In the decision C-507/17 the European Court of Justice holds that
it is not apparent from the legal texts that the EU legislature has struck such a balance as regards the scope of a de-referencing outside the EU, nor that it haschosen to confer a scope on the rights of individuals which would go beyond the territory of the Member States. Nor is it apparent from those texts that it would have intended to impose on an operator, such as Google, a de-referencing obligation which also concerns the national versions of its search engine that do not correspond to the Member States. What is more, EU law does not provide for cooperation instruments and mechanisms as regards the scope of a de-referencing outside the EU.
Thus, the Court concludes that, currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.
The Court therefore reaffirms the prevalence of the legal notion of jurisdiction as a geographical limit to the exercise of State power and – correctly – refers to the borders of the Member States and not of the European Union as such.
On the other hand, it cannot be agreed with the part of the decision where
The Court points out, next, that Google Inc.’s establishment in French territory carries on activities, including commercial and advertising activities, which are inextricably linked to the processing of personal data carried out for the purposes of operating the search engine concernedand, second, that that search engine must, in view of, inter alia, the existence of gateways between its various national versions, be regarded as carrying out a single act of data processing in the context of the activities of Google Inc.’s French establishment. Such a situation therefore falls within the scope of the EU legislation on the protection of personal data.
This is the very same legal principle affirmed by the Court in Costeja-Google Spain to affirm its jurisdiction and enforced by the Italian Data Protection Authority in the injuction that fined Facebook Italy for the Cambridge Analytica scandal.
The injunction verbatim states
in this case, the activities examined were unequivocally addressed to Italian users through the sections that Facebook reserves for them to use the services of the social network. The close correlation between the Italian territory and the context of the processing operations carried out, which involved, for the most part, Italian users, is therefore apparent;
even if it refers to the activities of a search engine operated by a non-European entity, the provisions of the judgment of the Court of Justice of the European Union, C-131/12, must also be taken into consideration. In particular, paragraph 60 of that judgment states that”processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a Member State, … when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State.
This principle of law is politically understandable, but not legally acceptable.
It may be true that the purpose of advertising is to ‘push’ users to use a service, but it is also true that the actual and technical use of the service itself is originated by the user that sends the data to the USA and that, therefore, the processing starts outside the EU. Thus, in terms of processing of personal data, the direct obligations of the service provider start only later, that is, for example, when information about the user is actively collected through cookies.
However, the fact remains that the legislation on the processing of personal data regulates the collection and not the “contribution” or the mere “support” to the collection of data. Therefore, if the European subsidiaries do not develop (even partially) autonomous activities in the technical process of collecting and further processing of data, it cannot be argued that Community law should also apply to them.