Case Summary and Outcome

On February 8, 2022, the Italian Supreme Court reversed the ruling of the Court of First Instance of Milan, which had upheld the legality of a measure issued by the Italian Data Protection Authority against Yahoo! search engine. On the basis of Mr. D.B.C.’s right to be forgotten, the measure had ordered Yahoo! to de-reference and delete the cache copies of internet content related to him. The Supreme Court considered, instead, that the removal of the cache copies would be disproportionate and that de-referencing alone was sufficient.

---

Facts

Under Article 152 of Legislative Decree no. 196 of 2003, Yahoo!Emea Limited and Yahoo!Italia s.r.l. (hereinafter “Yahoo”) brought an action before the Court of First Instance of Milan against the measure issued by the Italian Data Protection Authority on February 25, 2016.

On April 22, 2015, the plaintiff, Mr. D.B.C. requested that Yahoo remove certain content (specifically identified via URLs) from its search results on the basis of his right to be forgotten. This content referred to a judicial proceeding in which he was involved but that, in his submission, was no longer of interest to the general public.

Yahoo replied that it could not proceed with the requested deletion as the search engine was not the data controller.

D.B.C. brought an action to the Italian Data Protection Authority which accepted his request, ordering Yahoo to delete the content in violation of his right to be forgotten.

On January 15, 2016, the Court of First Instance of Milan rejected Yahoo’s appeal against the order. The Court considered it lawful for the Authority to issue an order against an Irish company. It based this finding on the following authorities:

• Regulation 1215/2012/EU, according to which a subject may be sued either in the courts of the place where the harmful event occurred or where the facts that gave origin to the harmful event took place.
• Article 13 of the European Convention on Human Rights and Article 47 of the Charter of Fundamental Rights of the European Union, which provide a right to an effective remedy.
• Article 4 (1) (a) of Directive 95/46/EC, pursuant to which “Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where: (a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, it must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable”.
• Article 2 (b) of the same Directive, with regards to which the Court observed that the act of loading personal data onto an internet page must be considered as “processing” within the meaning of the provision.

The Judge pointed out that, according to the caselaw of the Court of Justice of the European Union (CJEU), the data subject’s fundamental right to be forgotten shall prevail both over the economic interest of the search engine, and over the interest of the general public in finding information on the data subject upon searching for his name online. In the Court’s opinion, Yahoo had merely contested whether Mr. D.B.C.’s right prevailed, without providing clear information concerning the general public’s interest in being able to access information on the criminal proceedings involving Mr. D.B.C. Finally, the Court observed that the measure issued by the Italian Data Protection Authority was aligned with principles inspiring the General Data Protection Regulation (Regulation EU 2016/679).

Yahoo appealed the decision of the Court of First Instance, submitting that:

1. Regulation 1215/2012/EU could not be applied to the measure of the Italian Data Protection Authority as the Regulation did not apply to administrative proceedings and the Authority was an independent administrative body.
2. Article 13 of the European Convention on Human Rights and Article 47 of the Charter of Fundamental Rights of the European Union did not establish jurisdiction amongst the Member States of the EU but rather only provided general principles to which national laws are required to conform.
3. The Court had wrongly applied Article 4 (1) (a) and Article 28 (1) and (6) of Directive 95/46/EC. The jurisdiction of data protection authorities was, in Yahoo’s interpretation, limited to the territory of its Member State and, even though different authorities may cooperate, there is no functional overlap between their scope of action.
4. Yahoo had not carried out any processing of personal data. According to Article 154 of Legislative Decree no. 196 of 2003, the jurisdiction of the Data Protection Authority extends only to matters strictly concerning the processing of personal data. By contrast, Yahoo merely allowed users to locate information on the data subject, without exercising any control over the personal data appearing on the webpage.
5. The Court of First Instance, by upholding the Data Protection Authority’s order to delete the cache copies of the webpages containing the name of the data subject (instead of simply requesting its de-referencing), had given disproportionate value to his right to be forgotten when balancing it against the right of the general public to access the information.

---

Decision Overview

The Supreme Court considered the first two objections to be unfounded. It observed that the dispute was not a matter of jurisdiction, but rather that it concerned the power of the Italian Data Protection Authority (an administrative body) to issue a measure addressed to a foreign (in this case, Irish-registered) company. It held that the EU legislation on jurisdiction and on a right to effective remedy was irrelevant.

On the third submission, the Court assessed the powers of the Italian Data Protection Authority to issue a measure addressed to a foreign company (Yahoo! EMEA). Specifically, it examined whether Article 4(1)(a) of Directive 95/46 should be interpreted as permitting the application of Italian data protection law rather than that of Ireland, the Member State in which the controller is registered. The Judges relied on the following principles and rules of the Court of Justice of the European Union:

• On the definition of “processing”, the CJEU has clarified that the operation “consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as ‘processing of personal data’ within the meaning of Article 2(b) and, (…) the operator of the search engine must be regarded as the ‘controller’ in respect of that processing, within the meaning of Article 2(d)” (C-131/12 Google Spain 26, 41; see also C-101/01, Lindqvist, 25 and C-131/12). Therefore – and in response also to the fourth submission – Yahoo shall be considered to be carrying out the processing of Mr. D.B.R.’s personal data and shall be regarded as the data controller.
• On the question of material and territorial scope, the Court held that, for Article 4(1)(a) of Directive 95/46 to be applicable, it is not necessary that the processing is carried out by the establishment itself “but only that it be carried out ‘in the context of the activities’ of the establishment”. To clearly define the material and territorial scope of the provision, it is then necessary to clarify the meaning of the expression “in the context of the activities of the establishment”. The CJEU does so by ruling that: “the processing of personal data for the purposes of the service of a search engine (…) which is operated by an undertaking that has its seat in a third State but has an establishment in a Member State, is carried out ‘in the context of the activities’ of that establishment if the latter is intended to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable. In such circumstances, the activities of the operator of the search engine and those of its establishment situated in the Member State concerned are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed.” (Google Spain 55-56). In light of the above, when the operator of a search engine (in this case, Yahoo! EMEA) establishes in a Member State a subsidiary  (in this case, Yahoo! Italia) which shall promote and sell advertising space offered by the search engine, the processing of personal data may be considered as being carried out in the context of the activities of an establishment of the controller under Article 4(1) of Directive 95/46 (see Google Spain 60).
• On the applicability of the law of a Member State other than the one where the controller is registered, the Court recalled the CJEU’s ruling that Article 4(1)(a) shall be read “as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which that processing is carried out” (C-230/14, Weltimmo 41).

Reading these three principles together, the Supreme Court upheld the Court of First Instance’s finding that the matter fell precisely within the scope of the CJEU’s rulings Google Spain and Weltimmo.

As a matter of fact, the Court found that Yahoo! Italia had provided support services to Yahoo! EMEA and the latter used its Italian establishment to promote and sell advertising space offered by that engine. Accordingly, the Judges ruled that the processing of personal data under analysis is subject to Italian provisions because it was carried out in the context of an establishment of the data controller located in the Italian territory.

The Court rejected Yahoo’s fourth objection, in light of the first principle explained above, according to which the operation of loading personal data on an internet page constitutes processing of personal data.

The fifth objection of Yahoo, the disproportionality of the Data Protection Authority’s order to delete the cache copies in addition to de-referencing, was accepted by the Judges.

Recalling the caselaw of the Supreme Court’s United Sections, the Court asserted the place of de-referencing of internet results as part of the right to have personal data deleted. The latter was considered one of three manifestations of the right to be forgotten, the other two manifestations being (1) the right not to see a piece of news republished after a significant period of time when it has been lawfully disclosed in the past and (2) the right to have lawfully published information contextualized.

The Court observed that, in the internet era, it is natural that information can be easily found after a significant period of time and that the remedy of de-referencing has gained increased relevance in that allows the name of the person involved in a certain event to be detached from the memory that the internet keeps of it. De-referencing protects the interest of the data subject not to be found easily on the internet while protecting the general public’s right to information on the specific event involving that subject (when his or her involvement is no longer specifically relevant).

The Judges, again, referred to the decision of the CJEU in Google Spain. There, the Luxembourg Court, with regards to de-referencing, stated:

• “[I]nasmuch as the removal of links from the list of results could, depending on the information at issue, have effects upon the legitimate interest of internet users potentially interested in having access to that information (…) a fair balance should be sought in particular between that interest and the data subject’s fundamental rights under Articles 7 and 8 of the Charter. Whilst it is true that the data subject’s rights protected by those articles also override, as a general rule, that interest of internet users, that balance may however depend, in specific cases, on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life” [para. 81].

• “[S]ince the inclusion in the list of results, displayed following a search made on the basis of a person’s name, of a web page and of the information contained on it relating to that person makes access to that information appreciably easier for any internet user making a search in respect of the person concerned and may play a decisive role in the dissemination of that information, it is liable to constitute a more significant interference with the data subject’s fundamental right to privacy than the publication on the web page” [para. 87].

In light of the CJEU’s caselaw, the Supreme Court affirmed that de-referencing a result strikes a fair balance between rights in that “it excludes the two alternative and extreme solutions that may come into play, namely, the choice to leave everything as it stands, and the choice to completely delete the information from the web, by removing it from the website in which it was located”. De-referencing does not fully delete information from the internet. It can still be found by directly accessing the website where it is “contained” or by inserting keywords that differ from the name of the data subject. In the CJEU’s words, “the data subject has a right that the information in question relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name” (Google Spain, 99). Conversely, deleting the cache copies would prevent internet users from accessing the information altogether and not only from accessing the information by typing the name of the data subject. Thus, they might be prevented from accessing information which remains relevant, even when the involvement of the data subject no longer is. The Court expressly stated that “the deletion of cache copies relating to information accessible through the search engine, insofar as it affects the ability of the search engine to provide an answer to the query posed by the user by means of one or more keywords, does not directly follow from the existence of the conditions necessary for the de-referencing; instead, to proceed with the deletion, it is necessary to strike a fair balance between the right to be forgotten of the data subject with the right having as its object the disclosure of information, concerning the fact in its entirety, through key words also different from the name of the data subject”.

The Supreme Court, accepting the fifth complaint, ruled that the decision of the Court of First Instance of Milan should not be upheld.

---