Thursday, July 25, 2013

Some Notes on AG's Opinion in Google Spain Case

Being in almost summer off-mode, I finally found some time to read AG's Opinion in Google Spain C-131/12. I was personally quite surprised to find there many references to eCommerce Directive safe harbors and secondary liability in the data protection law. Here are my notes with relevant passages.

But let me start with super short and superficial recap of what the case is about. Advocate General Jääskinen gives an advice to CJEU on three most important issues: a) territorial applicability of data protections laws, b) position of a search engine operator as a data 'controller' and c) right to be forgotten. He concludes that a) a business model matters when assessing establishment acitivities, b) a search engine operator does 'process' personal data, but is generally not a data 'controller' and that c) de lege lata there is no right to be forgotten.

The AG comes up with some surprising and some interesting arguments (see especially one on notice and take downs).

C –    Regulation of internet search engines

36.      The European Union has attached great importance to the development of the information society. In this context, the role of information society intermediaries has also been addressed. Such intermediaries act as bridge builders between content providers and internet users. The specific role of intermediaries has been recognised, for example, in the Directive (recital 47 in the preamble thereto), in the ecommerce Directive 2000/31 (24) (Article 21(2) and recital 18 in the preamble thereto) as well as in Opinion 1/2008 of the Article 29 Working Party. The role of internet service providers has been considered as crucial for the information society, and their liability for the third-party content they transfer and/or store has been limited in order to facilitate their legitimate activities.

37.      The role and legal position of internet search engine service providers has not been expressly regulated in EU legislation. As such ‘information location tool services’ are ‘provided at a distance, by electronic means and at the individual request of a recipient of services’, and amount thus to an information society service consisting of provision of tools that allow for search, access and retrieval of data. However, internet search engine service providers like Google who do not provide their service in return for remuneration from the internet users, appear to fall in that capacity outside the scope of application of ecommerce Directive 2000/31. (25)
This is in my opinion plainly wrong reading. Excluding all free access services from the definition is a wrong step. First of all, the services have to be only 'normally provided for remuneration', and secondly, search engines are in fact provided for remuneration (isn't Google one of the richest tech companies after all?). The remuneration is only payed by advertisers who subsidize the service for users, because AdWords as a typical multi-sided market charges different sides of market (users & advertisers) according their valuation for each other. Because advertisers have much stronger valuation for users, Google only charges them and thus subsidizes the service for the users with advertisers money. There are plenty of such examples in the on-line environment (e.g. YouTube, eBay etc.). Hopefully CJEU gets it right in Papasavvas C-291/13 (see my comment here).

38.      Despite this, it is necessary to analyse their position vis-à-vis the legal principles underpinning the limitations on the liability of internet service providers. In other words, to what extent are activities performed by an internet search engine service provider, from the point of view of liability principles, analogous to the services enumerated in the ecommerce Directive 2000/31 (transfer, mere caching, hosting) or transmission service mentioned in recital 47 in the preamble to the Directive, and to what extent does the internet search engine service provider act as content provider in its own right.

D –    The role and liability of source web page publishers

39.      The Court found in Lindqvist that ‘the operation of loading personal data on an internet page must be considered to be [processing of personal data]’. (26) Moreover, ‘placing information on an internet page entails, under current technical and computer procedures, the operation of loading that page onto a server and the operations necessary to make that page accessible to people who are connected to the internet. Such operations are performed, at least in part, automatically.’ The Court concluded that ‘the act of referring, on an internet page, to various persons and identifying them by name or by other means’ ‘constitutes “the processing of personal data” wholly or partly by automatic means within the meaning of Article 3(1) of [the Directive]’.

40.      It follows from the above findings in Lindqvist that the publisher of source web pages containing personal data is a controller of processing of personal data within the meaning of the Directive. As such the publisher is bound by all the obligations the Directive imposes on the controllers.

41.      Source web pages are kept on host servers connected to internet. The publisher of source web pages can make use of ‘exclusion codes’ (27) for the operation of the internet search engines. Exclusion codes advise search engines not to index or to store a source web page or to display it within the search results. (28) Their use indicates that the publisher does not want certain information on the source web page to be retrieved for dissemination through search engines.

42.      Therefore, technically, the publisher has the possibility to include in his web pages exclusion codes restricting indexing and archiving of the page, and thereby enhancing the protection of personal data. In the extreme, the publisher can withdraw the page from the host server, republish it without the objectionable personal data, and require updating of the page in the cache memories of search engines.

43.      Hence, the person who publishes the content on the source web page, is in his capacity of controller liable for the personal data published on the page, and that person has various means for fulfilling his obligations in this respect. This channelling of legal liability is in line with the established principles of publisher liability in the context of traditional media. (29)

44.      This liability of publisher does not, however, guarantee that the data protection problems may be dealt with conclusively only by recourse to the controllers of the source web pages. As the referring court has pointed out, it is possible that the same personal data has been published on innumerable pages, which would make tracing and contacting all relevant publishers difficult or even impossible. Moreover, the publisher might reside in a third country, and the web pages concerned could fall outside the scope of application of EU data protection rules. There might also be legal impediments such as in the present case where the retaining of the original publication on the internet has been considered to be lawful.

45.      In fact, universal accessibility of information on the internet relies on internet search engines, because finding relevant information without them would be too complicated and difficult, and would produce limited results. As the referring court rightly observes, acquiring information about announcements on the forced sale of the data subject’s property would previously have required a visit to the archives of the newspaper. Now this information can be acquired by typing his name into an internet search engine and this makes the dissemination of such data considerably more efficient, and at the same time, more disturbing for the data subject. Internet search engines may be used for extensive profiling of individuals by searching and collecting their personal data. Yet the fear relating to the profiling of individuals was the inspiration for the development of modern data protection legislation. (30)

46.      For these reasons, it is important to examine the liability of internet search engine service providers in respect of personal data published on third-party source web pages which are accessible through their search engines. In other words, the Court is here faced with the issue of ‘secondary liability’ of this category of information society service providers analogous to that it has dealt with in its case-law on trademarks and electronic marketplaces. (31)
I did some Google search and area of secondary liability in data protection law seems to be quite unexplored issue. As European law guarantees a private cause of action for data protection breaches (see Art. 22 of Data Protection Directive "Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question."), it might be interesting to see how were these cause of actions implemented in different countries in a broader system of aiding and abetting or even tort of negligence for third party wrongdoing.

E –    Activities of an internet search engine service provider

47.      An internet search engine service provider may have various types of activities. The nature and assessment of those activities from the data protection point of view may be different.

[..]

50.      However, the present preliminary ruling concerns Google acting as a simple internet search engine service provider in relation to data, including personal data, published on the internet in third-party source web pages and processed and indexed by Google’s search engine. Hence, the problems of the users and advertising customers, to whose data the Directive is undoubtedly applicable with respect to their relationship with Google, do not affect the analysis of the second group of preliminary questions. However, concerning the jurisdictional issues under the first group of preliminary questions these customer groups may be relevant.
[..]
B –    The concept of ‘controller’

76.      A controller (55) is according to Article 2(d) of the Directive ‘the natural or legal person … which alone or jointly with others determines the purposes and means of the processing of personal data’. In my opinion the core issue in this case is whether, and to what extent, an internet search engine service provider is covered by this definition.

77.      All parties except for Google and the Greek Government propose an affirmative answer to this question, which might easily be defended as a logical conclusion of a literal and perhaps even teleological interpretation of the Directive, given that the basic definitions of the Directive were formulated in a comprehensive manner in order to cover new developments. In my opinion such an approach would, however, represent a method that completely ignores the fact that when the Directive was drated it was not possible to take into account the emergence of the internet and the various related new phenomena.


[..]

81.      I doubt, however, whether this leads to a truthful construction of the Directive in a situation where the object of processing consists of files containing personal data and other data in a haphazard, indiscriminate and random manner. Does the European law professor mentioned in my example in paragraph 29 above determine the purposes and means of the processing of personal data included in the Court’s judgments he has downloaded to his laptop? The finding of the Article 29 Working Party according to which ‘users of the search engine service could strictly speaking also be considered as controllers’ reveals the irrational nature of the blind literal interpretation of the Directive in the context of the internet. (57) The Court should not accept an interpretation which makes a controller of processing of personal data published on the internet of virtually everybody owning a smartphone or a tablet or a laptop computer.

82.      In my opinion the general scheme of the Directive, most language versions and the individual obligations it imposes on the controller are based on the idea of responsibility of the controller over the personal data processed in the sense that the controller is aware of the existence of a certain defined category of information amounting to personal data and the controller processes this data with some intention which relates to their processing as personal data. (58)
The concept of processing of personal information as personal data reminds me of use of a sign as a trade mark. Test which intermediaries in trade mark law also fail to meet according to CJEU.

83.      The Article 29 Working Party correctly notes that ‘[t]he concept of controller is a functional concept, intended to allocate responsibilities where the factual influence is, and thus based on a factual rather than a formal analysis’. (59) It continues that ‘the controller must determine which data shall be processed for the purpose(s) envisaged’. (60) The substantive provisions of the Directive, and more particularly Articles 6, 7 and 8 thereof, are, in my opinion, based on the assumption that the controller knows what he is doing in relation to the personal data concerned, in the sense that he is aware of what kind of personal data he is processing and why. In other words, the data processing must appear to him as processing of personal data, that is ‘information relating to an identified or identifiable natural person’ in some semantically relevant way and not a mere computer code. (61)

C –    An internet search engine service provider is not a ‘controller’ of personal data on third-party source web pages

84.      The internet search engine service provider merely supplying an information location tool does not exercise control over personal data included on third-party web pages. The service provider is not ‘aware’ of the existence of personal data in any other sense than as a statistical fact web pages are likely to include personal data. In the course of processing of the source web pages for the purposes of crawling, analysing and indexing, personal data does not manifest itself as such in any particular way.
And what if he learns by means of a notice? Is he a controller then? From the following paragraphs, it seems that knowledge would be only important for secondary liability standards in national law, but not for re-qualification into a controller.

85.      It is for this reason that I find the approach of the Article 29 Working Party adequate as it seeks to draw a line between the entirely passive and intermediary functions of search engines and situations where their activity represents real control over the personal data processed. (62) For the sake of completeness, it needs to be added that issue of whether the personal data has become public (63) or has been disclosed legally on third-party source web pages is not relevant for application of the Directive. (64)
Footnote 62 refers to Opinion 1/2008 on data protection issues related to search engines, 4 April 2008, p. 14 of that states:
The principle of proportionality requires that to the extent that a search engine provider acts purely as an intermediary, it should not be considered to be the principal controller with regard to the content related processing of personal data that is taking place. In this case the principal controllers of personal data are the information providers. The formal, legal and practical control the search engine has over the personal data involved is usually limited to the possibility of removing data from its servers. With regard to the removal of personal data from their index and search results, search engines have sufficient control to consider them as controllers (either alone or jointly with others) in those cases, but the extent to which an obligation to remove or block personal data exists, may depend on the general tort law and liability regulations of the particular Member State.
So non-harmonized national tort law standards will determine important obligations. One difference to other search engines might be that they operate on a different basis. As above quoted Opinion states in respect to other services:

Search engine providers that specialise in the creation of value added operations, such as profiles of natural persons (so called ‘people search engines’) and facial recognition software on images must have a legitimate ground for processing, such as consent, and meet all other requirements of the Data Protection Directive, such as the obligation to guarantee the quality of data and fairness of processing.

86.      The internet search engine service provider has no relationship with the content of third-party source web pages on the internet where personal data may appear. Moreover, as the search engine works on the basis of copies of the source web pages that its crawler function has retrieved and copied, the service provider does not have any means of changing the information in the host servers. Provision of an information location tool does not imply any control over the content. It does not even enable the internet search engine service provider to distinguish between personal data, in the sense of the Directive, that relates to an identifiable living natural person, and other data.

87.      Here I would draw from the principle expressed in recital 47 in the preamble to the Directive. It states that the controller of messages containing personal data transmitted by telecommunication or by electronic mail is the originator of the message and not the person offering transmission services. This recital, as well as the exceptions to liability provided in the ecommerce Directive 2000/31 (Articles 12, 13 and 14), builds on the legal principle according to which automated, technical and passive relationships to electronically stored or transmitted content do not create control or liability over it.
This is very interesting "use" of safe harbors. AG is basically using them to point out that certain person should not be the principal addressee of the regulation. It brings me to the question if same line of argument did not in fact lead CJEU in Google France to reject trade mark use by Google when providing AdWords. The idea is to synchronize different applicable laws to ISPs (copyright, trade mark law, data protection law) with idea of the framework of eCommerce Directive. At the same time, the Opinion of Working party states what we already know from the IP law:

The question whether an intermediary should be considered to be the controller itself or a controller jointly with others with regard to a certain processing of personal data is separate from the issue of liability for such processing (16).
(16) In some Member States there are special horizontal exceptions (‘safe harbors’) regarding the liability of search engines (‘information location tools’). The Directive on Electronic Commerce (2000/31/EC) does not contain safe harbors for search engines, but in some Member States such rules have been implemented. [..]
This interpretation of a controller thus partially avoids this issue.
88.      The Article 29 Working Party has emphasised that, first and foremost, the purpose of the concept of controller is to determine who is to be responsible for compliance with data protection rules and to allocate this responsibility to the locus of the factual influence. (65) According to the Working Party, ‘[t]he principle of proportionality requires that to the extent that a search engine provider acts purely as an intermediary, it should not be considered as the principal controller with regard to the content related processing of personal data that is taking place. In this case the principal controllers of personal data are the information providers.’ (66)

89.      In my view the internet search engine service provider cannot in law or in fact fulfil the obligations of controller provided in Articles 6, 7 and 8 of the Directive in relation to the personal data on source web pages hosted on third-party servers. Therefore a reasonable interpretation of the Directive requires that the service provider is not generally considered as having that position. (67)

90.      An opposite opinion would entail internet search engines being incompatible with EU law, a conclusion I would find absurd. Specifically, if internet search engine service providers were considered as controllers of the personal data on third-party source web pages and if on any of these pages there would be ‘special categories of data’ referred to in Article 8 of the Directive (e.g. personal data revealing political opinions or religious beliefs or data concerning the health or sex life of individuals), the activity of the internet search engine service provider would automatically become illegal, when the stringent conditions laid down in that article for the processing of such data were not met.

D –    Circumstances in which the internet search engine service provider is a ‘controller’

91.      Internet search engine service provider clearly controls the index of the search engine which links key words to the relevant URL addresses. The service provider determines how the index is structured, and it may technically block certain search results, for example by not displaying URL addresses from certain countries or domains within the search results. (68) Moreover, the internet search engine service provider controls its index in the sense that he decides whether exclusion codes (69) on source web page are to be complied with or not.

92.      In contrast, the contents of the cache memory of the internet search engine cannot be considered as falling within the control of the service provider because the cache is the result of completely technical and automated processes producing a mirror image of the text data of the crawled web pages, with the exception of data excluded from indexing and archiving. It is of interest that some Member States seem to provide special horizontal exceptions regarding the liability of search engines analogous to the exception provided in ecommerce Directive 2000/31 for certain information society service providers. (70)

93.      However, with regard to the contents of cache, a decision not to comply with the exclusion codes (71) on a web page entails in my opinion control in the sense of the Directive over such personal data. The same applies in situations where the internet search engine service provider does not update a web page in its cache despite a request received from the website. [my emphasis]
So if Google would not respect robots.txt files or similar technical tools, it will qualify as a controller for its cached content [this however seems to apply to index as well, see para 99]. This is just another example of practice when courts adjust existing law to technical standards. Think of BGH's image search decision Vorschaubilder I., where concept of implied consent (similar to common law concept of bare license) was also constructed around robots.txt. The second case is also interesting. If Google would not update it's cache it won't qualify as a controller unless it receives the request from the website, where personal data originate from. I am wondering what kind of notice is meant here. Because if Google sticks to old cache and a source website removed the data in the meantime, it would mean that natural person have to force the source website to tell this to search engine as well. Interestingly enough, Working party Opinion said something slightly different in the context of cache:

The cache functionality is another way in which a search engine provider may go beyond its role as exclusive intermediary. The retention period of content in a cache should be limited to the time period necessary to address the problem of temporary inaccessibility to the website itself.

Any caching period of personal data contained in indexed websites beyond this necessity of technical availability, should be considered an independent republication. The Working Party holds the provider of such caching functionalities responsible for compliance with data protection laws, in their role as controllers of the personal data contained in the cached publications. In situations where the original publication is altered, for example to remove incorrect personal data, the controller of the cache should immediately comply with any requests to update the cached copy or temporarily block the cached copy until the website has been revisited by the search engine.

E –    The obligations of an internet search engine service provider as ‘controller’

94.      It is obvious that if and when the internet search engine service provider can be considered as ‘controller’ he must comply with the obligations provided by the Directive.

95.      As to the criteria relating making data processing legitimate in the absence of a data subject’s consent (Article 7(a) of the Directive), it seems obvious that provision of internet search engine services pursues as such legitimate interests (Article 7(f) of the Directive), namely (i) making information more easily accessible for internet users; (ii) rendering dissemination of the information uploaded on the internet more effective; and (iii) enabling various information society services supplied by the internet search engine service provider that are ancillary to the search engine, such as the provision of keyword advertising. These three purposes relate respectively to three fundamentals rights protected by the Charter, namely freedom of information and freedom of expression (both in Article 11) and freedom to conduct a business (Article 16). Hence, an internet search engine service provider pursues legitimate interests, within the meaning of Article 7(f) of the Directive, when he processes data made available on the internet, including personal data.

Article 7 - Member States shall provide that personal data may be processed only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

96.      As controller, an internet search engine service provider must respect the requirements laid down in Article 6 of the Directive. In particular, the personal data must be adequate, relevant, and not excessive in relation to the purposes for which they are collected, and up to date, but not out dated for the purposes for which they were collected. Moreover, the interests of the ‘controller’, or third parties in whose interest the processing in exercised, and those of the data subject, must be weighed.
So this applies only if Google is a controller, which is if it a) does not respect no-crawling exclusions or b) does not update it's cache upon request from the source website (see para 93).

97.      In the main proceedings, the data subject’s claim seeks to remove from Google’s index the indexing of his name and surnames with the URL addresses of the newspaper pages displaying the personal data he is seeking to suppress. Indeed, names of persons are used as search terms, and they are recorded as keywords in search engines’ indexes. Yet, usually a name does not as such suffice for direct identification of a natural person on the internet because globally there are several, even thousands or millions of persons with the same name or combination of a given name(s) and surname. (72) Nevertheless, I assume that in most cases combining a given name and surname as a search term enables the indirect identification of a natural person in the sense of Article 2(a) of the Directive as the search result in a search engine’s index reveals a limited set of links permitting the internet user to distinguish between persons with the same name.

98.      A search engine’s index attaches names and other identifiers used as a search term to one or several links to web pages. Inasmuch as the link is adequate in the sense that the data corresponding to the search term really appears or has appeared on the linked web pages, the index in my opinion complies with the criteria of adequacy, relevancy, proportionality, accuracy and completeness, set out in Articles 6(c) and 6(d) of the Directive. As to the temporal aspects referred to in Articles 6(d) and 6(e) (personal data being up to date and personal data not being stored longer than necessary), these issues should also be addressed from the point of view of the processing in question, that is provision of information location service, and not as an issue relating to the content of the source web pages. (73)

F –     Conclusion on the second group of questions

99.      On the basis of this reasoning, I take the view that a national data protection authority cannot require an internet search engine service provider to withdraw information from its index except for the cases where this service provider has not complied with the exclusion codes (74) or where a request emanating from the website regarding update of cache memory has not been complied with. This scenario does not seem pertinent for the present preliminary reference. A possible ‘notice and take down procedure’ (75) concerning links to source web pages with illegal or inappropriate contents is a matter of national law civil liability based on grounds other than the protection of personal data. (76)
In this paragraph the previous distinction between index and cache (see para 91-93) is removed for compliance with exclusion codes.

100. For these reasons I propose that the Court answers the second group of questions in the sense that under the circumstances specified in the preliminary reference an internet search engine service provider ‘processes’ personal data in the sense of Article 2(b) of the Directive. However, the service provider cannot be considered as ‘controller’ of the processing of such personal data in the sense of Article 2(d) of the Directive with the exception explained above. 
[..]
133. The particularly complex and difficult constellation of fundamental rights that this case presents prevents justification for reinforcing the data subjects’ legal position under the Directive, and imbuing it with a right to be forgotten. This would entail sacrificing pivotal rights such as freedom of expression and information. I would also discourage the Court from concluding that these conflicting interests could satisfactorily be balanced in individual cases on a case‑by‑case basis, with the judgment to be left to the internet search engine service provider. Such ‘notice and take down procedures’, if required by the Court, are likely either to lead to the automatic withdrawal of links to any objected contents or to an unmanageable number of requests handled by the most popular and important internet search engine service providers. (95) In this context it is necessary to recall that ‘notice and take down procedures’ that appear in the ecommerce Directive 2000/31 relate to unlawful content, but in the context of the case at hand we are faced with a request for suppressing legitimate and legal information that has entered the public sphere.
Do such requests really relate only to unlawful content? I am not sure. Same argument can be made about copyright or defamation notices.

134. In particular, internet search engine service providers should not be saddled with such an obligation. This would entail an interference with the freedom of expression of the publisher of the web page, who would not enjoy adequate legal protection in such a situation, any unregulated ‘notice and take down procedure’ being a private matter between the data subject and the search engine service provider. (96) It would amount to the censuring of his published content by a private party. (97) It is a completely different thing that the States have positive obligations to provide an effective remedy against the publisher infringing the right to private life, which in the context of internet would concern the publisher of the web page.
Again. I am wondering how is this different from the case when search engine is asked to take down links to a website that allegedly infringes upon copyright. Website operator does not have any say about his position in this case as well. No to mention all website blocking orders that I criticized for not properly respecting a right to a fair trial of targeted website operator (things seems to moved however, in the last website block FAPL v BSkyB and others where:

The operator(s) of the Target Website (as defined in the Schedule to this order) and the operators of any other website who claim to be affected by this Order, are to have permission to apply to vary or discharge this Order insofar as it affects such an applicant, any such application to be on notice to all the parties and to be supported by materials setting out and justifying the grounds of the application. Any such application shall clearly indicate the status of the applicant and indicate clearly (supported by evidence) that it is the operator of the website which is the subject of the application.)

135. As the Article 29 Working Party has observed, it is possible that the secondary liability of the search engine service providers under national law may lead to duties amounting to blocking access to third‑party websites with illegal contents such as web pages infringing IP rights, or displaying libellous or criminal information. (98)
To sum up. Google's is not a controller when it comes to it's search results or cache under regular circumstances, but might turn to controller if it a) does not respect no-crawling exclusions of third party websites or if it b) does not update it's cache upon request from the source website. Obligations of an intermediary to remove personal data in situations where it is not a controller depend on fragmented non-harmonized national secondary liability standards. On overall, AG's suggestions seems to be more favorable to Google than Opinion 1/2008 upon which he otherwise extensively relies. Let's see if CJEU follows this suggestions.

No comments: