The Belgian Data Protection Controller (DPA)’s decision of March 2022 (thank you Peter Craddock for alerting me to it at the time) has been travelling with me since it was issued mid March 2022: a late posting, I realise. There is however follow-up because Google have appealed.
The case concerns a classic ‘right to be forgotten’ aka delisting request, which Google refused, made by a practising solicitor with a criminal conviction and disciplinary measures taken against him. Google was rebuked, but not fined, for not dealing with the request promptly. However in substance the DPA agreed with Google’s refusal to delist, citing the link of the convictions to the applicant’s current profession, the recent nature of the conviction, and the severity of the facts.
This post however wants to signal the issue for which Google have appealed: the territorial reach of the GDPR under Article 3(1) v 3(2) GDPR, as also explained in the European Data Protection Board (EDPA) December 2019 guidelines on the territorial scope of the GDPR (and something which the Belgian Court of Appeal has grappled with before, albeit not in the 3(1) v 3(2) setting).
Article 3(1) of the GDPR applies to “the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether processing takes place in the Union or not“. Article 3(2) applies the GDPR to “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union“.
Google Ireland was fast out off the picture by consent among the parties and the DPA [39-40]: it had no role at all in any of the processing. Google LL.C. admitted [44] that Article 3(1) applies to it, while Google Belgium [53] posits that as a mere internal consultancy /lobbying outfit for the Google group, it, too, has no role in the processing of the data.
Citing earlier decisions and CJEU Google Spain, the DPA nevertheless takes a broad view of ‘data processing’, arguing [64] that Google Spain identifies an ‘inextricable link’ between the various units of a group as sufficient to trigger DPA jurisdiction, even if one of these units has no role in the data processing. While this reasoning ([68] and [71] in particular) suggests the wide notion of inextricable link triggers Article 3(1), in subsequent paras ([69] in particular) suggest the opposite causality: suggesting that because Article 3(1) applies, the activities are inextricably linked. Clearly, as Peter Craddock had pointed out before (I read it at the time but cannot find the source anymore I fear) that is a case of circular reasoning.
For Google, application of the GDPR to the US based entity as opposed to the EU based ones clearly is of significant difference. Its appeal with the Court of Appeal will be heard in the autumn.
Geert.
EU private international law, 3rd. ed. 2021, 2.256 ff.
gavc law - geert van calster 