In Europe, all information regarding an individual made available publicly has been termed “personal” information, thanks to a man who fought to be forgotten and now remembered forever. For Google, this is of course an added burden. This post takes a closer look at this most ironic internet story of all time.
Search engines that were once thought to run errands on the internet for the sake and benefit of the internet user, are no longer errand-boys as they were once thought but are now considered as masters by their own right, as per Court of Justice of the European Union (EUCJ) last year. Among the multitude of issues dealt in the case, the most intriguing question was whether Google’s search engine acts in the capacity of a data controller under Article 2(d) of the Data Protection Directive (DPD).
What is a “Data Controller” and why should you care?
The said provision defines a controller as “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data […]”.This is important because a data controller has most of the responsibilities of protecting a person’s privacy in the EU.
In the judgement, the EUCJ found that it is the search engine that determines the means and purposes of a search query of an internet user. In fact, the search engine decides what the search is for, and deploys the means that result in collecting, retrieving, indexing, caching and finally displaying it on the web browser of the user. Thereby, Google in essence performs the function of a controller as espoused under Article 2(d) of the DPD.
The very foundation of this case is based on the finding that Google is not an intermediary, let alone a processor, but a controller that determines the means and purposes of a web-search. The EUCJ unequivocally held that a search query using the name of the data subject amounts to processing of personal data. Whether the data processed is in fact personal or not is a separate discussion which this column will not venture into. However, it is sufficient to note at this point that by holding every piece of information found over the internet relating to an individual as “personal”, the EUCJ has effectively blurred and merged the core aspects of personal data, namely, identity (when data is capable of pin-pointing to a particular individual), reasonableness (it is not too difficult or costly to pin-point to an individual based on the data) and relatively (same data may be deemed personal to one person and may not be to another).
However, for the purpose of this column, it is sufficient to assume that all information regarding an individual made available publicly, is personal. This means that the search engine does indeed ‘process’ data when it operates its search algorithms over the internet by retrieving and indexing data that matches the query. However, the characterisation of Google search engine as a controller warrants further consideration.
Whilst the EUCJ proceeded to distinguish processing by websites and processing by search engines it went on to hold, without any further ado, that it is the search engine which determines the purposes and means of that activity as per Article 2(d) of the DPD. However, the Court fails to clarify what it means by that activity. Therefore, it is open to conclude that the following would amount to that activity;
“[…] exploring the internet automatically, constantly and systematically in search of the information which is published there, the operator of a search engine ‘collects’ such data which it subsequently ‘retrieves’, ‘records’ and ‘organises’ within the framework of its indexing programmes, ‘stores’ on its servers and, as the case may be, ‘discloses’ and ‘makes available’ to its users in the form of lists of search results”
The conundrum arises when EUCJ, while refraining from referring to the actual mission statement of Google to ascertain their purpose, holds that the mere operation of a search (by using algorithms known only by the search engine) is enough to become a controller. But is it?
Is it reasonable to characterise Google search engine as a controller after all?
Simply put, it has been a while since the term “Google” has lost its status as a proper-noun and is instead being used as a verb referring to the act of using the search engine to basically search for information stored across the internet. Googling means searching, simple as that. After all, we have all googled someone or the other, using the search engine merely to assist our so-called background checks – simply due to its convenience (as opposed to pouring over old dusty archives).
What the search engine does is it runs our search-terms through a complex arrangement of algorithms and displays results from websites – except for those protected from robot.txt syntax (meaning the site requests the search engine to not display it). In fact, the search engine is merely performing the order given to it by the user, who has decided to make use of the service; it is acting only on behalf of the said user. Accordingly, the more prudent approach would be to characterise the search engine which complies with a search request only in the capacity of a “Processor” under the DPD (which has far less responsibilities when it comes to privacy).
It is noted here that running a search query should be distinguished from a search engine collecting data on its user to build a profile for its own economic benefit. In that latter case, a search engine decides the purpose of collection and means to do so. However, the EUCJ states that aggregation of information by a search engine enables a user to obtain a structured overview of the information relating to the “data subject” in question, thus enabling the user to establish a profile on the data subject. Thus, the defining factor is the human intervention in building the profile.
However, had the search engine, on its own volition, displayed a summary of the results on the side of the web-browser, it could then be argued that the engine has processed data for the purpose of making that profile. In the absence of knowledge on the part of the search engine to determine the search query relates to personal data further dilutes the finding that it is functioning in the capacity of a controller.
Furthermore, in light of finding the search engine to be a controller, it remains unanswered whether the processing it undertakes as a controller adheres to the provisions of Article 6(1)(a) which requires personal data to be processed lawfully and Article 7 of the DPD when it is deemed that a search engine is a controller at every occasion it performs the task of retrieving and indexing. Article 7 provides conditions under which personal data can be processes, which includes consent from data-subject or processing is necessary to perform contract, to comply with legal obligation, in the public interest or vital interests of data-subject and finally legitimate interests as pursued by controller. In that sense, such controller must process information legitimately based on any of the criteria laid down in Article 7 of the DPD, otherwise it can be construed that every search operation is in fact illegal. Accordingly, the only plausible limb under Article 7 according to the EUCJ is to pursue a legitimate interest under Article 7(f).
Article 7(f) is of course not an exclusive ground for processing. It is conditioned by any overriding fundamental rights of the data subject in question. However, the Court fails to clarify what the ‘legitimate interests’ of a controller in this context could be, and if it is an economical one, before Court turned into the question of identifying any overriding rights and freedoms. Thus, proceeding into the question of balancing rights against an unclarified legitimate interest of the controller makes the entire exercise inconclusive, to say the least.
A few big questions
The ultimate question remains regarding whether it would be possible to maintain a right to be forgotten on information that is lawful and legitimate but simply shocks or offends a data subject. The Court has clearly waded into murky waters by imposing an undefined legitimate interest to the search engine and allowing anyone to maintain a right to control content on the internet leading to the tricky question of censorship.
Read more at: Wickramasinghe, Sanduni, The Oblivious Oblivion: A Critique on the EUCJ’s Right to Be Forgotten (November 25, 2015). Available at SSRN: http://ssrn.com/abstract=2782746
 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González (GC) C-131/12 9, 186 Decided on 13.05.2014 Available at: http://curia.europa.eu/juris/liste.jsf?num=C-131/12
 See paragraph 33
 Supra n1 paragraph 35
 Ibid., paragraph 33
 Ibid., paragraph 2
 Read more on robot.txt at https://support.google.com/webmasters/answer/6062596?hl=en
 Article 2(e) – ‘processor’ shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
 Ibid., paragraph 37