Although search engines operate businesses which target advertising to inhabitants of a particular European Union member state, they cannot generally be deemed to be 'data controllers' of data processed by their search engines in connection with those member states, Court of Justice of the European Union (CJEU) Advocate General (AG) Niilo Jääskinen said.
The Advocate General was providing his opinion on a case currently before the CJEU, the EU's highest court. The Court has been asked to rule whether Google can be considered to be a 'data controller' that is required to comply with the data protection regime in Spain.
Spain's data protection authority, the AEPD, ordered Google to "take the necessary measures to withdraw" information about some individuals from its search index and to "render future access to the information impossible via their search engine". However, Google and Google Spain both appealed against that order to the Spanish courts.
The Audiencia Nacional in Spain has, referred a number of questions on the application of EU data protection rules to search engines to the CJEU to answer. Google has argued that as its search engine business is based in the US the EU's Data Protection Directive should not be applied to it. It has said that the fact it has a Spanish subsidiary is irrelevant because that business is only responsible for selling advertising on Google and has no role in the operation of the search engine itself.
However, the AEPD has argued that Google is subject to the Directive's rules, should be considered to be a 'data controller' and should be required to "remove [personal data] when that data has been lawfully published on another website and is kept on the page from which it originates".
Under current EU data protection laws organisations are generally allowed only to collect and store personal data that is strictly necessary and proportionate for its purposes. An individual has the "right to obtain, at his request ... the rectification, erasure or blocking of data which are incomplete, inaccurate or stored in a way incompatible with the legitimate purposes pursued" by organisations responsible for, and in control of, their personal data – 'data controllers'.
The Advocate General said that the way that the search engine copies, indexes, caches and displays the information constitutes "processing" of personal data. Jääskinen said, though, that although search engines can also be said to collect, record, organise, store and perhaps use, disclose or make available and combine personal data, they could not be said to be 'data controllers' responsible for adhering to all the provisions contained in the Data Protection Directive.
"The internet search engine service provider merely supplying an information location tool does not exercise control over personal data included on third-party web pages," the CJEU's advisor said. "The service provider is not ‘aware’ of the existence of personal data in any other sense than as a statistical fact web pages are likely to include personal data. In the course of processing of the source web pages for the purposes of crawling, analysing and indexing, personal data does not manifest itself as such in any particular way."
"In my view the internet search engine service provider cannot in law or in fact fulfil the obligations of controller ... in relation to the personal data on source web pages hosted on third-party servers," he added.
However, Jääskinen said that if search engines decide not to comply with "exclusion codes" that website operators can use to prevent information being indexed in search rankings, or a request from operators to update a web page in its cache, they can be said to be data controllers under the Directive.
Where search engines are considered to be data controllers those businesses have "legitimate interests" in processing personal data and can do so without individuals' consent, the Advocate General said.
By making information more accessible to internet users, helping disseminate published information more effectively and enabling a number of other "ancillary" information society services as a by-product of its indexing, search engines respect fundamental EU rights on the freedom of information, freedom of expression and freedom to conduct a business, he said.
Jääskinen said that these legitimate interests are generally pursued without search engines breaching rules that require personal data to be "adequate, relevant, and not excessive in relation to the purposes for which they are collected, and up to date, but not out dated for the purposes for which they were collected".
He said that EU laws do not provide individuals with a general 'right to be forgotten'. Search engines should not be "saddled" with any obligation to remove legally published personal data from their indexes, it said.
"The particularly complex and difficult constellation of fundamental rights that this case presents prevents justification for reinforcing the data subjects’ legal position under the Directive, and imbuing it with a right to be forgotten," the legal advisor said. "This would entail sacrificing pivotal rights such as freedom of expression and information."
"I would also discourage the Court from concluding that these conflicting interests could satisfactorily be balanced in individual cases on a case‑by‑case basis, with the judgment to be left to the internet search engine service provider. Such ‘notice and take down procedures’, if required by the Court, are likely either to lead to the automatic withdrawal of links to any objected contents or to an unmanageable number of requests handled by the most popular and important internet search engine service providers," he said.