Google has recently confirmed that it is refusing to extend its “de-indexing” procedures following the Google Spain decision to Google.com. This position is legally indefensible and is likely to be challenged in an EU court in the near future.
As has been widely reported (see, for example, the Independent), Google has released a Transparency report on “European privacy requests for search removals”. This tells us that between 29 May 2014 (when the process was launched) and October 2014, there have been 151,100 removal requests and 41.5% have been removed. A total of 19,359 requests have been received from the UK (compared with 29,936 for France and 25,887 for Germany).
The term “removal” is misleading. Google does not “remove” any URL from the web but rather “delists” that URL when the requesting individual’s name is searched. In other words, the “removal request” results in an instruction to a Google search engine not to display certain results.
What Google does not tell us in its Transparency Report is which search engines this procedure is applied to. However, Google’s approach was spelled out in its response to inquiries from the EU Article 29 Working Party in July 2014.
The following question was posed:
Do you delist results displayed following a search:
1. Only on EU / EEA domains?
2. On all domains pages accessible from the EU / EEA or by EU/EEA residents?
3. On all domains on a global basis?
Google’s response was as follows:
“We remove the identified links from search results in our European versions of our search services. Specifically, such links do not appear in search results for queries on the data subject’s name (alone or in combination with other query terms) in our search services targeted to EU and EFTA countries.
National versions of our search service are offered from the relevant ccTLD (country code top level domains) for each country, like google.fr for France and google.it for Italy. We have developed different versions of our search service to meet local user preferences in almost every country. We actively redirect European users from google.com to the appropriate ccTLD, and European users overwhelmingly use those services. Fewer than 5% of European users use google.com, and we think travellers are a significant portion of those.
It is our long-established practice to comply with national law by processing removals from search results for the version of search on the national ccTLD. We regularly remove results from country-specific versions of search in this manner, typically based on notice through our user-facing webforms informing us of potential violations under national law. For example, users in Germany may alert us to pages featuring extremist content that violates German law, which we would remove from the google.de search results.
In its decision, the CJEU presented a legal interpretation affecting multiple countries simultaneously. We heard some DPAs and others call for consistency across states in implementing it, and we have therefore decided to respect that effort by extending each removal to all EU/EFTA ccTLDs”.
But the Google Spain ruling does not differentiate between google.com and the “European versions” of search services. The Court recorded, as a fact established by the “referring court” that
Google Search is offered worldwide through the website ‘www.google.com’. In numerous States, a local version adapted to the national language exists. The version of Google Search in Spanish is offered through the website ‘www.google.es’, [43].
The issue in the proceedings concerned the making of a search using “Google Search” (with no differentiation between “google.com” and the “local versions”).
The CJEU held that Google, as the operator of the search engine, was the controller of the personal data being processed [41]. The very display of personal data on a search results page constitutes processing of personal data [57]. This is carried out in the context of an establishment of the controller on the territory of a member state – that is the country specific companies which promote and sell advertising – such as Google Spain SL or Google UK Ltd.
However, Google’s erroneous position in relation to Google.com was confirmed at a public hearing of the Google “Advisory Council on the Right to be Forgotten” on 16 October 2014 by Google’s Executive Chairman Eric Schmidt.
The Techcrunch blog reports that, in response to a question from the audience, Mr Schmidt said
“As we read the law it applies to the EU which is the jurisdiction of the court. And of course we have now done the 150,000 reviews and so forth and so on. The Google.com domain is actually U.S. targeted, and what happens is when you come to Europe your default access is to the .uk or .de or .fr or what have you. And since the court focused on European users we’re going to focus on those domains. A very small percentage — less than 5 per cent — of European traffic goes to .com so 95 per cent or more are to these sites, I don’t know the exact number, and that’s where the action is,”
But this answer misses the point: the question is not “on what country is the particular version of Google targeted” but “where is the data processed”. A search on Google.com can be carried out in any EU country – when such a search is carried out against the name of a living individual that individual’s personal data is processed in the EU and Google Inc is the data controller. If inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue carried out by” Google, then the information must be erased (Google Spain, [94]).
The percentage of traffic which on google.com (or any other version of the search engine) which comes from EU countries is irrelevant: if the data are processed in the EU (as it is when a search is performed) then EU law applies.
It seems unlikely that Google have failed to grasp the basic legal point here. The attempt to exempt Google.com seems to be driven by US political considerations rather than legal analysis. The Article 29 Working Party is currently considering the way in which the operators of search engines comply with the Google Spain ruling. It seems likely that when it publishes its conclusions it will make it clear that compliance with the ruling is not optional and that Google must comply in relation to all versions of its search engine.
The Internet doesn’t have borders, and there is no practical way to achieve the 100% censorship mandated by the EU law. Even if Google were to impose stringent Geo-based IP filtering, all an EU user would need to do is proxy around it using TOR or some other VPN to obtain unfiltered results from google.com.notEU. There is no reasonable or rational basis to deprive the non-EU world access to something merely as a consequence of chasing decimal places to satisfy what amounts to a local law. The EU’s censorship doesn’t and shouldn’t reach into the rest of the non-EU world.
Actually, it seems like quite a credible position to take that “targeting” is the relevant test to be applied in order to localise an act under EU law (whether of processing, communication to the public, trade mark use, or otherwise). The same approach applies in many other areas, including under the Brussels I Regulation, the Trade Marks Directive/CTM Regulation, the Infosoc Directive, among others. Why should a different approach be taken under the DPD? The more interesting question is where, if anywhere, Google.com is actually targeted.