December wrap-up of data protection cases (Google, Österreichische Datenschutzbehörde and Pankki S)

The end of the month (and the end of the year as well) is a good moment for summaries. This time we are taking a closer look at events in the area of data protection law. December was a month with a couple of interesting events, so here is a brief recap. 

Dereferencing allegedly inaccurate content (C-460/20 Google)

The case concerned two executives of a group of investment companies (a board member and a proxy) who asked Google to remove search results linking their names to certain articles criticising the group's investment model. They exercised the so-called right to be forgotten, guaranteed under Article 17(1) of the GDPR, claiming that the information presented contained false claims and defamatory opinions. They also wanted Google to remove their thumbnail images from the search results. Google rejected these requests, arguing that it does not know whether the information contained in the articles is true or not.

In cases involving the erasure of data from a search engine operator's search results, two rights usually collide: the public's right of access to information (especially about persons holding public positions) and the individual's right to protection of his or her personal data, including the right to erasure, protection of his or her good name, image, etc. The same problems were considered in this case, as we wrote about when reporting on the AG's opinion issued in the proceedings. In the ruling of 8th December 2022 the Court held that the person requesting the deletion of data is obliged to show that the information is manifestly inaccurate. "However, in order to avoid imposing on that person an excessive burden which is liable to undermine the practical effect of the right to de-referencing, that person has to provide only evidence that, in the light of the circumstances of the particular case, can reasonably be required of him or her to try to find in order to establish that manifest inaccuracy" (para. 68). It means that such a person cannot be required to present a judicial decision made against the publisher of the website in question, even in the form of a decision given in interim proceedings, since it would be an unreasonable burden imposed on such a person. At the same time "the operator of the search engine concerned cannot be required to investigate the facts and, to that end, to organise an adversarial debate with the content provider seeking to obtain missing information concerning the accuracy of the referenced content" (para. 71). Therefore, if the person who made a request for de-referencing submits relevant and sufficient evidence showing the manifest inaccuracy of the information found in the referenced content, the operator of the search engine is required to accede to that request for de-referencing. But an operator should not grant a request if the inaccurate character of the information is not obvious in the light of the evidence presented (para. 72&73). 

As regards the thumbnails the Court concluded that "a separate weighing-up of competing rights and interests is required depending on whether the case concerns, on the one hand, articles containing photographs which are published on an internet page and which, when placed into their original context, illustrate the information provided in those articles and the opinions expressed in them, or, on the other hand, photographs displayed in the list of results in the form of thumbnails by the operator of a search engine outside the context in which they were published on the original internet page" (para. 101). The Court also stated that the informative value of those images should be taken into account independently of the context of their publication on the website from which they originate, nevertheless taking into account all the content that directly accompanies the display of those images in the search results and that can explain the informative value of those images (para. 108).

The concept of a "copy of personal data" under the Article 15(3) of the GDPR. AG Pitruzzella opinion on Österreichische Datenschutzbehörde case (C‑487/21)

The dispute arose over the interpretation of Article 15(3) of the GDPR, which provides that a data subject, as part of the right of access to one's personal data, may obtain a copy of that data. The complainant requested an exact copy of the data processed by the controller, including full copies of documents containing his personal data. However, the controller provided only some of the requested information as an aggregate that reproduced the stored personal data of the data subject in a table broken down by name, date of birth, street, postal code, and place, and in a statement summarising corporate functions and powers of representation. As part of the proceedings, the national court decided to refer several questions concerning the interpretation of Article 15(3) of the GDPR to the Court. 

On 15 December 2022, the AG delivered an opinion stating that the concept of “copy” referred to in Article 15(3) of the GDPR must be understood as "a faithful reproduction in intelligible form of the personal data requested by the data subject, in material and permanent form, that enables the data subject effectively to exercise his or her right of access to his or her personal data in full knowledge of all his or her personal data that undergo processing – including any further data that might be generated as a result of the processing, if those also undergo processing – in order to be able to verify their accuracy and to enable him or her to satisfy himself or herself as to the fairness and lawfulness of the processing so as to be able, where appropriate, to exercise further rights conferred on him or her by the GDPR". The AG underlined that this provision does not, in principle, entitle the data subject to obtain a full copy of documents containing the personal data, but, at the same time, does not exclude the need to provide that person with extracts from documents, whole documents or extracts from databases if that is necessary to ensure that the personal data undergoing processing are fully intelligible.

Right to know the identity of the persons who had access to one's personal data. AG Campos Sánchez-Bordona on Pankki S case (C-579/21)

The third case also concerned the right of access to personal data, but from a different perspective. Data subject wanted to know who exactly (among the employees of the financial institution) had access to his personal data at the time when he was a customer of that institution and an employee thereof. The controller refused to provide names of the employees arguing that Article 15 of the GDPR does not apply to log data of the institution's data processing system and that the information requested does not relate to personal data of the data subject, but to the personal data of the employees. 

The AG approved the controller's view and stated that Article 15(1) of the GDPR "does not give the data subject the right to know, from among the information available to the controller (where applicable, through records or log data), the identity of the employee or employees who, under the authority and on the instructions of the controller, have consulted his or her personal data". In justifying his opinion, he pointed out that "the identity of individual employees who have handled the processing of customer data is particularly sensitive information from a security point of view, at least in certain economic sectors" (para. 76). Disclosure of employees' data could expose them to attempts by customers of the banking institution to exert pressure and influence. Nevertheless, the AG noted that if a data subject has reasonable doubts about the integrity or impartiality of an individual who has participated on behalf of the controller in the processing of his or her data, this could justify the interest of that customer in knowing the identity of the employee in order to exercise the customer's right to take an action against that employee (para. 78; nb. in the relevant case the data subject made his request, in particular, in order to clarify the reasons for his dismissal).

No one-size-fits-all approach to search engine de-referencing - CJEU in Google

Earlier this year we reported on the two opinions of Advocate General Szpunar concerning several aspects of the right to be forgotten: 1) the role of search engine operators in relation to sensitive data; 2) the nature of the respective obligation to respond to de-referencing requests; and 3) territorial reach of required de-referencing measures.

Today the Court of Justice delivered judgments in both cases. Importantly, despite the fact that the questions were referred from the point of view of Directive 95/46, the Court also took General Data Protection Regulation 2016/679 into account (by which Directive was replaced in the meantime), in order to ensure "that its answers will in any event be of use to the referring court".

Source: Pixabay

The direction of both judgments generally remains in line with the interpretation proposed in both opinions. In case C-136/17, the Court confirmed that restrictions on the processing of certain categories of sensitive data apply also to operators of search engines. Like in AG's opinion, that prohibition was nonetheless read in the context of responsibilities, powers and capabilities of search engine operators. Restrictions on the processing of sensitive data thus concern the stage of ex post verification triggered by a request from the data subject. The judgment further lays down which steps a search engine operator must take when assessing the notification (and these are far from trivial).

Judgment in case C-507/17 concerned the territorial scope of de-referencing measures which a search engine operator must take. The Court referred to the objective of ensuring a high level of protection of personal data in the EU, pursued by both Directive 95/46 and Regulation 2016/679. It further admitted that a de-referencing carried out on all the versions of a search engine would meet that objective in full and argued that the EU legislature enjoys competence to lay down such an obligation (para. 58). That being said, the Court considered that the EU lawmakers have not done so, thus far. In consequence, for the time being, EU data protection law does not require search engine operators to carry out a de-referencing on all world-wide versions of a search engine. Importantly, however, the Court also did not exclude a possibility for a supervisory or judicial authority of a Member State to weigh up, in the light of national standards of protection of fundamental rights, a data subject’s right to privacy and the protection of personal data concerning him or her, on the one hand, and the right to freedom of information, on the other, and, where appropriate, to order such de-referencing (para. 72).

As regards the EU, the Court began by observing that, in principle, de-referencing is to be carried out in respect of all Member States (para. 66) and, if necessary, the search engine operator should be obliged to take sufficiently effective measures to ensure the effective protection of the data subject’s fundamental rights. Measures of this kind should have the effect of preventing or, at the very least, seriously discouraging internet users in the Member States from gaining access to the links in question while searching on the basis of that data subject’s name (para. 70). The Court left the question open whether automatic redirecting to a different national version of the search engine's website constitutes such a measure. It would seem that such blocking or redirection would then fall under the exception to customers' right of access to online interfaces, set out in Article 3(3) of Regulation 2018/302 on geo-blocking. 

At the same time, however, the Court accepted that the interest of the public in accessing information may, even within the Union, vary from one Member State to another, meaning that results of the balancing exercise are not necessarily the same for all the Member States. The Court thus emphasized the role of cooperation between supervisory authorities in the Member States as an adequate framework for reconciling the conflicting rights and freedoms. It is through this framework, therefore, that a de-referencing decision, covering all searches conducted from the territory of the Union on the basis of a data subject’s name, should be adopted (para. 69).

Two opinions of AG Szpunar on the right to be forgotten

Last week also brought new developments regarding the interpretation of the right to be forgotten - a widely discussed right of data subjects developed by the Court of Justice in its earlier jurisprudence (see our 2014 post Google as data controller...). More specifically, Advocate-General Szpunar delivered his opinions in the two pending cases: C-136/17 G.C. and Others v CNIL and C-507/17 Google v CNIL. Just like Google Spain, both cases relate to Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (and not yet the General Data Protection Regulation). Both are also concerned with the scope of search engine operators' obligation to respond to de-referencing requests by data subjects. 

Background of the cases

Both references of the French Conseil d’État pertained to disputed decisions of the national data protection authority (Commission for Information Technology and Civil Liberties, CNIL). The setting of each case was nevertheless quite different. In C-136/17 the CNIL refused to take measures against Google for failing to de-reference various links from search results and the affected data subjects complained about inaction. In C-507/17, by contrast, the search engine provider contested the sanctions imposed by the authority.

AG's opinions

The opinions presented last Thursday by the Advocate-General Szpunar shed light on several important aspects of the right to be forgotten: 1) the role of search engine operators in relation to sensitive data, 2) the nature of the respective obligation to respond to de-referencing requests, and 3) territorial reach of required de-referencing measures.

Processing sensitive data by search engine operators

As readers may recall, one of the controversial elements of the 2014 Google Spain judgment was the qualification of search engine operators as data controllers. This implied that the processing of personal data in the course of relevant activities needed to be authorized under one of the legal bases set out in the Directive. While the broader implications of this finding may not have been immediately apparent in the case of non-sensitive data, the picture became more complex as soon as special categories of data (e.g. about religious or philosophical beliefs) came into play. One of the questions asked in G.C. and Others was thus whether the prohibition of processing data falling within certain specific categories also applied to search engine operators.

The Advocate-General sought a balanced solution. He essentially replied in the affirmative, but observed that specific responsibilities, powers and capabilities of search engine operators should be taken into account as part of the interpretation. In particular, it was recognized that the processing carried out by such entities is secondary in its nature (an argument Google already tried to advance in the 2014 case). Hence, according to the AG, prohibitions and restrictions set out in the Data Protection Directive could only apply to an operator of search engine by reason of his referencing activities (searching, finding and making information available in an efficient way). Ex ante control of referenced web pages, which - so the AG - is covered neither by the responsibility, nor by capabilities of search engine providers, should therefore be excluded. Consequently, also with respect to sensitive categories of data, the primary focus remains on ex post verification of de-referencing requests, which was the subject of remaining questions.

Systematic de-referencing

In respect to the search engine operator's de-referencing duty (as a correlate of data subject's right to be forgotten), the Advocate-General first considered whether search engine operators are obliged to systematically de-reference web pages on which sensitive data appear, as soon as the absence of a legal ground for the processing is established. This matter appears to have divided the intervening parties and certainly needs to be looked at in more detail after all language versions of the opinion are available. For the time being, it suffices to report that, in view of the AG, an operator of a search engine should generally be required to accede, as a matter of course (i.e. without regard to elements other than the lack of legal ground), to requests for de-referencing relating to web pages on which sensitive data appear, subject to limited exceptions provided for in Article 8. Notably, however, if the contested processing of personal data falls within the scope of Article 9 of Directive 95/46, i.e. when the processing is carried out solely for journalistic, artistic or literary purposes, a balancing exercise can be required, possibly resulting in the refusal of de-referencing requests.

Territorial scope

The second of the discussed cases, Google v CNIL, dealt with the territorial scope of de-referencing measures. By way of illustration: in case of a request from a French data subject, should Google only deactivate links on Google.fr, on all EU domains, or on all worldwide domains? Or perhaps such de-referencing should (also) depend on the location from which the search is performed (assessed based on the IP address)? It this respect, the AG decided to put limits on the CNIL's extraterritorial ambitions. In particular, he insisted that search requests made outside the EU should not be affected by the de-referencing of search results. A different (broader) interpretation could, in view of the AG, create significant limitations in access to information, and as such should be approached with caution. Considering the facts of the case, worldwide de-referencing duty did not appear justified.

When it comes to the EU, however, the Advocate-General came out in favour of a rather broad territorial scope of de-referencing. Specifically, according to the opinion, once a right to be forgotten within the EU has been established, the search engine operator should take all measures available to it to ensure full and effective de-referencing within the EU, including by use of ‘geo-blocking’ in respect of an IP address located in the EU, irrespective of the domain name used by the internet user.

Concluding thought

The opinions of the Advocate-General come at a time of a heated debate about the application of the European data protection framework following its recent reform. Both the right to be forgotten and the territorial scope of act have been exhaustively discussed in the legislative process leading to the adoption of the GDPR. As usual, the judgment of the Court of Justice is awaited with interest. This time, however, it will reveal not only whether the CoJ shares the view of its advisor, but also to what extent the interpretation eventually provided affects the framework applicable today.

Beyond B2C: proposed regulation on fairness and transparency in platform-to-business relations

Earlier today the Commission took further steps to advance its hotly debated initiative on platform-to-business relationships and proposed a regulation on promoting fairness and transparency for business users of online intermediation services. The declared aim of the new rules is to "create a fair, transparent and predictable business environment for smaller businesses and traders when using online platforms". This includes, in particular, businesses such as hotel owners, sellers of goods or developers of mobile applications who rely on online intermediation services to reach consumers. By proposing rules targeting this specific type of B2B relationships, the Commission - already second  time this month (cf. the proposed directive on unfair trading practices in the food chain) - departs from the usual, consumer-oriented approach to the regulation of fairness in commercial transactions and steps upon a legal minefield. 

Two approaches

Aside from the business-to-business dimension addressed, the rules proposed for the platform economy and for the food sector do not seem to have much in common. For a start, the rules tabled today would not be contained in a directive requiring implementation, but in a directly applicable regulation with elements of a co-regulatory approach. The substantive provisions of both initiatives are also fundamentally different. Rather than providing for a black or grey list of unfair trading practices, the proposed regulation on platform-to-business (un)fairness lays down obligations for providers of online intermediation services and, in certain respects, online search engines to provide business users and corporate website users, respectively, with appropriate transparency and to offer them certain redress possibilities. 

Content of the proposal

Particular attention in the instrument presented today is devoted to standard terms and conditions used by providers of online intermediation services. In this respect the proposal does not provide for a general fairness test, such as the one found in the Directive 93/13/EEC on unfair terms in consumer contracts, but rather focuses on the way T&Cs are drafted (in clear and unambiguous language - Article 3(1)(a)) and made available (easily and at all stages of the commercial relationship, including the pre-contractual stage - Article 3(1)(b)). Further provisions referring the specific terms and conditions to be determined by providers of online intermediation services are also found throughout the instrument. Only one of them, however, is mentioned as a direct follow-up to the rules on transparency and availability - one related to the suspension or termination of online intermediation services.

Indeed, pursuant to Article 3(1)(c) providers of online intermediation services shall ensure that their terms and conditions set out the "objective grounds" for decisions to suspend or terminate, in whole or in part, the provision of their online intermediation services to business users. The placement within the proposal is not insignificant considering that, pursuant to Article 3(2), "terms and conditions, or specific provisions thereof, which do not comply with the requirements of paragraph 1 shall not be binding on the business user concerned where such non-compliance is established by a competent court". Additionally, Article 4 of the proposal provides that the business users affected by suspension or termination should be provided with a "statement of reasons".

Consequences of non-compliance with other provisions related to the specifics of T&Cs such as the parameters of ranking (Article 5 - applicable also to search engines; for a consumer protection perspective see our ealier post: New Deal for Consumers: proposals on online transparency; note the differences between the addressees of the rules), conditions of differentiated treatment (Article 6) and of access to personal and other data (Article 7) as well as restrictions to offer different conditions through other means (Article 8) are not directly apparent. In this respect business users could either rely on the abovementioned rules on transparency and availability or try to address their concerns by means of internal complaint-handling systems (Article 9) or mediation (Articles 10-11). Both solutions do not seem unviable.

Furthemore, the proposal establishes a notification requirement of providers of online intermediation services regarding modification of their T&C. On the face of it, the requirement seems to be similar to the one known from regulated network markets. The proposed regulation, however, does not aim to allow business users to terminate the contract upon notice of changes in contractual conditions (cf. Article 20(4) of Directive 2002/22/EC and Article 98(3) of the proposed European Electronic Communications Code). Rather the failure to comply with requirements of proposed Article 3(3) would render the relevant modifications null and void. 

Last but not least, the proposal also opens avenues for injunctive relief (Article 12), which deserve an analysis of their own, particularly in the light of new initiatives devoted to consumer law enforcement.

Concluding thought

The basic premise regarding the role on online platforms - with regard both to professional users and the non-professional ones - seems to hold. Admittedly, one may argue that this is only true for some of the major players. Whether the extent of the issue calls for a response of the kind proposed today, and not, for example, within competition law, is only a part of controversy, however. The proposal on platform-to-business (un)fairness touches upon other highly divisive issues such as the distinction between B2B and B2C and the broader questions of Intenet governance. Even though, as for now, the future of the proposal remains uncertain, advancing the discussion on (some of) these matters would already bring value of its own.