Is Google a Data Controller?

What am I?

It would be very difficult – and to some extent odd – to start a blog with the intention to express my viewpoints on privacy issues, and related matters, without mentioning the already thoroughly commented ruling, better known as the “right to be forgotten” decision, where the  European Court of Justice (ECJ) concluded that, in order to comply with the rights laid down in Directive 95/46:

the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.

It might not come as a surprise – after all, I just created a blog – but I have as well some comments that I would like to share in this (still) freedom of expression ever growing and globalized, yet interconnected, technological world.

However, I do not intend, at least today, to reflect on how the ‘right to be forgotten’ may or may not work in practice.

Instead, I would like to refer to a recent speech of  Martine Reicherts, who stated that internet search engine service providers, such as Google, have a big responsibility in ensuring that personal data is being handled properly.

And it is precisely this new notion of ‘responsibility’ regarding search engines services providers that I consider disturbing. After all, until very recently, the internet search engine service providers liability for the third-party content they transfer and/or store has always been quite restricted. I therefore have some doubts and concerns about this sudden and innovative understanding of the responsibility of internet search engine service providers as data ‘controllers’.

One should not forget that the role and legal position of internet search engine service providers has not been expressly regulated in EU legislation.
Their activity consists in locating information made available on the internet by third parties, indexing it automatically, storing it temporarily and finally, making it accessible to internet users according to a particular order of preference.

In this context, we agree with the understanding stated by the ECJ according to which an internet search engine provider processes personal data (if that data relate to an identified or at least identifiable subject) as foreseen in Directive 95/46, regardless of the fact that it also carries out the same operations in respect of other types of information and does not distinguish between the latter and the personal data.

However, in this same context, the internet search engine service provider cannot be automatically considered as ‘controller’ of the processing of such personal data!

A controller is, according to the aforementioned Directive:

the natural or legal person […] which alone or jointly with others determines the purposes and means of the processing of personal data.

A special reference to the processing of personal data by information society services that act as selection intermediaries is absent from the Data Protection Directive.

In this particular case, based on complete automated search algorithms which filters data and delivers results based on relevance and popularity, Google is not aware nor exercises any control over the data included in the publisher’s webpage. In this particular context, Google was not able to distinguish between personal data and other data. Moreover, it is not able to change the content in the host servers.

It is therefore evident that Google acted act as a data processor, i.e., an information society intermediary between content providers and internet users, only storing information and supplying an information location tool.

As stated by the Article 29 Data Protection Working Party:

[t]he principle of proportionality requires that to the extent that a search engine provider acts purely as an intermediary, it should not be considered to be the principal controller with regard to the content related processing of personal data that is taking place. In this case the principal controllers of personal data are the information providers.

I thus strongly support the view expressed by the Advocate General in his Opinion on this case.

Surprisingly, the ruling point out in the opposite direction, and Google was regarded as responsible, under data protection law, for the results which it returned. The fact that the processing of data is conducted entirely by complex algorithms, without any of its control, was absolutely disregarded by the ECJ.

Instead, the ECJ stated that search engines have a separate responsibility from publishers, consisting in loading those data on an internet page, to which is additional. Indeed, according to the ruling, search engines shall be liable to make accessible outdated information because it still is available in a publisher’s website:

that activity of search engines plays a decisive role in the overall dissemination of those data in that it renders the latter accessible to any internet user making a search on the basis of the data subject’s name, including to internet users who otherwise would not have found the web page on which those data are published.

This is just too far-fetched…