Turkish Law Blog

Responsibility of Search Engines

Deniz Saltık Deniz Saltık/ Rheinische Friedrich-Wilhelms-Universität Bonn
03 September, 2019


Search engines have a central meaning for the meaningful use of the Internet. You override the Gatekeeper feature to access information available on the Internet. Only when something is executed on a search engine does it really exist for the normal user. The importance of these services for the fulfillment of individual and social information law cannot be ignored and should be universally accepted. This central role has called on the government to play an important role in regulating the functioning of search engines, in particular in providing impartial access to information or publishing the activities of search engines.

For the data protection analysis of data processing by search engine providers, the process of data creation is subdivided into different process stages for processing the data. First, the crawler[1] of the search engine must collect information that is freely available on the Internet. This information is stored and evaluated for suitability to provide pre-classified information about a user's search query. In this context, it should be noted that content providers may use the design of a website called Search Engine Optimization, which may affect the collection of information they publish. At the second level, search engine operators will become service users depending on the personal data business model. A data protection law rating can and should be made on this topic[2].


In Germany, about 90 percent of the Internet search services use the offer of the US company Google. Google's privacy policy is particularly criticized by the right to privacy. This is due in particular to the lack of transparency of data processing and the excessive storage of personal data usage. The deadline of 18 or 24 months should not be an actual restriction on Google's data storage. If you use your computer again with a Google service before it expires, start the deadline again. Contrary to the assessment of data protection authorities in Europe, Google believes that IP addresses are not personal data[3].

In addition to the search engine feature, Google also offers a user ID and other services that require a previously assigned password. This allows the company to uniquely identify the user through the email program, for example. Thus, a name assignment can be made from the calls. The company can create and use more detailed profiles for each person. If someone uses other services provided by Google, such as Gmail, by default the user is automatically logged in when they visit the homepage. This Sign-In-Service feature clearly identifies the user and makes it even easier for Google to assign search queries to a specific person[4].

To sign up for Gmail, you must provide information about your name, place of residence, age, and more. This is data that can be combined with existing electronic data from IP addresses and cookies. The content of received and written emails is automatically analyzed by Google and supported by ads. The use of Google Maps is possible with the movement profiles of the users. Google Web History stores all browsing history and can be viewed later, including web pages, pictures, videos, and messages[5]. Data stored by Google is analyzed, evaluated and then used for advertising purposes by data mining tools[6]. Advertising in web offers is the company's main source of income. For this reason, information about the users is the most important asset of the company and at the same time forms the basis for further developments and projects. Google's computer network is probably the largest and most powerful in the world with a single power of disposal.

When in doubt, the providers of these services choose their own economic interests in order to benefit from their economic interests and to use their own services in order to obtain full access to information.

Most likely, the data will not only be used by Google. There is a big risk that data stored by Google will have to be released under pressure from government agencies. Based on past research, it is not possible to know how many requests have been made to Google by police and security agencies around the world and how many requests have been answered by Google[7].

Processing of Personal Data by Search Engine Providers

The data protection law evaluation of data processing by the provider of a search engine is subject to data protection law, such as the General Data Protection Regulation, the E-Privacy Directive and the Commission's draft of the E-Privacy Regulation. Meanwhile, it should be known that the business purpose of the operator of a search engine involves the processing of personal data[8].

Many major search engine providers are developed in the US. Basic data processing operations cannot be located at least outside the European Union or the European Economic Area. In some cases, companies try to avoid German or generally European control on the grounds that the European Data Protection Act does not apply to them. However, it is true that the place of data processing is crucial to the applicability of the privacy law in internet search engines. This is, in addition, the location of the customer of the search engines. German or European data protection laws can also be applied to major US search engines. If a German Internet user uses one of the major American search engines, he is not dependent on US legal protection. Rather, German law can be applied before German courts.

In the case of Google Spain[9] in the European Court of Justice, the Court has considered the identification, indexing, presentation, and publication of personal data as the processing of personal data in the sense of the Data Protection Act. This also applies if the operator does not make any significant changes to the information available. Even under the processing concept of Art. 4 No. 2 GDPR, the essential elements of the processing do not require a significant change in the personal data[10].

According to Art. 4 No. 2 GDPR, the search and indexing of personal data is understood as the processing of collecting and storing personal data. Typically, search engine operators are not interested in certain personal information when indexing Internet content[11]. On the contrary, it is even important that this information is collected and shared with users. However, this requires the technical knowledge of the content of the information contained. Otherwise, a search query could not be answered[12].

Another form of personal data processing is to respond to the user's search request as long as the search results relate to personal data. In this context, the European Court of Justice found that the operation of the search engines is a reorganization of the information, with the exception of the general distribution of personal data. These personal data can be used by the persons concerned to create comprehensive personality profiles. The suitability of the search results for data protection explains not only the previously unknown information but also the data from different sources by being linked to a general image. Depending on the technical design of the search service, search engine providers store the information in the cache to improve the response rate. This refers to short-term memory, for example, to answer frequently asked questions in advance with recorded results. In some cases, the contents of the sources are also saved. In addition, the operator processes so-called snippets, which consist of information clippings from the referenced sources, as well as other information, in order to give an overview of the contents on the results page. These website contents and caching operators are responsible for the privacy and must meet the appropriate requirements.


The controversial view until the decision of the European Court of Justice is that search engine providers may be responsible for data processing in accordance with data protection laws. However, a search engine operator is responsible for privacy, both in terms of indexed data and the extent of retransmission. In fact, the provider controls the extent of data processing in relation to the selection of sources, the way in which they are answered, the number of results and the extent of processing of the resulting personal data. This also applies if the technical creation of the result is done only with a search query. Depending on the specific kind of information the inquiry is answered by the responsibility of the provider[13]. A search engine operator continues to assume responsibility by expressly referring to a well-defined violation of the right to privacy. Before displaying a search result, the content found by the search algorithm does not need to check for violations of personal rights[14].

Many obligations of the DS-GVO are punishable by a fine. At the same time, this is one of the most striking changes brought about by the new law. This change is likely to increase the importance of corporate privacy in the future. The legislature, which deliberately provides for dissuasive fines, also emphasizes the importance of the Data Protection Act and raises the awareness of those responsible[15]. It should also be noted in this regard that Article 82 of the GDPR provides for a right to compensation to the controller or the processor. This includes immaterial damages. Under Article 82 DPA, any person who has suffered material or immaterial damage as a result of a breach of this Regulation is entitled to claim damages against the controller or the processor. "Any person involved in processing shall be liable for the damage caused by processing not in accordance with this Regulation. A processor shall be liable for the damage caused by processing only if he has failed to comply with his obligations under this Regulation imposed specifically on the processor or if he has acted in breach of the lawful instructions given by the controller or against such instructions.

[1] Patil, Yugandhara/Patil, Sonal, International Journal of Advanced Research in Computer and Communication Engineering Vol. 5 2016, 220; Elixmann, Robert, Datenschutz und Suchmaschinen Neue Impulse für einen Datenschutz im Internet , Beitrage zum Informationsrecht Band 29, Duncker-Humblot Berlin, 2012   p. 41.

[2] Jandt/Steidle, Datenschutz im Internet, Rechtshandbuch zu DSGVO und BDSG, Baden-Baden ( Nomos), 2018 Paragraph 99.

[3] Weichert , Thilo, Datenschutz bei Suchmaschinen, Handbuch Internetsuchmaschinen ( Hrsg. D. Lewandowski), AKA Verlag Heidelberg  2009, p. 287.

[4] Weichert, Handbuch, p. 287.

[5] Tene, Omer, What Google Knows: Privacy and Internet Search Engine, Utah Law Review 2007, p. 2.

[6] Weichert, Handbuch, p. 288.

[7] Weichert, Handbuch, p. 289.

[8] Jandt/Steidle, Datenschutz, Paragraph. 100.

[9] Keller, Daphne, The Right Tools: Europe’s Intermediary Liability Laws and EU 2016 General Data Protection Regulation, Berkeley Technology Law Journal Vol.33:28, p. 312.

[10] Eifert, M., Datenschutzrechtliche Pflichten eines Suchmaschinenbetreibers (Google Urteil), JURA- Juristische Ausbildung, Band 36, Heft 9, Seite 1.

[11] Epiney, Astrid, Das Google Urteil des EuGH und seine Bedeutung für die Schweiz, FS Peter Hänni, Bern, 2015, p. 470.

[12] Jandt/Steidle, Datenschutz, Paragraph. 102.

[13] Jandt/Steidle, Datenschutz, Paragraph 105.

[14] Specht, Louisa, Die Entwicklung des IT-Rechts im Jahr 2018, https://beck-online.beck.de/Dokument?vpath=bibdata%2Fzeits%2Fnjw%2F2018%2Fcont%2Fnjw.2018.3686.1.htm&pos=9&hlwords=on, 08.04.2019.

[15] Egberts/Monschke, Einführung in das neue Datenschutzrecht unter der EU Datenschutzgrundverordnung JURA 2018(11),  p. 1107.

Leave a comment

Please login or register to comment