJ") declared the Data Retention Directive 2006/24/EC (t...

Read more

European Court of Justice specifies conditions under Article 8(3) of the Copyright Directive gove...
27/08/2014

In a decision of 27 March 2014, the European Court of Justice (“ECJ”) held that Article 8(3) of Directiv...

Read more

Svensson-case: European Court of Justice rules hyperlinking to protected works can be done withou...
19/08/2014

In 2012, the Court of Appeal of Svea (Sweden) submitted to the European Court of Justice (“ECJ”) preliminary ...

Read more

Lastest articles by Mr. Nicolas Roland

Court of Cassation: right to privacy encompasses (online) ‘right to be forgotten’
15/11/2016

On 29 April 2016, the Court of Cassation dismissed an appeal lodged by the Belgian newspaper Le Soir against the ruling of...

Read more

New data retention obligations for providers of publicly available electronic communications serv...
07/11/2016

On 18 July 2016, the Belgian Official Gazette published the Act of 29 May 2016 on the collection and storage of data in th...

Read more

Oops! Caught red-handed? What are the sanctions for violating data protection rules?
18/08/2016

This is not a trivial question because the supervisory authority designated in each Member State will now be entitled to i...

Read more

GDPR: Cross-border transfers - don’t be on the wrong track!
04/07/2016

The virtual world has no borders, and we often do not realize the massive data flows generated within companies operating ...

Read more

LexGO Network