While most people have focused on the free speech and implementation difficulties of the “right to be forgotten” in Google Spain SL, Google Inc. v. Agencia Espanola de Proteccion de Datos (Mario Costeja González), there are serious jurisdictional implications for the Internet, intermediaries and content publishers that largely have been ignored. In the decision, the European Court of Justice (ECJ) went against Google Inc., and its U.S.-based “Search” service, which it found to be subject to the EU Privacy Directive and subject to the jurisdiction of the Spanish courts and the Spanish Data Protection Authority (DPA), at least for privacy complaints related to search.

Most U.S.-based Internet companies have cooperated voluntarily with EU investigations and court cases while denying that jurisdiction exists, meanwhile using subsidiaries operating in the EU for limited roles, such as selling advertising or operating data centers. The ECJ opinion eviscerates the separate corporate entity doctrine and treats Google as a single operating unit for purposes of the Privacy Directive and, at least, the Search service. The potential far-reaching implications of this case are that the logic of the opinion will apply more broadly to all advertising services offered by U.S.-based Internet services.

More, most commentators seem to think that blocking search results on Google.es will be a sufficient response to the decision, perhaps thinking that anything more will require extraterritorial application of the Spanish law. But nothing in the ECJ opinion suggests any such limitation. To the contrary, it is not extraterritorial to apply local law against a controller deemed to have an establishment within the territory. If a search engine operator is subject to the jurisdiction of the court or DPA, then it can be ordered to block search results based on Mr. González’s name globally. It is censorious in the extreme, giving one local DPA global data control without regard to the law of the land where the search engine is incorporated or operates.

The parent-subsidiary distinction no longer matters for jurisdiction over privacy complaints—it is the corporate group taken as a whole that the courts and DPAs will look to: “the activities of the operator of the search engine and those of its establishment situated in the Member State concerned are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed.”

So when Mr. González now seeks to be forgotten, what will happen if an advertising-based, non-EU search engine operator fails to remove the links to the bad debt article on all domains? The Spanish DPA or Spanish courts may prosecute the operator in the local courts and issue an order that it comply with the request. The operator, if it fails to appear and defend, have a judgment entered against it that can be enforced in the operator’s home country. Then we will see how a conflict-of-laws analysis plays out, especially if the action is brought in the United States where the First Amendment’s free speech rights will squarely meet state-sponsored censorship.

The ramifications of the decision are not likely to be limited to search engine operators. The same logic the ECJ used to create jurisdiction can be applied to find that blog hosting companies, social media and other intermediaries are controllers with establishments in the EU. Will an EU court or DPA require removal of user-generated content that violates the Privacy Directive? Perhaps not, given that the user’s speech rights will be implicated by such a decision. But it is another thing to say that the hosting company will be permitted to process the data and advertise around it or return search results on its own site or affiliated properties.

Applicable law and notions of jurisdiction are closely tied together in EU jurisprudence, so one might view the ECJ decision as limited to privacy issues. But other agencies with enforcement powers may look at jurisdiction differently now. For example, law enforcement agencies may now view controllers with an establishment in the territory for privacy purposes as enough to seek to require disclosure of personal information of EU users.

Some intermediaries or platforms may be able to distinguish themselves from Google’s operations based on factual differences. For example, if there is no subsidiary in the country, there is not likely to be an establishment in the country. The ECJ also found a few more facts to be important:

  • There is a local version of Search adapted to the national language and offered through a website using a national domain; e.g., google.es.
  • Google’s search engine is widely used by residents;
  • Indexing of websites takes place automatically and is stored temporarily on servers whose location is unknown—proof that no data is stored in the country may be useful.
  • Advertising is associated with search terms, and advertising pays the freight for the free search service; and
  • The in-country subsidiary acts “as a commercial agent” for the out-of-country parent by promoting, facilitating and effecting the sale of advertising.

How far the DPA will reach in applying the local law remains to be seen. The right to be forgotten is only one aspect of data privacy law in the EU, but it is one of the most controversial. Much more attention is likely to be paid to the clash between the First Amendment in the United States and the censoring impact of the ECJ decision in the EU, but the enduring nature of the jurisdictional decision may have a much more far-reaching impact.

Written By

Albert Gidari

1 Comment

If you want to comment on this post, you need to login.

  • Richard Beaumont Jun 5, 2014

    I agree, this case really highlights the problems and conflicts of national, or territorial legal infrastructures, and the global nature of the web.
    The USA has exerted similar extra-territorial control - for example when a US court recently ruled that data held in a Microsoft data centre in Dublin should be handed over to law enforcement.
    It goes beyond internet businesses when you look more widely at issues like taxation. Global companies shifting revenues around the world to realise profits where the lowest possible tax becomes due.
    I'm not sure I know where the correct balance should be struck, but I do think that one of the first roles of the law is to protect rights and interests of people inside the territory, in a global world this inevitably means reaching beyond their own shores.  For those global companies affected - this has to surely be the price paid for the freedom to operate.
    What are the alternatives?  Google has assumed a right to reach out and index data wherever that data is.  It is an importer of data to the US. Traditionally there are controls on the import and export of goods - should those apply? But when the data is 'taken' (or in effect copied) without permission - well in other fields there a clear rights of the individual, why not in the world of data?  
    We live in an era where data, particularly personal information, is increasingly seen as a vital asset.  Traditionally assets have clearly identified owners - which enables their trade, but in the case of personal information - ownership if often very unclear.  Maybe this is what needs to change.  Certainly The EU is increasingly taking the position that the individual owns rights over data about them - and personally that feels right to me.
    A few thoughts for consideration.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

NEW! Raise Staff Awareness

Equip all your data-handling staff to reduce privacy risk, with Privacy Core™ e-learning essentials.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The GDPR requires 75,000 DPOs

What’s the formula for DPO success? IAPP CIPP/E and CIPM training, certifications and our global privacy conferences.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

NEW! FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

IAPP-OneTrust PIA Platform

Simplify privacy impact assessments with this cloud-based customizable platform - free to IAPP members!

72% say privacy is now a board-level concern

Find out more about privacy governance in the IAPP-EY Annual Privacy Governance Report 2016.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

More Resources »

Time to Get to Work at the Congress

It's almost here! Thought leadership, a thriving community and unrivaled education...the Congress prepares you for the challenges ahead. Register now!

Plan for the Summit

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities. Registration opens December 19!

Intensive Education at the Practical Privacy Series

This year's Series spotlights Data Breach, FTC and Consumer Privacy, GDPR and Government privacy issues. It’s the education you need NOW. Early bird ends Nov. 4!

Speak at the Symposium

The call for speakers is open! The Symposium returns to Toronto this Spring and programming is now underway. Looking to share your privacy prowess? Submit by November 20!

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»