'The Changing Landscape for Search Engines After Google Spain': Eduardo Ustaran

Duration: 12 mins 47 secs
Share this media item:
Embed this media item:


About this item
'The Changing Landscape for Search Engines After Google Spain': Eduardo Ustaran's image
Description: Eduardo Ustaran, Partner, Hogan Lovells delivers the fourth lecture from the "The Changing Landscape for Search Engines After Google Spain" section of the "EU Internet Regulation After Google Spain" conference.

This conference was held at the Faculty of Law, University of Cambridge on 27 March 2015, and brought together leading experts on Data Protection and Privacy from around the World.

The conference was held with the support of the Centre for European Legal Studies (CELS).

This entry provides an audio source for iTunes U.
 
Created: 2015-04-15 10:28
Collection: EU Internet Regulation After Google Spain: Conference 2015 MOVED
Publisher: University of Cambridge
Copyright: Eduardo Ustaran, Mr D.J. Bates
Language: eng (English)
Transcript
Transcript:
Good afternoon everybody. So this session is about the changing landscape for search engines. So let me lower the intellectual tone that you have put sky high, Julia, by making it simple. In very simple terms, search engines are now subject to take down requests as a result of or on the basis of the right of erasure. That’s it. Okay? That is the changing landscape for search engines. And I think that is the main conclusion. Since I have a few more minutes to talk, I would like to explore a little bit some of the, perhaps, some of the finer points, going back to the decision, the Court of Justice decision. Some of those finer points that were made by the Court. Because, for example, the Court merely skimmed through critical concepts like personal data and processing. When you read the judgement there are seven paragraphs, of about on average four lines each, covering personal data and processing. Which if you print it is about half a page. So there were assumptions of course that were made, but, for example in relation to personal data, the view that the Court took, was that the data that was being indexed by Google and by of course any other search engines in this case, qualified as information relating to an identified or identifiable individual, which of course is the definition of personal data in the Directive. But once the Working Party devoted a sort of forty page document to simply dissect that sentence of information related to an identified or identifiable natural person or individual, the Court just took that view that because this information does relate to people, and therefore that’s being indexed, then that’s personal data. The question is, is it personal data to the search engine? And that was not looked at.

Just looking at the definition of processing, of course what the Court said was that all this organising and again indexing, and making information available, that squarely fits with the definition of processing, because processing as we know covers pretty much anything you can ever do with data, digitally at least. And the Court went on to say that that was the case, despite the fact, or regardless of the fact, that search engines do not distinguish what they actually do with that information, they do not distinguish the nature of the information. They just do that technologically or algorithmically, or however you want to describe that, with all the information that crosses the internet. But that is processing of personal data.

And in line with this thinking, of course what the Court did, in a little more detail, was to expand, or to interpret, the concept of controller, which of course is defined in the Data Protection Directive. And I can see that personal data and processing can be absolute concepts. So it’s either personal data or it isn’t. It’s either processing or it isn’t. But controller, when you look at the definition in the Directive, is down to that subject, that entity, making decisions. There is an intention in being a controller. That’s the whole point. It is determining the processes and the determination involves decision-making. My understanding of the word. But it is not an absolute concept. It is a concept that involves some thinking: "this is what we’re going to do with the data." That’s what the controller does. They do the thinking, they do the decision-making.

And the Court of course took the purposive interpretation of this definition to say, "ah but the objective," they used this word "the objective" of the definition in the Directive is precisely to make it really broad so that it covers any activity dealing with data. So when you add all this, of course, the interpretation of personal data, the interpretation of processing, the interpretation of controller, the implication, this changing landscape for changes, it is very clear cut. Not only are search engines not "intermediary" in the sense that and intermediary is someone that is not really responsible but somewhere in between. No, no, the search engines are the super-controllers. There is no controller in the world that I can think of that processes more personal data than a search engine. If you think about it. It is the biggest controller ever. Applying this criteria, it is the super-controller, and there is no one that processes more personal data therefore. I am not exaggerating. This has to be the implication, which means that all the obligations that apply to controllers will apply to a search engine. All the obligations, and then you look at all the principles, and the conditions for processing of personal data, and of course personal data we know has a sub category of sensitive personal data. So if you add that dimension to certain grounds of processing sensitive personal data, then you start thinking but this is just much more than the right to be forgotten, then.

But then you start thinking, hold on. No one has said, or maybe no one has been heard saying it at least, that the implications of this are such that basically this search engine model is simply non-compliant. And the reason why that’s not being publically said, or at least by regulators I don’t think have said it, is because it is seen as having gone a bit too far. And the reason why it is seen as having gone a bit too far is because it has an unintended consequence and here is what we see sometimes with a decision that can only be taken so far. Because if it is really taken all the way in terms of the implications it should really have technically speaking, it has unintended consequences. Is this a weakness? Is this a reality of life in an imperfect world? Maybe it’s a bit of both. But this is an issue that is certainly raised by this decision. An imperfect decision for an imperfect world.

But there seems to be great implications to all of this at least from a legal perspective, because it does not just affect search engines, it affects everybody else. It is the determination of the applicability of the law, which is also addressed by the case. And I mean this is what has really messed things up for everybody. Because the way in which the law, or the Directive, was interpreted in terms of the applicability of the law, we know when we look at the Directive, the criteria are relatively straightforward. We have Article 4(1)(a), applicability determined by the establishment of the country in the EU. 4(1)(c) applicability determined on the basis of where the equipment is located of course when the controller is elsewhere [i.e.] the controller outside the EU, but the equipment in the EU. Here we’ve seen a mixture of the two. It is, I don’t know, 4(1)(c)(+), or however you want it. Because the interpretation that was given is: the controller is really outside the EU, everybody acknowledged that, but an establishment exists in the EU. And the kind of the link of the two is what determined the applicability of the law.

So this seems to have been accepted, but of course, regulators in Europe are now looking at this and are applying this local establishment criterion to situations where the controller is in the EU. Not necessarily in that country, but somewhere in the EU. Not outside the EU. No, in the EU, somewhere in the twenty-eight Member States. But the applicability of the law is being interpreted as EU-wide, so where until now, until very recently, we had the certainty that an EU-based data controller was only subject to the law of the country where he was established, now we are seeing the law being interpreted in such a way that an EU-based controller is subject to the law of that country where he is established, and everywhere else in the EU, wherever there is some form of presence. Even if the controller is not based there.

So to conclude I think that sometimes we talk about the European Commission being very ambitious in their policymaking. We’re about a year away from seeing a law that is probably the most ambitious data protection law we will ever see in the world. We don’t even need to wait for that. The Court of Justice of the European Union, in just one judgement, a twenty page judgement, has extended and created the greatest extension of European data protection law ever attempted. And that is why this case is so massive. And that is the changing landscape for search engines and for everyone else
Available Formats
Format Quality Bitrate Size
MP3 44100 Hz 249.99 kbits/sec 23.41 MB Listen Download
MP3 44100 Hz 62.25 kbits/sec 5.85 MB Listen Download
Auto * (Allows browser to choose a format it supports)