Session 1: The Pathway to Google Spain
Both the breadth and depth of the Google judgment came as a surprise to many within the internet community. And yet, far from emerging in a vacuum, it built upon both general concepts in European data protection and particular concerns around free-text retrieval systems of public domain data which date back to the early 1980s. Moreover, since the early 2000s, the Court of Justice of the European Union has been building up a corpus of EU data protection jurisprudence increasingly based on the idea of data protection as a fundamental right overlapping with, but also distinct from, a traditional right to privacy. This reality was also strongly apparent in the Court’s recent case striking down the Data Retention Directive. The first panel explored this broader background and context.
Session 2: The Changing Landscape for Search Engines After Google Spain
The Google judgment directly concerned the responsibilities of search engines vis-à-vis processing of public content, most notably through the actualization of a right to erase personal results in certain circumstances (the “right to be forgotten”). This panel explored the developments to date, and potential future trajectories, of these now confirmed data protection rights and obligations.
Session 3: The General Shape of EU Internet Regulation After Google Spain
Whilst the Google judgment directly considered data protection vis-à-vis search engines, it is clear that its broad understanding of personal data, data controllers and data protection as a fundamental right has significant implications for the general ecosystem of the internet, especially as regards data aggregators, online forums, rating websites and social networking sites. This session explored the various aspects of this broader substantive context.
Session 4: Jurisdiction, Applicable Law and Beyond After Google Spain
The Google judgment found that the Google search engine was subject to Spanish data protection law since its processing was "inextricably linked" and therefore took place "in the context of" its Spanish advertising subsidiary. Given that the Directive states that "where the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with obligations laid down by the national law applicable" (Art. 4 (1) (b)), this finding is arguably difficult to square with the insistence of many European Data Protection Authorities that companies such as Facebook need generally only comply with one national data protection law within the EU and not with the data protection laws of other EU Member States. At the same time, even though the Court refused to discuss whether using a national domain name and/or using robots to access European websites would trigger EU law on the basis of a "use of equipment", the judgment also opens up the possibility of many activities taking place entirely outside the EU being subject to EU data protection requirements. These complex but important issues were explored here. This final panel touched on the likely future shape of the law under the proposed General Data Protection Regulation, especially but not only vis-à-vis applicable law and jurisdiction.