The right to be forgotten, search engines and the scope of jurisdiction of the DPA: a ruling by Italy’s Garante della privacy
In a decision issued on 26 February 2017, the Garante della privacy (the Italian Data Protection Authority) ruled on the application of an Italian resident seeking the removal from Yahoo!’s search engine of links to a US website reporting news of an old judicial mishap that had occurred to him in that country. The news in question was outdated: the offence had in the meantime been downgraded to a minor infraction, and the whole case dropped. The applicant had already addressed Yahoo! directly, but to no avail.
In upholding the application, the Garante ordered Yahoo! to remove all links to the content at issue, enforcing the applicant’s right to be forgotten against information that was “out of date and about a story that ended in a different way than can be gathered by reading the webpage at issue”.
So far, this was nothing new compared to the now well-established national case-law on the right to be forgotten on the Internet (which we reviewed, for example, here, here and here). What makes the ruling more interesting is how the Garante addressed the jurisdiction issues raised by the Internet provider.
The petitioner’s application had been filed jointly against Yahoo! EMEA Limited, the European headquarters of Yahoo! based in Ireland and its Italian subsidiary Yahoo! Srl Italy. The respondents claimed that the sole data controller was the Irish parent company, which provided and managed search engine services, while the Italian branch (which promoted and sold advertising) had no responsibility over the same; on these grounds, the Italian Garante lacked jurisdiction on the subject matter.
The Garante, however, took the view that Yahoo! Italy should be considered a stable organisation of Yahoo! EMEA Limited in the national territory, “in light of the fact that the activity of the former is directed, at the very least, to render the service provided by Yahoo! EMEA Limited economically profitable”. As a consequence, the Garante concluded, national law was applicable to the processing of the personal data at issue, and the case fell within its jurisdiction.
In other words, the Garante applied the principles established by the European Court of Justice (ECJ) in the Google Spain and Weltimmo cases (which were expressly mentioned, along with Article 29 of the Working Party’s opinion no. 8/2010 as updated on 16 December 2015). There, the concept of “establishment” in a Member State, and of the processing of personal data carried out “in the context” of the activities of such establishment, has been stretched to cover cases of local subsidiaries engaged in activities that, however minimal, are “inextricably linked” with the actual data processing carried out by the foreign controller. The Garante also made reference, in support of its reasoning, to an (as of yet unpublished) January 2017 Milan Court ruling issued on appeal against a Garante order. The Milan Judge apparently stated in that ruling that the Garante’s jurisdiction in similar cases should be affirmed in light of the need to ensure effective legal protection against any unlawful processing of personal data causing harmful effects in the Italian territory.
The decision confirms the current trend aiming to make the enforcement of individual rights against the unlawful processing of personal data by foreign controllers (and/or controllers with multiple European establishments) as accessible and effective as possible. The Garante’s order is, however, still subject to appeal by the defendants before ordinary courts.