Advocate General Conclusions in “Google Spain”: web search engines are not obliged to delete personal data from search results.
Last week, the Advocate General (AG) Jaaskinen adopted a proposal for a judgement very favorable to Google in his Opinion of 25 june 2013, C-131/12, “Google Spain”. In Salvador Ferrandis & Partners, we were glad to notice that Mr. Jaaskinen cited on several occasions a book edited by Aurelio Lopez-Tarruella, an Of counsel Attorney of our Law Firm: Google and the Law, T.M.C. Asser Press, The Hague, 2012 (see footnotes 5, 53 and 68).
The facts of the case are the following. A particular asked a Spanish newspaper to delete from its website some prejudicial information about himself. The newspaper said they were not obliged because the publication of that information was mandated by law. The particular tried the same result with Google: he asked Google Spain and Google Inc (USA) not to index the URL of the newspaper where the prejudicial information was published. Since Google gave a negative answer to the petition, the particular filed a complaint against the US company and the Spanish subsidiary before the Spanish Data Protection Agency (AEPD). The AEPD ruled in favor of the particular, but Google appelled. On appeal, the Audiencia Nacional stayed the proceedings and referred to the Court of Justice for a preliminary ruling.
The Audiencia nacional questions relate to three issues:
Firstly, the territorial scope of application of Directive 95/46. The AG affirms that Google Inc (USA) is bound by the obligations established in this instruments. The reason is that the Mountain View company has several subsidiaries in the EU which are to be considered “establishment in EU territory” in the sense of art. 4 of the Directive. Even if these establishments do not perform themselves any of the data processing activities related to the web search engine, their activities are essential for Google’s business model. In particular, they are in charge of promoting keyword advertising in European national markets, an activity which is essential in Google’s business model.
Secondly, the AG understand that Google is not to be considered as a “controller” (art. 2 d) in relation to the personal data which is listed by its search engine. As a general rule, “internet search engine services providers merely supplying an information location tool does not exercise control over personal data included on third-party web pages. The service provider is not ‘aware’ of the existence of personal data in any other sense than as a statistical fact web pages are likely to include personal data (par. 84). If certain circumstances are fulfilled – in particular when they control the index of the search engine which links key words to the relevant URL addresses, ISPs will be considered “controllers”, however that is not the case of Google. Because of that, the AG considers that in the case at hand, the AEPD cannot require Google to delete information from the result list of the web search engine.
Finally, the AG states that in those cases where search engines might be considered “controllers” (that, as previously said, is not the case for Google), they are not bound by arts. 12 and 14 of the Directive (right to erasure and blocking of data) to delete from the result list information relating to a particular person, published legally on third parties’ web pages, event if that person is invoking his wish that such information should not be known to internet users when he considers that it might be prejudicial to him or he wishes it to be consigned to oblivion.