Data on the Internet

Privacy is the one of the most discussed rights in the debate around intermediaries since

‘[p]ersonal data has become the currency on the Internet. It is collected, stored and used in ever-increasing variety of ways by a countless amount of different users…’.125 _This

fact makes the data important for the online world and especially for intermediaries. Intermediaries obtain, store and even track the data of its users, thus becoming either controllers126 _{or processors}127 _{of this data. Bernal describes this as a symbiotic web or as} Web 2.5 where ‘individuals and commercial enterprises are becoming mutually

dependent: enterprises have business models reliant on the currency of personal data, while individuals depend on ‘free’ access to many services…’. 128 This reality has made individuals to think and even become concerned about their privacy more than they used to. This is because on the Internet, protection of privacy and intimacy may represent a

125 _{Jef Ausloos ‘‘The Right to be Forgotten’ – Worth remembering?’ (2012) 28 Computer Law & Security} Review 143-152, 143.

126 _{In Art 4(7) of GDPR controller is defined as ‘the natural or legal person, public authority, agency or}

other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law’

127 _{Processing is defined in Art 4(2) as; ‘any operation or set of operations which is performed on personal}

data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’ and Processor ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’ in the Art 4(8).

128 _{Paul Bernal ‘Web 2.5: the symbiotic web’ (2010) International Review of Law, Computers and} Technology 24(1) 25-37.

challenge for individuals as when their data becomes available on the Internet, it may spread around and stay there forever. As such, the protection of privacy and intimacy as well as having control over the data is crucial.129 In order to provide the necessary protection, the European social-democratic model of government imposes on governments an affirmative duty to protect fundamental rights through the positive operation of the law.130

EU law thus provides rules specifically designed to deal with issues related to the data protection. The GDPR now applies (from 25 May 2018) to enshrine the protection over individuals’ data and privacy in the online and offline worlds as it replaced the DPD.131 What is important in pursuit of the aim of this thesis is basically the duties that the GDPR imposes on an intermediary when it acts as controller or processor of the data.132 This is because when the DPD was enacted the Internet and its technologies were not developed as they are today. Hence the DPD had been ineffective as its scope had been too narrow.133 In essence, what can be said with regard to the GDPR is that it imposes rather more and stricter duties by means of placing responsibility on data processors134 in addition to the duties stated in the DPD such as the principles required in processing the data.135 Briefly, consent from the data subject for data processing is still required136 but the threshold has now been increased to a statement or a clear affirmative action.137 _{Besides, the controller} and the processor are now under a duty to undertake a data protection impact assessment to identify the risks to the rights and freedoms of data subjects while processing data in order to foster the protection of data.138 _{Consultation with a national supervisory authority} is also required prior to the assessment. Another duty which is significant in relation to the intermediaries’ regime is that the data processors are also required to notify the data

129 _{For general discussion See Serge Gutwirth, Ronald Leenes and Paul De Hart (eds) Reloading Data}

Protection Multidisciplinary Insights and Contemporary Challenges (Springer 2014), Part 4; Paul Bernal Internet Privacy Rights (Cambridge University Press 2014).

130 _{Richard J. Peltz-Steele ‘The Pond Betwixt: Differences in the US –EU Data Protection/ Safe Harbor} Negotiation’ (2015) Journal of Internet Law 19(1), 20.

131 _{Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the} processing of personal data and on the free movement of such data [1995] OJ L 281/31.

132 _{The data processors are imposed more strict duties under the GDPR.}

133 _{Lilian Mitrou, ‘The General Data Protection Regulation: A Law for the Digital Age?’ in Tatiana- Eleni} Synodinou, Philippe Jougleux, Christiana Markau and Thalia Prastitou, EU Internet Law (Springer 2017), 19-57.

134 _{Mostly intermediaries.}

135 _{Those principles are mainly stated in Articles 5 and 6 and can be outlined as; the data must be processed} lawfully, must be adequate and collected for specified, legitimate purposes etc.

136 _{the GDPR, art 7.} 137 _{Ibid, art 4.} 138 _{Ibid, arts 35-36.}

subject about a data breach once they become aware of it. Finally, the Regulation sets out the rights of the data subjects139 _{such as transparency and right to access. More} importantly, the right to erasure, the so-called RTBF140 is exclusively provided in the GDPR.141 This right enables data subjects to control their data online142 while imposing duties on the data processors. Before examining this right, what can be deduced from the described scope of the GDPR is that intermediaries will have more duties imposed on them when they act as data controllers or processors than in relation to copyright or trade mark related matters.

The CJEU’s decision in Google Spain v Mario Costeja González143(Google Spain) is an

appropriate candidate to demonstrate this along with Google France v Louis Vuitton

(Google France)144. These two cases concerned the same intermediary: Google, as a search engine. However, different rights were at issue. As Google France145 will be examined in detail later, it will be sufficient to state the case briefly here. The Google’s liability under the ECD was one of the questions before the Court as it was claimed that Google should be liable for the sale of keywords under its AdWords service which enables advertisers to purchase keywords corresponding to the trade marks of another. It should be noted here that search engines were not expressly mentioned in the ECD.146 The CJEU held as follows ‘…an internet referencing service provider in the case where

that service provider has not played an active role of such a kind as to give it knowledge of, or control over, the data stored. If it has not played such a role, that service provider

139 _{Chapter 3 of the GDPR. For a detailed analysis See Andres Guadamuz, ‘Developing a Right to be} Forgotten’ in Tatiana- Eleni Synodinou, Philippe Jougleux, Christiana Markau and Thalia Prastitou, EU

Internet Law (Springer 2017) 59-76.

140 _{the GDPR, art 17.}

141 _{In contrast, US law does not have explicitly provided RTBF. See Muge Fazlioglu, ‘Forget me not: the} clash of the right to be forgotten and freedom of expression on the Internet’ (2013) International Data Privacy Law 3 (1) 149-157; Paul Bernal, ‘The EU, the US and Right to be Forgotten’ in Serge Gutwirth, Ronald Leenes and Paul De Hart (eds) Reloading Data Protection Multidisciplinary Insights and

Contemporary Challenges (Springer 2014), 61-77.

142 _{Fazlioglu, ‘Forget me not: the clash of the right to be forgotten and freedom of expression on the Internet’} (2013), 149.

143 _{Case C-131/12 Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD)}

and Mario Costeja González (13 May 2014).

144 _{Joined Cases C-236/08 to C-238/08 Google France SARL and Google Inc. v Louis Vuitton Mallettier}

SA (C-236/08) and Google France SARL v Viaticum SA and Lutecial SARL (C-237/08) and Google France SARL v Centre national de recherche en relations humanies (CNRRH) SARL and Others (C-238/08) [2010]

ECR I-02417. (Google France). 145 _Ibid.

146 _{For a discussion on search engine’s immunity question, See Edwards, ‘Role and Responsibility of} Internet Intermediaries in the Field of Copyright and Related Rights’ (2011); Francesco Rizzuto, ‘The liability of online intermediary service providers for infringements of intellectual property rights’ (2012) Computer and Telecommunications Law Review 18(1) 4-15, 6-8.

cannot be held liable for the data which it has stored at the request of an advertiser’

unless it either obtains an actual knowledge regarding the infringement or acts expeditiously to remove the illegal material upon obtaining such knowledge.147 Although the assessment was left to national courts to undertake, the CJEU’s guidance stipulates that the search engine provider may benefit from immunity if it does not get actively involved in the service it offers. In Google Spain, however, Google’s operation as search engine was examined under the DPD which is to be examined below in detail.