DRAFT  VERSION  –  PLEASE  DO  NOT  CITE  WITHOUT  PERMISSION     Balancing  Fundamental  Rights  on  the  Internet.     Service  Providers  as  Quasi-­‐Constitutional  Actors?       Marco  Bassini   University  of  Verona   [email protected]  

 

The   paper   aims   at   exploring   how,   as   result   of   recent   judicial   achievements,   private   actors   are   playing   a   more   and   more   significant   role   when   it   comes   to   balancing   fundamental   rights   on   the   Internet.   Notably,   in   the   European   scenario   most   of   Internet   operators   are   nowadays   far   from   being   considered  merely  service  providers,  also  in  light  of  the  constitutional  implications  deriving  from  the   nature  of  the  activities  carried  out  by  the  same.   Against  the  background  of  the  Directive  2000/31/EC,  several  issues  have  emerged  pushing  for  more   constitutional   relevance   of   the   role   played   by   service   providers.    The   Google   Spain   judgment,   for   instance,   has   revealed   that   Internet   search   engine   service   providers   may   be   tasked   with   significant   responsibilities  with  respect  to  the  protection  of  personal  data  in  their  capacity  as  controller  pursuant   to   the   Directive   95/46/EC.    While   attaching   such   new   liabilities   to   operators,   however,   the   decision   at   the   same   time   makes   Internet   service   providers’   role   crucial   with   regard   to   the   protection   of   freedom   of  expression.  This  way,  a  new  constitutional  relevance  emerges,  since  functions  which  are  assumed   to   pertain   to   public   authorities   (judges   and   lawmakers)   are   now   de   facto   exercised   by   private   operators.   It  has  therefore  to  be  questioned  whether  this  approach  is  appropriate  at  least  in  two  respects.  First   of   all,   it   is   at   issue   whether   the   constitutional   protection   of   values   which   enter   into   conflict   on   the   Internet   is   likely   to   satisfactorily   pass   through   functions   performed   by   private   operators.   Balancing   fundamental   rights,   in   fact,   should   prima   face   rely   on   a   public   authority   and   the   involvement   of   private  actors  is  likely,  as  said  above,  to  trigger  a  constitutional  or  quasi-­‐constitutional  relevance  of   the  same.  Secondly,  the  point  is  whether  burdening  Internet  providers  with  new  liabilities  only  reflects   the   crucial   nature   of   their   services   for   the   protection   of   fundamental   rights   or,   in   a   purely   market   view,   is   an   option   that   is   likely   to   discourage   operators   from   targeting   European   residents   when   offering  their  services.   In  light  of  these  remarks,  the  idea  comes  through  that  any  process  concerning  the  governance  of  the   Internet   lato   sensu   is   unlikely   to   achieve   far-­‐reaching   results   when   not   properly   considering   the   (whether  undesirable  or  not)  quasi-­‐constitutional  relevance  of  certain  private  actors.  

   

 

1. Introduction.  Internet  providers  towards  ‘more’  responsibility?   One  of  the  most  significant  consequences  of  the  digital  (r)evolution  of  the  last  twenty  years   is   that   several   legal   categories   have   become   obsolete.     Regardless   of   the   opportunity   to   introduce   new   legal   instruments   (or   to   adapt   the   existing   ones)   when   it   comes   to   facing   the   developments   brought   to   light   by   the   new   technologies,   sometimes   legal   regimes   modeled   on   the   basis   of   the   characteristics  of  certain  phenomena  turns  out  to  be  ineffective.     The   steady   evolution   of   the   new   technologies   is   posing   several   issues   with   respect   to   the   degree   of   appropriateness   of   certain   (even)   recent   pieces   of   legislation1.   These   changes   may   also  

                                                                                                                1

 An   example   is   provided   by   the   Directive   95/46/EC   (“Data   Protection   Directive”):   even   if   this   act   is   quite   recent,   it   has   proved   to   be   ineffective   vis-­‐a-­‐vis   the   challenges   of   the   new   digital   technologies.   The   EU  

 

  1  

DRAFT  VERSION  –  PLEASE  DO  NOT  CITE  WITHOUT  PERMISSION     reflect,  to  a  certain  extent,  the  complexity  of  the  legal  relationships  taking  place  by  virtue  of  the  new   technologies,  most  notable  via  the  Internet.     Against   the   prevailing   technological-­‐oriented   view,   also   some   constitutional   nuances   are   involved  in  this  process.     An   example   that   serves   to   make   things   clearer   is   offered   by   the   legal   regime   concerning   Internet  service  providers  in  the  European  Union,  which  is  the  subject  of  this  paper2.   The   relevant   legal   framework   has   been   set   out   by   the   so   called   ‘E-­‐Commerce   Directive’,   which   dates   back   to   20003.   The   provisions   set   forth   in   the   Directive   define   the   legal   regime   for   operators  providing  Internet  services  in  a  way  that  mirrors  the  complexity  of  the  role  played  by  these   actors  in  the  information  society,  albeit  at  its  very  beginning  in  Europe.     Two   are   the   distinguishing   features   of   this   regime4.   On   the   one   hand,   the   absence   of   any   general   monitoring   obligation   on   the   shoulders   of   Internet   providers.   On   the   other   hand,   the   Directive   has   laid   downs   a   set   of   exemptions   from   liability   which   applies   under   condition   that   the   provider  has  no  actual  knowledge  or  awareness  of  unlawful  activities  or  information.   This  legal  regime  is  clearly  inspired  by  the  purpose  of  limiting  intermediaries’  liability  for  any   unlawful  activity  or  information  transmitted  or  stored  via  their  services.  As  noted,  this  legal  regime   has   key   implications   also   from   a   constitutional   point   of   view,   as   it   aims   at   reaching   the   widest   possible  circulation  of  contents.     However,   this   legal   framework   is   nowadays   more   and   more   called   into   question,   and   also   its   constitutional  implications  seems  to  be  relevant.   The  purpose  of  the  present  paper  is  to  describe  the  main  trends  that  are  affecting  the  regime   of  Internet  service  providers  as  result  of  recent  judicial  achievements,  in  order  to  highlight  the  quasi-­‐ constitutional  relevance  that  these  actors  have  assumed  in  the  information  society.   Two  main  trends  will  be  now  discussed.     First,   the   attempts   made   by   various   domestic   courts   to   reduce   the   scope   of   the   liability   exemptions  by  interpreting  restrictively  the  relevant  provisions  of  the  E-­‐Commerce  Directive  on  the   basis  of  the  difference  between  ‘active’  and  ‘passive’  providers.   Second,  the  paper  will  more  in  detail  focus  on  the  recent  decision  of  the  Court  of  Justice  in   the   Google   Spain   case   and   on   the   consequences   of   qualifying   search   engine   providers   as   data   controller  pursuant  to  the  Data  Protection  Directive  (Directive  95/46/EC).   Having   explored   the   above,   some   remarks   concerning   the   critical   points   posed   by   these   trends  will  be  drawn.      

                                                                                                                                                                                                                                                                                                                                                          institutions    have  then  started  to  consider  a  proposal  to  reform  this  legal  framework  which  aims  at  replacing   the  Directive  with  a  new  Regulation  on  data  protection.   2  See   O.   Pollicino   and   E.   Apa,   Modeling   the   Liability   of   Internet   Services   Providers:   Google   vs.   Vivi   Down.   A   Constitutional  Perspective,  Milan,  2013.   3  Directive  2000/31/EC  (“E-­‐Commerce  Directive”).   4  See   P.   Von   Eecke,     ‘Online   service   providers   and   liability:   a   plea   for   a   balanced   approach’,   48   CML   Review   (2011)  1455.    

 

  2  

DRAFT  VERSION  –  PLEASE  DO  NOT  CITE  WITHOUT  PERMISSION     2. Internet  service  providers:  active  versus  passive?  (passim)   The   Court   of   Justice   of   the   European   Union   and   a   number   of   domestic   courts   of   Member   States   are   interpreting   the   legal   provisions   applying   to   Internet   service   providers   under   EU   law   in   light  of  the  evolution  of  the  respective  services  over  the  time.     More   in   details,   it   has   to   be   noted   that   behind   the   liability   exemptions   set   forth   by   the   E-­‐ Commerce   Directive   was   the   assumption   that   Internet   providers   acted   in   a   purely   passive   manner,   without   exercising   any   control   over   the   content   transmitted5.   This   was   the   main   reason   why   the   approach  adopted  by  the  E-­‐Commerce  Directive  was  to  hold  providers  immune  from  liability  on  the   assumption  they  had  no  control  over  contents.     However,   these   services   have   reached   a   high   level   of   complexity   since   the   Directive   came   into  force.  While  at  the  time  the  relevant  legal  framework  was  set  out  there  were  no  difficulties  to   determine   whether   an   Internet   service   provider   was   acting   or   not   in   a   passive   way,   to   date   the   growing   complexity   of   these   services   has   led   to   a   number   of   cases   where   it   is   disputable   that   a   provider  enjoys  exemptions  from  liability.   Therefore,  it  is  for  courts  to  determine  whether  the  exemptions  established  by  the  Directive   shall   apply.   Depending   on   the   circumstances   of   the   case,   courts   have   assessed   whether   the   conditions  for  the  liability  exemptions  were  met  or  not6.  Some  domestic  courts,  such  as  the  Italian   ones,   have   provided   a   peculiar   construction   of   these   provisions.   Most   notably,   as   far   as   hosting   providers   are   concerned,   the   Italian   courts   have   created   a   kind   of   hybrid   by   carving   out   the   legal   paradigm  of  the  ‘active  hosting  provider’  in  the  wake  of  the  decisions  of  the  Court  of  Justice  of  the   European   Union   in   the   Google/Louis   Vuitton 7  and   eBay/L’Oréal 8  cases.   This   notion,   in   the   construction  given  by  several  judgments  by  Italian  courts9,  includes  those  service  providers  that  do   not  operate  in  a  purely  passive  way  and,  thus,  could  not  benefit  of  the  liability  exemptions  in  case   unlawful  information  or  contents  are  transmitted  or  stored10.    

                                                                                                                5

 This   view   is   reflected   by   the   Recital   42   of   the   Directive,   which   reads   as   follows:   ‘The   exemptions   from   liability   established  in  this  Directive  cover  only  cases  where  the  activity  of  the  information  society  service  provider  is   limited   to   the   technical   process   of   operating   and   giving   access   to   a   communication   network   over   which   information   made   available   by   third   parties   is   transmitted   or   temporarily   stored,   for   the   sole   purpose   of   making  the  transmission  more  efficient;  this  activity  is  of  a  mere  technical,  automatic  and  passive  nature,  which   implies  that  the  information  society  service  provider  has  neither  knowledge  of  nor  control  over  the  information   which  is  transmitted  or  stored’.   6  In   particular,   the   courts   have   taken   into   account   that   some   Internet   service   providers   were   no   longer   operating   as   mere   intermediaries   by   reason   of   certain   features   that   were   not   essential   for   their   functioning.   The   applicability   of   the   liability   exemptions   is   questioned,   for   instance,   when   it   comes   to   search   engine   providers   which   ‘suggest’   how   to   complete   the   keyword   in   the   queries   or   to   the   so   called   ‘user-­‐generated-­‐ content’  platforms  where  the  contents  posted  by  users  are  classified  into  different  categories  or  coupled  with   advertising  messages  mirroring  the  type  of  content  visited  or  researched  by  the  user.     7  CJEU,  23  March  2010,  C-­‐236/08  to  238/08,  Google  France  SARL  and  Google  Inc.   8  CJEU,  12  July  2011,  C-­‐324/09,  L’Oréal  and  others.   9  See   Court   of   Rome,   20   October   2011;   Court   of   Milan,   9   September   2011;   Court   of   Milan,   20   January   2011;   Court   of   Appeals   of   Milan,   21   December   2012;   Court   of   Turin,   5   May   2014;   Court   of   Turin,   23   June   2014;   Court   of  Appeals  of  Milan,  7  January  2015.   10  According  to  the  Italian  case  law,  a  provider  may  qualify  as  active  hosting  provider,  for  instance,  when  the   terms   and   conditions   entered   into   by   the   parties   provides   the   exercise   of   control   on   the   information,   when   advertising   messages   related   to   the   contents   are   displayed   or   when   unlawful   contents   have   been   uploaded   directly   by   the   provider.   It   is   disputed   whether   such   qualification   occurs   when   contents   are   indexed   or   selected,  or  when  the  provider  has  established  a  notice-­‐and-­‐take  down  procedure.  

 

  3  

DRAFT  VERSION  –  PLEASE  DO  NOT  CITE  WITHOUT  PERMISSION     These  operators  are  not  ipso  facto  treated  in  the  same  way  as  content  providers,  but  having   something   plus   (‘quid   iuris’)   than   passive   providers   may   most   likely   face   liability   for   unlawful   activities   such   as   copyright   infringements   or   defamatory   comments:   they   are   supposed,   in   other   terms,   to   have   ‘actual   knowledge’   of   the   unlawful   contents   and   supposed   to   remove   the   same   without  a  prior  notice  by  the  competent  authority  (as  required  by  the  Directive  in  the  case  of  passive   providers).   Then,   the   model   of   liability   foreseen   in   the   E-­‐Commerce   Directive,   as   interpreted   by   some   domestic  courts,  seems  to  be  revisited  as  a  consequence  of  the  growing  up  of  Internet  services.   This  view  of  Internet  providers,  most  notably  of  the  hosting  providers,  as  actors  which  are  no   longer   to   be   regarded   as   mere   intermediaries   impacts   also   on   the   protection   of   certain   fundamental   rights:   freedom   of   expression   is   of   course   the   crucial   value   at   stake   when   the   role   of   Internet   providers  is  affected  by  these  interpretative  trends.         3. Google  Spain:  more  than  an  Internet  search  engine  service  provider   The   very   constitutional   relevance   of   the   role   of   Internet   providers   emerges   when   it   comes   to   consider  different  legal  regimes  which  may  apply  to  the  same  operator.  In  this  respect,  the  Google   Spain11  judgment  delivered  by  the  Court  of  Justice  of  the  European  Union  has  marked  a  point  of  no   return  while  clarifying  that  search  engine  providers  do  also  meet  the  definition  of  ‘data  controllers’   pursuant   to   the   Data   Protection   Directive.   Then,   the   judgment   rendered   by   the   Court   in   this   case   constitutes  a  useful  case-­‐study  to  bring  to  light  the  constitutional  implications  which  are  now  related   to  the  role  played  by  Internet  service  providers12.   Here,   the   view   expressed   by   the   Court   is   not   based   on   a   different   application   of   the   provisions  concerning  Internet  service  providers,  but  rather  rests  on  the  complexity  of  the  role  that   the  Internet  providers  play  nowadays  in  the  information  society.   The  ruling,  which  has  given  rise  to  a  number  of  comments,  marked  a  very  significant  turning   point  since,  on  one  hand,  it  boosted  a  renewed  interpretation  of  the  EU  data  protection  legislation   while,  on  the  other,  it  significantly  affected,  although  indirectly,  on   the  regime  of  liability  of  Internet   service  providers.   Labeled   as   an   explicit   and   long-­‐awaited   statement   of   the   right   to   be   forgotten,   the   judgment   has  a  very  broad  subject  but  impacts  especially  on  the  position  of  the  operators  of  search  engines.   Indeed,  referring  to  the  ‘right  to  be  forgotten’  as  such  sounds  perhaps  improper,  as  long  as   this  expression  is  meant  as  the  claim  of  an  individual  to  obtain  the  removal  from  the  Internet  of  news   or  piece  of  information  that  he/she  considers  outdated  or  no  longer  of  public  interest.  The  Court  of   Justice,  in  fact,  focused  exclusively  on  the  role  of  search  engines  and  on  the  responsibilities  that  they   bear   as   data   controllers   with   respect   to   the   indexing   of   news   contained   on   web   pages   or   websites   operated  by  third  parties.   By   supporting   an   interpretation   of   the   relevant   provisions   of   the   Data   Protection   Directive   contrary  to  the  view  expressed  by  the  Advocate  General  in   his  Opinion13,  the  Court  of  Luxembourg  

                                                                                                               

 CJEU,  C-­‐131/12,  13  May  2014,  Google  Spain,  Google  Inc.    See   O.   Pollicino   and   M.   Bassini,   ‘Reconciling   Right   to   be   Forgotten   and   Freedom   of   Information   in   the   Digital   Age.  Past  and  Future  of  Persona  Data  Protection  in  the  EU’,  2  Diritto  pubblico  comparator  ed  europeo  (2014),   640.   13  Opinion  of  the  Advocate  General  Jääskinen,  25  June  2013,  C-­‐131/12,  Google  Spain,  Google  Inc.   11 12

 

  4  

DRAFT  VERSION  –  PLEASE  DO  NOT  CITE  WITHOUT  PERMISSION     has   considerably   (even   though   indirectly)   expanded   the   scope   of   liability   of   the   Internet   search   engine   service   providers.   The   key   assumption   of   the   Court   is   that   these   operators   do   actually   qualify   as  data  controllers  pursuant  to  the  Data  Protection  Directive.       According   to   Article   2(d)   the   Directive   95/45/EC,   in   fact,   the   data   controller   is   defined   as   ‘the   natural  or  legal  person  …  which  alone  or  jointly  with  others  determines  the  purposes  and  means  of   the  processing  of  personal  data’.  Thus,  if  Internet  search  engine  service  providers  meet  the  definition   of   ‘data   controller’,   this   leads   significant   implications   for   this   category   of   operators.   Most   notably,   the  same  are  bound  by  the  obligations  which  are  established  by  the  Data  Protection  Directive  with   respect   to   the   data   controller,   including   the   obligations   to   comply   with   the   data   subject’s   requests   with  respect  to  their  personal  data.   So,  while  on  one  hand  a  search  engine  provider  can  enjoy  ‘as  such’  the  liability  exemptions   laid  down  by  the  E-­‐Commerce  Directive,  on  the  other  one  may  face  additional  obligations  set  forth   by  the  Data  Protection  Directive,  to  the  extent  the  operator  is  found  to  match  the  definition  of  data   controller.   The  preliminary  ruling  that  gave  rise  to  the  decision  of  the  Court  of  Justice  concerned  a   point   which   ranks   among   the   most   debated   in   several   Member   States:   the   possibility   for   the   concerned   individuals   to   obtain   the   removal   of   the   results   generated   by   search   engines   relating   to   news   considered   no   longer   of   public   interest,   without   prior   consulting   the   owner   of   the   website   being   indexed.     As  noted,  this  claim  sounds  slightly  different  from  a  proper  right  to  be  forgotten  meant  as  a   right   to   ‘disappear’   from   the   Internet.   However,   providing   individuals   with   such   an   instrument   is   supposed  to  allow  individuals  to  protect  themselves  from  the  main  source  of  harm  for  the  protection   of  personal  identity  and  reputation  when  it  comes  to  the  Internet,  namely  the  search  engines.  The   same  search  engine  on  the  shoulders  of  which  the  protection  of  some  constitutional  interests  relies.   The   very   critical   point   lies   with   the   Court   of   Justice   choice   to   place   in   the   hands   of   private   actors,  such  as  Internet  search  engine  service  providers,  the  power  to  handle  individual  requests  to   obtain   the   removal   of   personal   data.   Said   decision,   in   fact,   is   supposed   to   entrust   search   engine   operators   with   the   function   of   balancing   the   right   to   data   protection   with   the   other   fundamental   rights  at  stake,  namely  freedom  of  expression  and  freedom  to  conduct  business.  According  to  some   scholars,  this  could  attach  a  quasi-­‐constitutional  status  to  Internet  providers14.     The  reasoning  of  the  Court  which  led  to  this  conclusion  has  followed  gradual    steps.   First,  the  Court  has  stated  that  the  activity  carried  out  by  a  search  engine,  consisting  of  the   indexing   and   display   as   search   results   of   the   content   of   third   parties   websites   constitutes   a   processing  of  personal  data  pursuant  to  the  Data  Protection  Directive.   This  notion,  under  Article  2,  lit.  b)  of  the  Directive  95/46/  EC,  is  very  broadly  defined,  so  this   first  point  is  not  disputed  and  does  not  raise  critical  issues.   The  crucial  point  is  rather  the  following  step  taken  by  the  Court  of  Justice,  when  it  comes  to   answering   the   question   whether   a   search   engine   qualifies   as   data   controller.   Here   the   line   of   reasoning  of  the  Court  of  Justice  diverges  from  that  of  the  Advocate  General.     The  latter,  in  fact,  had  concluded  that  only  under  exceptional  circumstances  a  search  engine   provider  could  qualify  as  data  controller.  In  Jääskinen’s  view,  in  fact,  the  mechanical  and  automated   indexing  of  information  (not  necessarily  containing  personal  data)  retrieved  from  third  parties  web  

                                                                                                               

 See  O.  Pollicino,  ‘Google  rischia  di  «vestire»  un  ruolo  para-­‐costituzionale’,  Il  Sole  24  Ore,  15  May  2014.  

14

 

  5  

DRAFT  VERSION  –  PLEASE  DO  NOT  CITE  WITHOUT  PERMISSION     sites   was   such   to   exclude   that   the   search   engine   was   determining   means   and   purposes   of   the   processing  and  thus  qualifying  as  data  controller15.     The  Court  of  Justice,  on  the  contrary,  has   found  that  an  Internet  search  engine  provider  acts   as   data   controller:   to   hold   differently,   according   to   the   Court,   would   be   contrary   not   only   to   the   wording   of   the   provision   but   also   to   its   purpose,   which   is   to   provide   a   notion   sufficiently   wide   of   controller  in  order  to  grant  effective  protection  to  individuals  and  their  personal  data16.     In  this  step  the  judges  seem  to  fall  into  a  clear  excusatio  non  petita:  the  Court  seeks  a  broad   definition   of   data   controller   for   the   sake   of   a   comprehensive   protection   of   the   data   subjects.   However,  this  assumption  is  not  free  of  consequences  for  Internet  search  engine  service  providers,   as   it   triggers   significant   consequences   in   term   of   legal   obligations,   the   same   obligations   that   in   the   view  of  the  Advocate    General  the  search  engine  ‘cannot  in  in  or  in  fact  fulfill’.   This  way,  in  fact,  the  Court  makes  the  same  provisions  concerning  the  data  controller  under   the  Data  Protection  Directive  applicable  to  the  Internet  search  engine  service  providers.  In  particular,   among   others,   the   provisions   applying   to   Google   in   the   case   were   Article   12,   lit.   b),   allowing   individuals   to   ask   the   controller   for   the   erasure,   blocking   or   rectification   of   personal   data   and   Article   14,  par.  1,  lit.  b),  which  establishes  the  right  of  data  subjects  to  object  to  the  processing  of  personal   data.  By  coupling  these  provisions  with  Articles  7  and  8  of  the  Charter  of  Fundamental  Rights  of  the   European   Union,   the   Court   of   Justice   provides   the   right   to   be   forgotten   in   this   peculiar   ‘right   to   delisting’  version  with  legal  grounds,  making  the  claim  to  the  removal  of  personal  data  enforceable   against   Internet   search   engine   service   providers.   Making,   thus,   the   right   to   data   protection   enforceable  against  the  freedom  to  impart  and  search  information.   It   is   worth   remarking   some   critical   aspects   which   bring   to   light   the   nature   of   quasi-­‐ constitutional  actors  of  Internet  service  providers  .   First,   the   Court   has   failed   to   laid   down   at   all   any   criteria   on   the   basis   of   which   the   search   engine  provider  is  required  to  carry  out  a  balance  between  the  protection  of  personal  data  and  the   protection   of   other   interests   such   as   freedom   of   expression.   In   particular,   the   Court   has   not   even   mentioned  Article  11  of  the  Charter  in  the  judgment.  The  impact  on  freedom  of  expression  is   even   more   clear   if   one   considers   that   the   removal   from   the   search   results   is   possible   without   a   prior   consultation   of   the   web   site   owner.   If   a   right   of   the   web   site   owner   to   have   its   site   ‘indexed’   has   probably  no  legal  grounds,  there  is  a  competing  general  interest  of  individuals  to  find  and  research   information,  which  constitutes  essential  profiles  of  the  freedom  of  information.     Additionally,  the  threat  to  the  protection  of  freedom  of  speech  is  even  more  serious  if  one   considers   that   restrictions   on   fundamental   rights   do   generally   rest   in   the   hands   of   judges,   as   any   limitations   should   be   grounded   on   an   order   by   the   judicial   authority.   This   is   not   the   case,   as   the   restriction   on   the   possibility   for   users   to   access   information   only   depends   on   the   discretionary   assessment  of  the  individual  complaint  by  the  search  engine.  

                                                                                                                15

 Opinion,  p.  89:  ‘the  internet  search  engine  service  provider  cannot  in  law  or  in  fact  fulfill  the  obligations  of   controller  provided  in  Articles  6,  7  and  8  of  the  Directive  in  relation  to  the  personal  data  on  source  web  pages   hosted  on  third-­‐party  servers.  Therefore  a  reasonable  interpretation  of  the  Directive  requires  that  the  service   provider  is  not  generally  considered  as  having  that  position’.   16  CJEU,   C-­‐131/12,   p.   34:   ‘it   would   be   contrary   not   only   to   the   clear   wording   of   that   provision   but   also   to   its   objective   —   which   is   to   ensure,   through   a   broad   definition   of   the   concept   of   ‘controller’,   effective   and   complete   protection   of   data   subjects   —   to   exclude   the   operator   of   a   search   engine   from   that   definition   on   the   ground  that  it  does  not  exercise  control  over  the  personal  data  published  on  the  web  pages  of  third  parties’.  

 

  6  

DRAFT  VERSION  –  PLEASE  DO  NOT  CITE  WITHOUT  PERMISSION     It   has   to   be   pointed   out   that   the   judgment   of   the   Court   of   Justice   does   not   prevent   individuals   from   bringing   their   claims   before   the   competent   judicial   and   administrative   authority,   either  directly  or  in  case  the  request  is  rejected  by  the  search  engine.  However,  the  lack  of  a  judicial   review  still  constitutes  a  critical  point  of  the  decision.   The   Court   of   Luxembourg   has   correctly   underlined   that   the   processing   of   personal   data   carried  out  by  the  search  engine  is  autonomous  and  separate  from  that  of  the  owner  of  the  web  site   where  the  retrieved  news  were  originally  published.  Notwithstanding,  the  judgment  has  set  out  no   criteria   for   the   balance   between   opposite   interests   at   stake.   And   also,   nothing   is   said   with   respect   to   the  purposes  for  which  the  processing  by  the  search  engine  is  carried  out.  The  Court  of  Justice  has   only   clarified   that   the   Internet   search   engine   service   provider   does   not   enjoy   the   exemptions   laid   down   with   regard   to   the   processing   for   journalistic   purposes   by   Article   9   of   the   Data   Protection   Directive  from  the  obligations,  among  others,  to  obtain  the  consent  of  the  data  subjects.   Also,   the   Court   has   paid   no   regard   to   the   freedom   to   conduct   business   which   enjoys   likewise   protection   under  Article   16   of   the   Charter   of   Fundamental   Rights   of   the   European   Union.   As   detailed   below,  the  decision  seems  to  go  against  the  business  model  that  is  mirrored  by  the  legal  regime  of   Internet  service  providers  outlined  by  the  E-­‐Commerce  Directive,  at  least  as  long  as  the  category  of   the   search   engines   is   concerned.   In   the   reasoning,   however,   the   Court   has   underestimated   the   consequences  for  the  operators,  which  may  thus  encounter  obstacles  while  doing  their  business.   Having   said   that,   against   this   background   Article   1(5)(b)   of   the   E-­‐Commerce   Directive   itself   states   that   the   Directive   shall   not   apply   to   questions   relating   to   information   society   services   covered   by  Directive  95/46/EC.  Relying  on  this  provision  to  exclude  any  debate  concerning  the  evolution  of   the  role  of  Internet  service  providers,  however,  would  seem  to  me  too  much  simplistic.  Furthermore,   the  exact  meaning  of  this  provision,  as  well  as  its  scope,  still  remain  unclear:  some  domestic  courts   have  tried  to  enforce  this  safe  harbor  but  these  attempts,  as  in  the  Italian  Google  Vivi  Down  case,  did   not  lead  to  significant  results.  In  any  cases,  should  one  assume  that  the  liability  exemptions  do  not   apply   when   it   comes   to   data   protection   issues,   this   interpretation   would   not   affect   the   idea   that   Internet   service   providers   are   moving   towards   a   new   legal   model,   reflecting   the   constitutional   relevance  of  their  role.     Then,  regardless  of  the  application  of  the  liability  exemptions  laid  down  by  the  E-­‐Commerce   Directive,   the   Internet   search   engine   service   providers   are   now   bound   by   the   obligation   stemming   from  the  role  of  ‘data  controller’.     The   Court   of   Justice,   then,   has   acknowledged   that   different   legal   regimes   may   apply   to   operators  which  match  different  status.     Internet   search   engine   service   providers,   in   light   of   the   foregoing   will   continue   to   benefit   from   the   exemptions   from   liability   established     by   the   E-­‐Commerce   Directive   with   respect   to   the   unlawful   activities   carried   out   by   its   services.   While,   in   their   capacity   as   data   controllers,   will   be   bound  by  the  obligations  provided  by  the  Directive  95/46/EC.   It  goes  without  saying  that,  as  a  consequence  of  the  judgment  of  the  Court,  the  favor  behind   the  legal  regime  of  Internet  service  providers  has  been  undermined.  Conversely,  the  scope  of  liability   of  the  same  has  been  extended.     Said   extension   is   an   effect,   first   of   all,   of   having   made   enforceable   against   search   engine   operators  the  rights  that  data  subjects  are  entitled  to  under  the  Data  Protection  Directive.     A  few  weeks  after  the  judgment,  Google  has  implemented  a  web  site  to  allow  individuals  to   ask  the  search  engine  to  remove  results  for  queries  that  include  their  name.  

 

  7  

DRAFT  VERSION  –  PLEASE  DO  NOT  CITE  WITHOUT  PERMISSION     If,   on   one   hand,   the   activity   carried   out   by   a   private   operator   like   Google   mirrors   the   relationship   between   data   subjects   and   data   controller,   on   the   other   one   the   removal   of   search   results  arises  out  of  a  balance  between  the  right  to  data  protection  and  the  freedom  of  expression.   Then,  the  power  to  restrict  the  exercise  of  a  fundamental  right  rests  in  the  hands  of  private  actors   instead  of  a  public  authority.     Not  all  the  relationships  between  data  subjects  and  data  controllers  are  such  as  to  assume   public  relevance:  it  is  by  virtue  of  the  nature  of  search  engine  of  the  data  controller  that  the  removal   (or  the  reject)  of  personal  data  acquires  the  nature  of  a  restriction  on  freedom  of  expression  for  the   sake  of  protection  of  personal  data.  This  confirms,  more  than  other  factors,  the  quasi-­‐constitutional   status  of  the  search  engine  providers.       4. The  aftermath  of  the  judgment  Google  Spain.  Concluding  remarks   As  a  reaction  to  the  questions  left  unanswered  by  the  decision  of  the  Court  of  Justice,  both   the  Google  Advisory  Council  on  the  Right  to  Be  Forgotten  and  the  Article  29  Data  Protection  Working   Party   have   handed   down   respectively   a   report17  and   an   opinion18  focusing   on   the   criteria   for   the   removal   of   search   results.   Nothing   can   explain   better   than   that   the   overlap   between   private   and   public   functions.   Two   bodies,   i.e.   the   independent   committee   appointed   by   the   leading   private   operator   in   the   market   of   search   engines   and   the   entity   where   the   national   data   protection   authorities  of  the  Member  States  are  represented,  have  taken  similar  steps  in  order  to  resolve  the   uncertainties  of  the  decision  of  the  Court  of  Justice.   Without   entering   into   the   merits   of   these   documents,   it   seems   that   the   report   adopted   by   the  private  actor  (Google)  would  most  likely  have  more  significant  effects  than  the  resolution  of  the   institutional  body  where  the  European  data  protection  authorities  sit.  The  latter,  in  fact,  is  intended   to   provide   data   protection   authorities   and   judges   with   some   guidelines   as   to   the   interpretation   of   the   relevant   provisions   of   the   Data   Protection   Directive.   The   report   issued   by   the   Advisory   Committee   to   Google,   instead,   reflects   the   point   of   view   (even   though   through   the   eyes   of   an   independent  body)  of  the  leading  worldwide  Internet  search  engine  provider,  which  was  concerned   as   party   of   the   proceedings   before   the   Court   of   Justice   and   is   the   first   (although   not   exclusive)   addressee  of  the  most  part  of  the  requests  of  removal  filed  by  individuals.       However,  the  criteria  set  forth  in  the  report  of  the  Google  committee  are  of  course  tailored   to  the  nature  of  private  operator  of  the  search  engine  provider.  Private  powers  vs.  public  powers?   Here,   the   contrast   between   the   power   of   the   market   and   the   power   of   public   authorities   is   even   more  clear.  Thus  one  could  question  whether  the  rules  laid  down  in  this  respect  do  actually  fulfill  the   general   interest   of   the   public   to   a   sound   balance   between   the   protection   of   personal   data   and   other   competing   rights.   The   criteria   set   forth   by   a   private   actor,   indeed,   are   likely   to   be   more   ‘business-­‐ oriented’  than  ‘fundamental  rights  oriented’:  in  other  terms,  Google  will  take  into  account  the  value   of  freedom  to  conduct  business  when  counterweighing  the  balance  with  the  right  to  be  forgotten.  At   the  same  time,  the  judgment  of  the  Court  has  exposed  any  Internet  search  engine  service  provider  to   the   risk   to   face   claims   of   ‘censorship’   or   undue   restrictions   on   freedom   of   expression   by   the  

                                                                                                                17

 The  Advisory  Council  to  Google  on  the  Right  to  Be  Forgotten,  6  February  2015.    Article   29   Data   Protection   Working   Party,   Guidelines   on   the   Implementation   of   the   Court   of   Justice   of   the   European   Union   Judgment   on   "Google   Spain   and   Inc.   v.   Agencia   Española   de   Protección   de   Datos(AEPD)and   Mario  Costeja  González”  C-­‐131/12,  26  November  2014,  WP  225  14/EN.  

18

 

  8  

DRAFT  VERSION  –  PLEASE  DO  NOT  CITE  WITHOUT  PERMISSION     concerned   web   sites’   owners   in   the   cases   where   the   right   to   data   protection   is   found   to   prevail   over   freedom  of  expression.   In   light   of   the   foregoing,   may   a   trend   toward   ‘more   responsibility’   be   justified?     While   it   would   be   easy   to   rely   on   the   assumption   ‘the   more   one   enjoys   freedom,   the   more   the   same   faces   responsibility’     (very   similar   to   the   principle   ‘ubi   commoda,   ibi   et   incommoda’   derived   from   the   Roman   Law),   this   conclusion   should   be   rejected.   It   is   not   by   burdening   private   operators   which   perform   functions   having   constitutional   relevance   with   more   liability   that   the   protection   of   the   fundamental   rights   at   issue   is   strengthened.   Rather,   it   is   the   switch   from   a   purely   ‘business-­‐oriented’   view  to  a  ‘fundamental  rights  sensitive’  approach  that  may  lead  to  a  reasonable  balance  among  the   competing   interests   involved,   whose   protection   nowadays   necessarily   pass   through   the   role   even   (but  not  limited  to)  of  private  operators.  

 

  9