The scope of the applicability of data protection regulation in Europe is getting ever wider. In its ruling on 13 May 2014, the Court of Justice of the European Union (CJEU) ruled that individuals have the right to, under certain conditions, request the removal of a link from a search results list, which links to a web page containing personal information on the person. The obligation may also exist in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even when its publication in itself on those pages is lawful.
While the ruling mainly addressed search engine operators, in this case Google, the CJEU did, however, address and clarify some important data protection concepts, which are applicable to all businesses and therefore important to highlight;
- With regard the importance of planning the processing of personal data and the “life-cycle” way of approaching personal data, the CJEU observed that even initially lawful processing of accurate data may, in the course of time, become unlawful where the data is inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed.
- Despite the fact that Google’s search engine operations also cover data, which is not personal in nature, the CJEU found that the search operations constituted processing of personal data, regardless of the fact that the operator of the search engine carried out the operations without distinction in respect of information other than the personal data. Further, the CJEU clarified that also material that has been published in the media is subject to data protection regulation. It follows, because of the complex nature of personal data, that it is crucial for businesses to constantly analyse and assess, whether the data they process is personal data and whether such processing is compliant with the regulation.
- The important European data protection concepts of “processing in the context of the activities” and “data controller” were clarified in the ruling. The criteria set out for “carried out in the context of the activities” is crucial when determining whether an entity is a data controller under national data protection laws in Europe. The CJEU held that when the operator of a search engine sets up in a Member State a branch or subsidiary, which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State, processing of personal data is carried out in the context of the activities of that branch or subsidiary. This means that businesses must be aware of the possibility that entities (e.g. their subsidiaries or branches) located in the EU, which merely, for example, market the main business, may constitute the applicability of local European data protection laws to data processing of the main business as a whole.
The ruling shows how strong the objective of protecting the fundamental rights and freedoms of natural persons, in particular the right to privacy, is in the EU, and how businesses should constantly monitor and asses their processing of personal data and compliance with the data protection regulation, which in the digital age stretches further than many might expect.