Tag Archive: Google

EUROPE: The Applicability Of EU Data Protection Laws To Non-EU Businesses

By Carol Umhoefer (Carol.Umhoefer@dlapiper.com) and Caroline Chancé (Caroline.Chance@dlapiper.com).

This article first appeared in E-Commerce Law and Policy – volume 18 issue 03 (March 2016).

On 16 December 2015, the Article 29 Data Protection Working Party (“WP29”) updated their Opinion 8/2010[1] on applicable law in light of the landmark decision Costeja v. Google[2] rendered by the Court of Justice of the European Union (“ECJ”) on 13 May 2014.

In a context where local data protection authorities are increasingly scrutinizing cross-border data processing operations, companies worldwide need to identify whether and which EU data protection law(s) apply to processing of personal data taking place wholly or partially outside the EU.

Yet the extent of the territorial scope of the Directive has always raised many questions. In 2010, the WP29 concluded in their Opinion 8/2010 that Article 4(1)(a) of the Data Protection Directive 94/46/EC[3] (“Directive”), which provides that a Member State’s data protection law shall apply to data processing “carried out in the context of the activities of an establishment of the controller on the territory of the Member State“, suggests a very broad scope of application.

The exact extent of application remained rather unclear despite the WP29’s guidelines until four years later when the question of whether EU data protection laws should apply to a business based and processing personal data outside the EU came up before the ECJ in the so-called “right to be forgotten” case, Costeja v. Google. In its judgement, the ECJ held that Spanish law applied to the personal data processing performed by the search engine operated by Google Inc., a US-based controller, on the ground that it was “inextricably linked to“, and therefore was carried out “in the context of the activities of” Google Spain, whose advertising and commercial activities constituted the “means of rendering the search engine at issue economically profitable“.

The WP29 have recently updated their 2010 opinion to take into account Costeja. According to the WP29, the implications of the judgement are very broad and should certainly not be limited to the question of determining applicable law in relation to the operation of the Google search engine in Spain. And indeed, Costeja confirms the broad territorial application of Article 4(1)(a) of the Directive that was espoused by the WP29 in 2010. In this respect, the WP29 recall that the notion of establishment in itself must be interpreted broadly, in line with recital 19 of the Directive, which provides that the notion of “establishment (…) implies the effective and real exercise of activity through stable arrangements”[4], such as subsidiaries or branches for example. In Costeja, there was no doubt that Google Spain, the Google Inc. subsidiary responsible for promoting in Spain the sale of advertising space generated on the website google.com, fell under that definition. However, it was disputed whether the data processing in question, carried out exclusively by Google Inc. by operation of Google Search without any intervention on the part of Google Spain, was nevertheless carried out “in the context of the activities of” Google Spain.

The ECJ then introduced a new criterion: the “inextricable link” between the activities of a local establishment and the data processing activities of a non-EU data controller. As underlined by the WP29, the key point is that even if the local establishment is not involved in any direct way in the data processing, the activities of that establishment might still trigger the application of EU data protection laws to the non-EU controller, provided there is an “inextricable link” between the two.

What this “inextricable link” might be raises many questions. The WP29, while insisting on the importance of conducting a case-by-case analysis, consider that, depending on the role played by local establishments, non-EU companies offering free services within the EU, which are then financed by making use of the personal data collected from users, could also be subject to EU data protection laws. The same reasoning would apply, for example, to non-EU companies providing services in exchange for membership fees or subscriptions, where individuals may only access the services by subscribing and providing their personal data to the EU establishments.

The WP29 are careful to say that being part of a same group of companies is not in itself sufficient to establish the existence of an “inextricable link“, and that additional factors are necessary, such as promotion and sale of advertising space or revenue-raising, irrespective of whether such proceeds are used to fund the data processing operations in the EU. But because the examples provided by the WP29 are almost solely based on revenue flow as the source of the “inextricable link“, it is difficult to conceive of what type of multinational will not have such an “inextricable link” between the activities of a subsidiary (let alone a branch) in the EU and a parent company outside the EU.  The long arm of the Directive is in effect stretched even further.

Will this criterion still be relevant when the General Data Protection Regulation[5] (“GDPR”) applies, likely by July 2018? Certainly, insofar as article 3(1) provides that the GDPR applies “to the processing of personal data in the context of the activities of an establishment of a controller… in the Union“. But the GDPR goes much farther: not only does it consecrate Costeja by specifying that the GDPR applies “regardless of whether the processing takes place in the Union”, it also applies to processing in the context of the activities of an establishment of a processor in the EU, even if the processing occurs outside the EU. Moreover, relying more explicitly on the “effect principle”, article 3(2) of the GDPR further extends the territorial scope of EU data protection law to any data controller based outside the EU that either: (i) offers goods or services to EU residents; or (ii) monitors the behaviour of EU residents.

Another important aspect the WP29 infer from the Costeja decision concerns the applicable law where a business has multiple establishments in the EU, with a designated “EU headquarters”, and this establishment alone carries out the functions of a data controller in relation with the processing operations in question. The WP29 note that, although the Court did not directly address this question, neither did it distinguish its ruling according to whether or not there is an EU establishment acting as a data controller or being otherwise involved in the processing activities.  For the WP29, this means that where there is an “inextricable link“, several national laws may apply to the activities of a business having several establishments in different Member States, regardless of whether one of them qualifies as data controller in respect of the processing in question. This position goes beyond the plain meaning of article 4(a) of the Directive, which provides that “when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable”.[6]

In conclusion, although the WP29’s recent update provides some useful illustrations to help businesses determine whether they should comply with EU data protection law, it does not clarify its exact scope. In particular, WP29’s analysis mostly focuses on websites where data subjects have a connection with one EU establishment, leaving aside other scenarios, such as when data subjects have absolutely no connection with any EU establishment. And the question of how companies are to deal with conflicts of laws remains unanswered. The discussions over these questions promise to be challenging, even more so now with the prospect of the application of the GDPR.

For further information, please contact Carol.Umhoefer@dlapiper.com or Caroline.Chance@dlapiper.com.

[1] WP29, Opinion 8/2010 on applicable law, December 16, 2010

[2] Case C-121/12, Google Spain and Google Inc. v. Agencia Espanola de Protección de Datos (AEPD) and Mario Costeja Gonzalez, May 13, 2014

[3] Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

[4] Recital 19 of the Directive

[5] COM/2010/2011 final, Proposal for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data

[6] The recitals of the Directive are admittedly puzzling. Recital (18) states that any processing of personal data in the Community must be carried out in accordance with the law of one of the Member States and processing carried out under the responsibility of a controller who is established in a Member State should be governed by the law of that State. But recital (19) provides that if a single controller is established on the territory of several Member States, particularly by means of subsidiaries, he must ensure that each of the establishments fulfils the obligations imposed by the national law applicable to its activities – thereby vitiating the entire concept of separate legal personality, and failing to denote whether those subsidiaries are to be considered controllers or processors.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-the-applicability-of-eu-data-protection-laws-to-non-eu-businesses/

FRANCE: The CNIL Fines Google €100,000 Over Right To Be Forgotten

The French data protection authority (the “CNIL”) will not settle for a compromise, or so says its recent decision to fine Google Inc. €100,000 for failing to properly implement the so-called “right to be forgotten”.

By Carol Umhoefer (Carol.Umhoefer@dlapiper.com) and Caroline Chancé (Caroline.Chance@dlapiper.com).

Earlier this month, Google announced it was adapting its approach to the right to be forgotten following discussions between the Mountain View, California firm and EU data protection authorities, in particular the CNIL, which in May 2015 issued a cease and desist order against Google Inc. (see previous post here) and rejected its appeal in September 2015 (see previous post here).

Despite reports that some EU data protection authorities saw this as a potentially acceptable solution, on March 10, 2016, the French regulator ordered Google Inc. to pay a €100,000 fine for violation of individuals’ right to object to the processing of their personal data and the right to delete their personal data, in light of the landmark decision of the Court of Justice of the European Union (“ECJ”) in Costeja v. Google[1].

For the CNIL, in order to be compliant with French law, Google Inc. must delist links from all Google Search extensions globally, and unconditionally. Google Inc. argued that this extraterritorial reach of the right to be forgotten is likely to raise conflict of laws issues and impair other States’ sovereignty (see previous post here). In particular, Google expressed concerns that a global delisting would disproportionately undermine the freedom of expression and information. But the CNIL countered that the purpose of its decision is to ensure “effective and complete protection of data subjects“, as required by the ECJ.

A Google spokesman has already confirmed they will appeal the CNIL’s decision[2].

If the CNIL’s decision becomes definitive, Google will have to further adapt its approach to the right to be forgotten or face up to €300,000 in additional administrative fines.

For further information, please contact Carol.Umhoefer@dlapiper.com or Caroline.Chance@dlapiper.com.

[1] Case C-131/12, Google Spain and Google Inc. v. Agencia Espanola de Protección de Datos (AEPD) and Mario Costeja Gonzalez, May 13, 2014

[2] “France fines Google over ‘right to be forgotten’”, Julia Fioretti, Reuters, March 24, 2016 (http://www.reuters.com/article/us-google-france-privacy-idUSKCN0WQ1WX)

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/france-the-cnil-fines-google-e100000-over-right-to-be-forgotten/

RIGHT TO BE FORGOTTEN: Google Adapts Its Approach To The EU Right To Be Forgotten

Will the arm wrestling between Google and the EU data protection authorities regarding the implementation of the so-called “right to be forgotten” come to an end?  Almost a year after the CNIL issued a cease and desist against Google, the search engine announced it will expand the right to be forgotten to all Google domains, based on geolocation, starting this week.

By Carol Umhoefer (Carol.Umhoefer@dlapiper.com) & Caroline Chancé (Caroline.Chance@dlapiper.com).

On March 4, 2016, Google announced that it will use geolocation signals (like IP addresses) to restrict access to delisted URLs on all Google search engine domains, including google.com, when accessed from the country of the person requesting the removal. This new approach will be applied prospectively but also “retrospectively”, to all previous delistings by Google under the ECJ’s decision in Costeja v. Google[1].

What does this change? Until now, Google delisted search results from all EU versions of the Google search engine, such as google.fr, google.co.uk or google.de, as well as from the Andorra, Icelandic, Liechtenstein, Norwegian and Swiss extensions, regardless of the country of origin of the request. This meant that delisted results were no longer accessible to Internet users using those extensions, but were still available on other versions of Google, such as google.com, google.ca or google.co.jp.

The EU data protection authorities did not consider Google’s approach to be compliant. In the view of the French data protection authority, the CNIL, the various geographic extensions are simple means of access to processing. Therefore, if a search engine agrees to delist a result, it must do it on all the extensions. The CNIL’s reasoning is that to do otherwise deprives the right to be forgotten of its effectiveness. In fact, the CNIL issued a cease and desist to Google, Inc. in May 2015, ordering it to de-index the entirety of Google’s indexing services and thus all extensions of the search engine.  Google appealed to no avail (see previous posts here and here).

Google has now proposed, in addition to its existing practice, to delist results from all extensions, but only for persons searching in the specific country where the delisting request was made. This means that users in other EU countries will still be able to find those results and the search engine will still be processing the data of the person requesting the delisting, even though the negative consequences will obviously be mitigated as people in the same country won’t have access to the delisted links, whatever extension they use.

Will this new approach satisfy the EU data protection authorities? The CNIL has not yet issued its position. Nevertheless, filtering may be an acceptable (or possibly interim) compromise, particularly if applied to the entire EU, as opposed to limiting it to the country where the request was made. People in other EU countries presumably have a lesser interest in finding information regarding the person who made the delisting request. Moreover, if results are completely delisted in the country where the request was made, completely delisting in the EU should not be a problem, either technically or legally. As for the rest of the world, the right to be forgotten could still conflict with other jurisdictions’ laws.

It will therefore be interesting to see whether EU regulators will insist that links be completely delisted for anyone worldwide, as the CNIL first requested in its formal notice, essentially putting search engines in a situation where they would certainly be exposed to financial sanctions in the EU or violate other jurisdictions’ freedom of speech principles  (see previous post here).

In any case, the right to be forgotten will not be forgotten, and in fact has been taken up outside the EU. For example, it has been reported[2] that a Japanese court recently ordered Google to delete from its search engine news reports of a Japanese man convicted of a sex offense involving minors who invoked his right to be forgotten.

For further information, please contact Carol.Umhoefer@dlapiper.com or Caroline.Chance@dlapiper.com.

[1] Case C-121/12, Google Spain and Google Inc. v. Agencia Espanola de Protección de Datos (AEPD) and Mario Costeja Gonzalez, May 13, 2014
[2] Justin McCurry, “Japan recognises ‘right to be forgotten’ of man convicted of child sex offences”, The Guardian, March 1, 2016 (http://www.theguardian.com/technology/2016/mar/01/japan-recognises-right-to-be-forgotten-of-man-convicted-of-child-sex-offences)

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/right-to-be-forgotten-google-adapts-its-approach-to-the-eu-right-to-be-forgotten/

Europe’s Right to be forgotten: update on implementation guidelines

By Patrick Van Eecke and Mathieu Le Boudec

Last week we wrote that the Article 29 Working Party (“Working Party 29”) has adopted guidelines relating to the implementation of the European Court of Justice’s Google ruling on the right to be forgotten. Click here for a previous blog post on this ruling.

These guidelines have now been published and can be consulted here.

The guidelines are important for several reasons. Not only do they clarify the scope of the ruling but they also introduce a harmonized approach by the different national Data Protection Authorities of the EU member states (“DPAs”) when handling de-listing requests. It has been an issue in Europe before that DPAs have divergent approaches to similar problems. With these guidelines, the DPAs will at least all follow the same criteria when handling a complaint.

In its Google ruling, the European Court of Justice held that individuals can request search engines, under certain conditions, to de-list certain links from the results for searches based on their names. Where a search engine refuses such a request, the data subject can file a complaint with the DPAs. Based on the complaints they received during the past six months, the DPAs have drafted a non-exhaustive list with thirteen common criteria which can be used as “a flexible working tool” when evaluating such complaints.

Generally more than one criterion will need to be taken into account when taking such decisions and each criterion has to be applied in the light of the principles established by the Court of Justice and in particular in the light of “the interest of the general public in having access to [the] information”. Even though they are directed towards the DPAs, these criteria will also be very useful for search engines when handling de-listing requests.

Below we give a quick overview of these criteria.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europes-right-to-be-forgotten-update-on-implementation-guidelines/

ITALY: Right to be forgotten and the Google Advisory Council in Rome: main takeaways.

As you all remember, last May the European Court of Justice ruled that Google must allow the de-indexing of web pages containing personal data, further to a lawful enforcement by the relevant data subjects of their right to be forgotten.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/right-to-be-forgotten-and-the-google-advisory-council-in-rome-main-takeaways/

EU: Update on Google’s Right to be forgotten

By Patrick Van Eecke and Anthony Cornette

In an earlier blog post, Patrick Van Eecke and Anthony Cornette discussed the impact of the ECJ Case C-131/12. The authors now provide some further insight on the latest developments relating to the ECJ case on the ‘Right to be Forgotten’.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/eu-update-on-googles-right-to-be-forgotten/

ITALY: Cookies Update – Main takeaways from the Cybersecurity Course

Whilst we are waiting for the publication of the results of the public consultation on cookies carried out by the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”), here are some thoughts on cookies, as discussed during our latest presentation within the Cybersecurity and Data Protection Course at the University of Milan:

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/italy-cookies-update-main-takeaways-from-the-cybersecurity-course/

The EUCJ has ruled in favour of the “right to be forgotten” in Google’s case

By Bartolome Martin and Diego Ramos

The decision of the Court of Justice of the European Union (EUCJ) in Case C-131/12 was made public yesterday, Tuesday, May 13th. It answers the questions submitted by the Spanish High Court (Audiencia Nacional) in the proceedings involving Google Spain, SL, Google Inc., the Spanish Data Protection Commissioner and a Spanish citizen.

The decision is particularly striking as it departs from the criteria proposed by the General Attorney (Mr. Niilo Jääskinen) in his Conclusions of 25 June 2013 on the right to apply for the de-indexation of certain content. In contrast with the General Attorney's position that data subjects cannot exercise their cancellation rights against Internet search engine service providers, the EUCJ has confirmed that they are allowed to request the de-indexation of content. The EUCJ holds that, in general, the data subject’s interest must prevail over both the economic interest of the Internet search engine service provider and the interest of third parties (the general public) in finding specific information in connection with a given search about the data subject.

The EUCJ accepts, however, that the cancellation/blocking request made by the data subject can be rejected when, for specific reasons (such as the data subject holding a public post), the interference with the fundamental rights concerned is justified by the overriding interest of third parties in having access, as a result of this indexation, to information on the data subject. It further clarifies that the enforceability of this right does not require that indexation of the information cause damage to the data subject.

With the above in mind, it is in principle possible to exercise the so-called “right to be forgotten” against Internet search engine service providers, which will be obliged to process such requests in all cases; cancellation or blocking of data may be rejected only exceptionally, when third parties (the public) are deemed to have a major interest in finding this information by searching on the data subject.

Regarding the rest of the questions raised within the proceedings brought by the Spanish Audiencia Nacional, the ruling backs the General Attorney and states:

  • The activity of Internet search engine services providers should be considered a “data processing”, as defined in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with respect to the processing of their personal data and the free movement of such data (the Directive).
  • Internet search engine services providers should be considered “data controllers”, as defined in the Directive, as they decide on the purposes and means for the processing.
  • A subsidiary in a Member State of an entity not located in a Member State that is performing an activity closely connected to the activity of the parent company (e.g. to advertise and promote the sale of advertising spaces associated with the search patterns of Google Search users) should be considered as an establishment in said Member State acting “in the framework of the activities” of the Controller (reference contained in Article 4 of the Directive that cannot be interpreted restrictively), and therefore the Member State data protection regulations shall be applicable.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-eucj-has-ruled-in-favour-of-the-right-to-be-forgotten-in-googles-case/