So everyone knows it, Google is polymorphous. It has experienced many different forms: mere facilitator, publisher, hosting provider, caching provider… The latest legal label stuck on its mutant forehead is that of “data controller” and this has been done quite “noisily” by the Court of Justice of the European Union (CJEU) in its Google Spain “Costeja” judgment of 13 May 2014 (at least by listening to the numerous reactions that this judgement has triggered).
For background context, the CJEU was asked to rule on three questions concerning the interpretation of the Data Protection Directive with regard to the data processing activities of search engine providers, their status as data controllers, and the existence and scope of the so-called ‘right to be forgotten’.
One of the most creative findings of the CJEU can be formulated in two propositions:
- The operator of a search engine processes personal data (See ).
- As such, the operator is a data controller (See )
Why did the CJEU find it useful to characterise the operator of a search engine as a data controller? Because it wanted to impose upon Google a very specific obligation: an obligation
“to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person”,
when the processing of personal data through the means of these webpages is or becomes incompatible with the Data Protection Directive.
Could the CJEU have reached the same solution without characterising Google as a data controller? Looking at the way the Spanish Court had formulated its questions and their respective order, it seems that only if Google was a data controller would it then be possible to recognise a legal obligation upon it to delist.
Yet, the obligation to delist is obviously not the sole obligation borne by a data controller. Under Article 6(2) of the Data Protection Directive, the data controller has to make sure the data quality principles are also complied with. Some then say that it does not make sense to characterise Google as a data controller because the principle of data minimisation (the personal data processed must be relevant and not be excessive in relation to the purpose for which they are processed) does not make sense when applied to the activity of search engines. Well, it might be that the obligation to delist is the very means by which the principle of data minimisation can be complied with.
Generally speaking, Art. 22 of the Data Protection Directive provides that
“Without prejudice to any administrative remedy for which provision may be made, inter alia before the supervisory authority referred to in Article 28, prior to referral to the judicial authority, Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question”and Art. 23(1) that “Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered”.
This is thus where the ground starts to move. And this is where the recent UK case Max Mosley v Google dated 15 January 2015 becomes really fascinating.
In a nutshell, and not to relate the whole Mosley saga on the facts, the claimant (Max Mosley) had requested that Google cease the listing of results including thumbnails directing to websites displaying the full version of images containing private information (still images of a video footage taken by a prostitute and featuring the claimant) on the ground of s.10 of the UK’s Data Protection Act 1998 (DPA). Under section 10, individuals have a (limited) right to require the data controller not to process data where such processing causes, or is likely to cause, the individual or anyone else unwarranted substantial damage or distress. Google refused to acknowledge this right against it for a variety of reasons, arguing in particular that it was not a data controller (which after the CJEU’s judgement was not really tenable) and that the notices did not “identify the personal data in respect of which it was given or the steps required to cease processing it”.
The claimant thus brought a suit against Google on the grounds of s.10, 13 and 14 of the DPA. Under section 13, individuals are entitled to compensation from data controllers for damage caused by any breach of the DPA. Under section 14, an individual can obtain a court order for the rectification, blocking, erasure or destruction of data that is inaccurate.
The first part of his claim is a claim for monetary compensation but Mr. Justice Mitting had decided to stay that part of the claim until the appeal in the case of Google Inc v Vidal-Hall had been decided (the appeal was decided on 27 March 2015 and it will be discussed in a following post).
Irrespective of the result of this appeal, can a search engine, obviously Google in this case, be held financially liable for the damage suffered by the claimant as a result of the listing of personal data incompatible with the Data Protection Directive but published by others?
It would seem that if the search engine is a data controller the answer should be affirmative, although it would be odd as the e-commerce Directive sets forth horizontal third-party liability immunities to the benefit of intermediary service providers including caching and hosting providers. (As Google hosts the links and it seems also the thumbnails it is arguable that it is more a hosting than a caching provider in the end).
But I hear you saying, the Data Protection Directive and the e-commerce Directive cannot be interpreted together as Article 1 of the e-commerce Directive provides that the Directive “shall not apply to questions relating to information society services covered by Directives 95/46/EC and 97/66/EC”.
Such an odd result might explain paragraph 12 of the Article 29 Data Protection Working Party’s recentguidelines on the implementation of the CJEU’s Google Spain “Costeja” judgement, which states that:
“By making a request to one or several search engines the individual is making an assessment of the impact of the appearance of the controverted information in one or several of the search engines and, consequently, makes a decision on the remedies that may be sufficient to diminish or eliminate that impact”.
Mr Justice Mitting seems to be of the opinion that the exclusion of Article 1 of the e-commerce Directive does not make sense, although he does not make the point in relation to the claim for compensation but in relation to the claim for injunctive relief. Google could therefore be both a data controller and an intermediary service provider.
The second part of the claim is a claim for an order enjoining Google to “take appropriate technical measures” to block the search result images, in other words a claim for an order enjoining Google to implement a stay-down mechanism …relying upon the implementation of a content identification and filtering system to prevent the future indexing of identical or similar images.
Mr Justice Mitting ultimately found that the claimant has a “viable claim which raises questions of general public interest, which ought to proceed to trial”. And this is true even if the Data Protection Directive and the e-commerce Directive are read together as Articles 12 to 14 of the e-commerce Directive clearly distinguish between two types of remedies – monetary compensation and injunctions- making it possible for intermediary service providers to be the addressees of injunctions.
What is interesting to note at this stage is that stay-down obligations (which go beyond than take-down obligations as they require the implementation of filtering mechanisms to prevent the future reappearance of unlawful content) triggered by the reception of a notification have been held contrary to Article 15 of the e-commerce Directive by the French Supreme Court in 2012. However in the Mosley case the stay down obligation would not be triggered by a notification but by a judicial order having previously checked whether the search results at stake are incompatible with the Data Protection Directive or its national transposition, which arguably is a different scenario.
Even more interesting, in the French case Max Mosley v Google, (the Tribunal de Grande Instance back in November 2014), did enjoin Google not to include for a period of 5 years 9 unlawful pictures within its search results… (which strictly speaking is not exactly saying that Google cannot include within its search results links to webpages displaying these pictures… by the way). But guess what? The Tribunal in this case did check whether Google could benefit from Article 14 of the e-commerce Directive and found that it could not as its activity as a search engine was not neutral and passive….It concluded that Google upon reception of the claimant’s notifications should have taken down the images and made sure they could not reappear too quickly!
What a mess! Could we have a reference for a preliminary ruling please!
Sophie Stalla-Bourdillon is Associate Professor in Information Technology and Intellectual Property Law at the University of Southampton
This post originally appeared on the Peep Beep! blog and is reproduced with permission and thanks