Clash between different chambers of the Spanish Supreme Court on the right to be forgotten.
The right to be forgotten – which can be best described as a right to be delisted – was recognized by the CJEU on the assumption that the search engine operator, Google Inc., is a data controller of the personal data included in the search results.
However, is also the local subsidiary of Google Inc., Google Spain SL, a data controller? The answer to this question is by no means irrelevant. After the 2014 CJEU judgment, the Audiencia Nacional (AN)—the court that made the reference for a preliminary judgment—handed down 60+ rulings upholding DPA delisting orders that had been appealed before it. All of them, with the only exception of the Costeja case itself, were directed exclusively against Google Spain SL, not against Google Inc. Now, if Google Spain SL is not a data controller, all those rulings, along with the original DPA decisions they affirm, could be declared void by the Supreme Court for lack of standing of the defendant.
And that’s exactly what happened last month. The 60+ AN rulings had been appealed by Google Spain SL before the Supreme Court claiming lack of standing. And the Supreme Court agreed, handing down five rulings holding that Google Spain SL is not a controller and declaring the DPA decisions null and void. Similar rulings in the remaining cases are expected to follow soon.
(It must be noted that this refers to old decisions of the DPA. Since August 2014, the DPA no longer directs its decisions against Google Spain, but against the Google Inc., and thus no problem of lack of standing should appear).
That came as a big surprise for many. But the news didn’t end there. There was another RTBF ruling appealed by Google Spain SL before the Supreme Court. Unlike all the others, this one was not an appeal against a decision issued by the DPA and further upheld by the AN. Rather it was an appeal against a ruling issued by the Barcelona Court of Appeals in a civil lawsuit sentencing Google Spain SL to pay 8,000 Euros in moral damages for failing to delist a link.
There is a crucial difference. The DPA is an administrative body, and thus the appeals against its decisions are ultimately decided by the Administrative Chamber of the Supreme Court (Third Chamber), whereas appeals in civil lawsuits correspond the Civil Chamber of the Supreme Court (First Chamber).
Only a few days after the Administrative Chamber of the Supreme Court issued the said five rulings, the Civil Chamber ruled on the civil appeal. In essence, the ruling held that Google Spain is in fact a controller, no matter what the other Chamber may say. The case was decided by the Civil Chamber in full, which attaches more relevance to the judgment.
So now we have the following puzzle regarding the local subsidiary: the DPA can’t order Google Spain SL to delist a link – such a decision would be immediately voided on appeal. However, if a data subject requests Google Spain SL to delist a link and this company rejects the request, that individual might bring a civil action for damages against Google Spain SL and this company could not claim lack of standing.
How could the two Chambers of the Supreme Court come to such a diverging conclusion?
Under the Data Protection Directive, a controller is “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.” The Administrative Chamber of the Supreme Court noted that being a controller thus hinges on the actual intervention in the determination of purposes and means of the processing. The processing at issue, as described by the CJEU [¶ 28], consisted of a number of activities carried out by the operator of a search engine “in exploring the internet automatically, constantly and systematically in search of the information which is published there”, namely “the operator of a search engine ‘collects’ such data which it subsequently ‘retrieves’, ‘records’ and ‘organises’ within the framework of its indexing programmes, ‘stores’ on its servers and, as the case may be, ‘discloses’ and ‘makes available’ to its users in the form of lists of search results.” The operator of the search engine, who carries out those activities, is Google Inc., and the AN remarked that “it has not been established that Google Spain carries out in Spain an activity directly linked to the indexing or storage of information or data contained on third parties’ websites.” [¶ 46]
The Administrative Chamber of the SC held that for Google Spain SL to be considered a joint controller, it must participate in the determination of the means and purposes of the processing, and this was not demonstrated in any way in the procedure. In addition, it stressed that the CJEU clearly assumed that the processing was carried out only by Google Inc. The CJEU conclusion the activities of both entities were ‘inextricably linked’ was only to the effect of finding that Google Inc.’s processing was carried out ‘in the context of the activities’ of Google Spain SL., which entails that the Data Protection Directive is applicable to Google Inc. All the discussion about the territorial application would have been unnecessary if Google Spain would have been considered a controller of processing carried out by the search engine.
On the other hand, the Civil Chamber did not directly discuss the arguments of the Administrative Chamber—it simple noted that their decisions are not binding for the Civil Chamber. The Civil Chamber holds that the CJEU supports the finding that Google Spain is also a controller. It admits that the CJEU did not seek to determine whether this company was a controller. However, the Civil Chamber believes that the CJEU ruling provides elements enough to come to this conclusion, as that ruling (i) refers to the broad definition of the concept of controller in the Directive; (ii) finds that the operation of the search engine by Google Inc. is inextricably linked with Google Spain’s marketing activities; and (iii) holds Google Inc.’s processing is carried out ‘in the context of the activities’ of Google Spain SL. According to the SC Civil Chamber:
“Google Spain may also be considered, in a broad sense, controller of the processing carried out by the search engine Google Search in its Spanish version (www.google.es), jointly with its parent company Google Inc.”.
It added that holding otherwise would frustrate in practice the aim of “ensuring effective and complete protection” of the rights to privacy and data protection sought by the Directive and the EU Charter of Fundamental Rights, as data subjects would need to litigate with a company located in the US, which might entail huge costs. The Civil Chamber argues that it would be inconsistent to give the Directive a very broad territorial scope and then frustrate in practice this protection by obliging the data subject to litigate against a company located in the US, with the costs and delays attached to this.
Of course, though, this does not seem comport with the practice experience in Europe, where Google Inc is delisting results by the thousands. Further, one may wonder what the situation would be should Google Inc. decide to dispense with its local subsidiary and simply work with a local establishment without legal personality.
Whatever you may think about considering the local subsidiary a controller, this radical disparity of conclusions within the Supreme Court looks far from desirable.