The decision of the European Court of Justice on the Google case has been defined by most commentators as a landmark decision (European Court of Justice, Grand Chamber, Case C 131/12, Decision of May 13, 2014). On the one hand, this definition can be expected from people who are not experts in privacy matters; on the other hand, in all fairness, it is a landmark decision. It is so because of its echo, because the defendant is none other than one of the most successful companies in recent times, and because the operations of this company are now (presumably) in danger. It is also fair to say that to European privacy experts and practitioners it is by no means something completely unexpected or new.
Be that as it may, in this decision there are some key points that give considerable food for thought. The main points of the decision are the following: (A) when Google indexes web pages it acts as a controller of data; and (B) Directive 95/46/EC applies to Google Inc., i.e. the company that controls and manages the search engine, regardless of the fact that it is not a resident of the E.U.
The first point is that Google (n.b.: when I use the word Google, for the sake of simplicity, I refer to Google Inc.), as the entity that controls and manages the search engine, is an independent controller of personal data in its activity. Up to now, Google’s defense on this point has been that it is a mere mirror of the information others have published. The search engine collects and indexes web pages without filtering or making any distinction between personal data and other information; it only displays web pages, hence it cannot be considered a processor or a controller of personal data. The Court has rejected this defense. Google’s search engine (as the words of the decision itself say) is engaged in “finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference”. It was not contested that the data found, indexed and stored by the search engine are personal data; it was also not contested that the data were made available as search results under a natural person’s name; the Court has concluded that the logical consequence is that Google is a controller of personal data.
This principle, which is absolutely right from a legal and from a logical point of view, is not new. In much simpler words it had been previously expressed by the Italian Data Protection Authority in its decision of Jan. 18, 2006 (available as doc. # 1242501 on www.granteprivacy.it), a decision in a case where Google Italy was the defendant:
“PROVIDED that the search engine performs an autonomous processing of personal data of the claimant, more specifically through the setting up and the retention of the so-called “cache copies” of the pages of the original sites;
PROVIDED that with respect of such processing of personal data the data subjects can legitimately exercise their rights under the law and expect prompt response, assuming the law applies”.
The principle expressed in the decision of the ECJ is no surprise to anyone who knows or practices Privacy Law, and it should have been no surprise to Google itself. Google’s policy has always been that it would not remove a link to a page (and the more so if it was a web page of a newspaper) unless and until the owner of the site had cancelled the page itself. This is very logical as well: Google’s revenue derives from the continuous availability of all possible Internet-based sources of information to offer to its users. More information = more users = more ads = more revenue. Just as simple as that. It is my view that they knew they were processing personal data; if they did not know it (but I am hard-pressed to believe that) someone should have told them. Google here appears to have made a gross mistake: this is not a case of liability for publishing news or information about a person. Nobody can hold Google responsible for the content of the pages it indexes; in fact the claim is completely different: when Google retrieves, stores and makes available pages on the basis of a search under an individual’s name, that is a processing of personal data, independent and completely autonomous from the processing made by each owner of each site that is found in the final index. By refusing to accept this principle (and by fighting against it in a court of justice) Google has dug itself a hole from which the exit is neither clear nor easy.
Let me repeat it once again: the principle expressed by the ECJ is nothing new and nothing revolutionary; the same concept and principle had been expressed before by the Italian “Garante”. So, why did Google not react or, better yet, why did it do nothing to comply with the consequences of these findings by a national Data Protection Authority and address them in due time, without much damage? There are probably various reasons. Let’s assume that the Italian decision is the only precedent in this field: it probably was not known to Google itself. In the case I am referring to, the Italian Garante decided that Google Italy had no control over the search engine and that, as such, Italian Data Protection Law did not apply, differently from what the ECJ has decided. In practice, the claim was rejected, which means that the “obiter dictum” of the decision probably went unnoticed. The second reason is that Google’s approach to privacy, throughout the years, has been (to say the least) questionable; at the same time, on the opposite side, the approach to Google’s policies by the national Authorities (until recently, that is) has been very weak, spotty and unconvincing. This approach changed when the amount of mess Google had been able to produce reached a level where the National Authorities could not ignore it any longer. Today’s ECJ decision has been in the making for some time, and Google can only blame itself and its lack of foresight.
But in my view the main reason why Google has been dodging its privacy problems has been its belief that the European Authorities could not touch it. Google has always refused to apply EU law to its search engine, notwithstanding the fact that it was doing business in all EU countries. It has built its organization in a way to avoid jurisdiction in any place other than Santa Clara County, California, USA. It was convinced (or someone convinced them) that it could do so and live happily ever after. This is not the case. Actually, this has not been the case ever since the LICRA vs Yahoo litigation (the English translation of the decision of Nov. 20th, 2000 is available on www.gigalaw.com/library/france-yahoo-2000-11-20.html), but Google went on anyway, and in pretty good company, too.
Google in fact is not alone in using this policy. Most of the relatively new and successful major US high-tech companies have the same business model and the same approach: we’re this side of the ocean, there’s precious little that you can do to us, we only respond to US courts and law. Come and get us, if you can.
Which brings me to the second cornerstone of the decision of the EU: the EU Directive applies to Google, regardless of the fact it is based in California. The way the Court has arrived at its conclusion is quite simple. Google Spain sells ads for the engine. These ads make the management and the operation of the search engine viable. Again, let me use the words of the decision: the selling of advertisements by Google’s subsidiary and the activity of Google Inc., which operates the search engine,
“are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed”.
One cannot live without the other, therefore the processing of personal data carried out by Google Inc. (the controller) is carried out in the context of the activity of its subsidiary, established in a Member State, and as such the condition laid down by sec. 4.1. (a) is fulfilled. The Directive applies, as simple as that.
There’s one final point I want to make. I stressed above the fact that Google probably did not know the precedent laid down by the Italian Garante. Well, there’s another possibility. Maybe they knew it. Maybe they knew and decided not to do anything, in order to keep things quiet. A local decision, a singleton, an obiter dictum in a decision that rejects the plaintiff’s claim: who will ever notice? For some reason, this time they decided to appeal and the case was referred to the ECJ for a preliminary ruling. By appealing this decision, they have replicated the Streisand effect.
In 2002 Barbra Streisand sued Pictopia, a site that had published an aerial photo of her posh Malibu house. She sued and asked for 10 million dollars in damages; the news of the lawsuit instantly multiplied the number of accesses to Pictopia, which peaked at 420.000 in the following month. By suing the site to protect her privacy, Ms Streisand had achieved the opposite result.
Did Google achieve the same effect? Had Google not appealed the original Spanish Authority’s decision, how many people would have known about it anyway? And how many know about it today?