The CJEU held that:
- Search engines such as Google are acting as “data controllers” by indexing, compiling and organising personal data in their search results. Google is therefore responsible for personal data which appears in its search results;
- Individuals may object to the inclusion of their personal information in Google’s search results, and can require its deletion, where the information is not being processed in line with EU data protection law, for example because the information is out-of-date, excessive or irrelevant; and
- Data controllers based outside the EU will still be subject to EU data protection laws if they have subsidiaries in the EU, and if such subsidiaries undertake activities which are clearly linked to the processing of personal data.
The decision is a major blow to search engines such as Google who have long argued that the scope of their operations makes taking on responsibility for the data processed by them a disproportionate exercise. The judgment means that Google will no longer be able to operate on a uniform basis around the world, and will mean that Google is likely to now need to expend significant resources in the EU to bring its activities in line with EU data protection law.
Other non-EU based businesses should also consider their global structuring of subsidiaries and offices in light of the judgment to check whether they are subject to the requirements of EU data protection law.
The judgment is also striking in light of the current work being undertaken to overhaul EU data protection law through a new Data Protection Regulation (“DPR”). Whilst the current proposals for the DPR strengthen individuals’ rights to require deletion of their data (the so-called “right to be forgotten”), and significantly widen the territorial scope of EU data protection law, the CJEU’s decision demonstrates that the existing regime already goes a long way in these respects.