Faculty of Law, University of Cambridge
Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP
Inasmuch as the activity of a search engine is … liable to affect significantly and additionally compared with that of the [original] publishers … the fundamental rights to privacy and to the protection of personal data, the operator of the search engine as the person determining the purposes and means of that activity must ensure, within the framework of its responsibilities, powers and capabilities, that the activity meets the requirements of [data protection].
As my own work has explored, it is concerning that these tests don’t seem to be present in the actual legislative framework which the Court said it was applying. European data protection has generally adopted a “processing” model which holds an operator responsible in any case where they are determining purposes and means, irrespective of whether the activity is significantly or additionally impactful. Moreover, the idea of removing duties on the basis of a lack of capability (or even power) in the relevant systems would appear in tension with the general expectation (now explicitly stated in laws such as the GDPR) that controllers should proactively ensure data protection by design. Nevertheless, the tests themselves may be considered quite reasonable and, aside from where services are clearly operating on behalf of another named or traceable entity which can realistically be held legally accountable, should be broadly applied. Nevertheless, not only is there a need to place this all on a statutory footing, but these abstractions clearly also require considerable further contextual specification. Thus, whilst Google and general search engines have accepted that nominative searches significantly and additionally affect data subject rights, what about searches based on an image, telephone number or job title and workplace? Should the functionality of social networking sites be considered intrinsically significantly and additionally impactful or, if not, how should in-scope processing be demarcated there? Finally, what can be done to ensure that action is respectful of users’ enjoyment of freedom of expression, without fundamentally undermining these personal information safeguards? Related questions are being addressed in a wider range of legal contexts as the European Commission’s draft Digital Services Act and the UK Government’s Online Safety Bill highlight. The development of data protection should, therefore, take full account of these related developments. Only by legislators themselves addressing these issues in earnest can we hope that the landscape in this area might be effectively charted to the potential benefit of legitimate services, users and data subjects alike.