On 21 August 2014, the District Court of Berlin ruled (27 O 293/14, German) that the subsidiary of Google in Germany, Google Germany GmbH, is not responsible for the fulfillment of requests of natural persons under the so called ‘right to be forgotten’, created by the European Court of Justice (ECJ) in its much-noticed judgment in May 2014 (C-131/12). The Berlin court held that only the American company, Google Inc., can be regarded as the ‘data controller’ in the sense of European data protection law because only Google Inc. is the operator of the search engine. As a consequence, legal actions must be brought against Google Inc., not the subsidiary in Hamburg. Natural persons who want a link to third party websites to be removed from the search result list following a search made on the basis of a person’s name would therefore have to sue Google Inc. and not the European subsidiary.
The Berlin court explicitly refers to the judgment of the ECJ where the highest court of the European Union based its decision on the fact that “Google Search is operated by Google Inc., which is the parent company of the Google Group and has its seat in the United States”. Furthermore the German court held that it did not find any evidence that the German subsidiary could be considered as a ‘data controller’ in the sense of Art. 2 lit. d) of the European Data Protection Directive (95/46/EC), because it does not alone or jointly with others determine the purposes and means of the processing of the respective personal data.
The District Court clearly distinguishes between the question of applicable data protection law on the one side and of the legal responsibility under European data protection law on the other side.
With regard to the applicability of Directive 95/46/EC, the Berlin court clarifies that the ECJ did not rule that the national subsidiary itself would process the personal data or determine the means and purposes, but that the processing operations are conducted by Google Inc. and carried out ‘in the context of the activities’ of the national establishment. Only with regard to this question (applicable data protection law) did the ECJ rule that the activities of Google Inc. and the national subsidiary were “inextricably linked”.
Examining the question of legal responsibility, the District Court refers to margin number 33 of the ECJ-judgment: “It is the search engine operator which determines the purposes and means of that activity and thus of the processing of personal data that it itself carries out within the framework of that activity and which must, consequently, be regarded as the ‘controller’ in respect of that processing pursuant to Article 2(d)”.
Although the statements of the ECJ might seem straight forward and clear, the final answer to the question of responsibility under European data protection law for ‘right to be forgotten’-requests seems to disputed. The European data protection authorities, assembled in the Article 29 Working Party (Art. 29 WP), recently released their own interpretation (WP 225, PDF) of the judgment by the ECJ. In its opinion, the Art. 29 WP acknowledges that “Directive 95/46/EC does not contain any specific provision with regard to the responsibility of establishments of the controller located in the territory of Member States”. Nevertheless, the members of the working party demand that “the effective application of the ruling and of data protection law requires that data subjects may exercise their rights with the national subsidiaries of search engines in their respective Member States of residence”.
Although this interpretation might seem favorable for data subjects, trying to enforce their right to be forgotten, the wording of the ECJ-ruling as well as the current provisions of Directive 95/46/EC leave hardly any room for interpretation. It still remains to be seen how other national courts will interpret the ECJ-ruling and answer the question of responsibility under data protection law and which entity must be considered the right defendant of a legal action.