“Proactive harmonization of international data protection laws is key to effectively implementing the “right to be forgotten” across the globe.”
On September 24, the Court of Justice of the European Union (CJEU) delivered its decision in case C-507/17, Google v. CNIL regarding the territorial scope of the “right to be forgotten”.
Google Inc. had filed an appeal with the French Council of State (FCS), the Highest Administrative Court in France, requesting the annulment of a decision by the French Data Protection Authority (CNIL), which imposed a penalty of EUR 100,000 (approximately USD 110,300) on Google.
The case arises from a request to Google by a natural person for deletion of certain links from the list of results displayed following a search of his name (“request for de-referencing”). In response, Google refused to remove certain content from all versions of the domain name of its search engine (i.e., worldwide), leading to the penalty imposed by the CNIL.
The FCS then made a request for preliminary reference to the CJEU for guidance on the interpretation of the “right of de-referencing”, popularly known as the “right to be forgotten”.
The FCS asked the CJEU whether the “right to de-referencing”—as established by the CJEU before, in case C-131/12 Google Spain and Google—should be interpreted to mean that a search engine operator, like Google:
- is required to perform the “de-referencing” procedure on all domains of its search engine, so that the disputed links no longer appear, even outside the EU;
- is required to delete the contested results either: a) only on the domains corresponding to the State in which the request is made, or b) on domains corresponding to national extensions of the search engine for all Member States;
- is required to remove the contested results using the so-called “geo-blocking” technique, regardless of the domain used by the user performing the search.
The CJEU Answers
While replying to these questions, the CJEU considered Directive 95/46 and Regulation 2016/679 on the processing and free movement of personal data, or the General Data Protection Regulation (GDPR), which entered into force on May 25, 2018 and repealed Directive 95/46.
The CJEU provided that, when a search engine operator receives a “de-referencing request” filed by a user and grants that request, the “de-referencing” procedure need not be carried out by the operator on all versions of its search engine worldwide, but rather only on those versions corresponding to the European Member States.
Despite the question raised by the FCS, the CJEU did not explicitly say whether the operator of a search engine is required to use the “geo-blocking” technique. Instead, it indicated that the operator must adopt “measures which, while meeting the legal requirements, effectively prevent or, at the very least, seriously discourage an Internet user conducting a search from one of the Member States on the basis of a data subject’s name from gaining access, via the list of results displayed following that search, to the links which are the subject of that request”.
Implementation of the Decision
The CJEU provided clear answers to questions 1 and 2. When a de-referencing request is granted, the contested links must not be accessible on the versions of the domains for the EU Member States and, therefore, the search engine must erase these links.
However, the boundaries of the Internet are not as sharp as geographical boundaries. If, following a de-referencing request, a link is no longer available on the search results of the versions of the search engine corresponding to the Member States, it may (legitimately) remain available on other versions, which do not correspond to the Member States.
For example, a user located in Italy may gain access to Google Japan where, searching an individual’s name, the user can gain access to links that were de-referenced from (only) the Member State Google pages. Indeed, such access would be just a click away.
The FCS explicitly asked the Court whether the operator of a search engine is required to remove the contested links using the “geo-blocking” technique, which identifies user locations on the basis on their IP addresses. Unfortunately, the CJEU did not give a clear reply to this question, concluding that “it is for the referring court to ascertain whether, also having regards to the recent changes made to its search engine as set out in paragraph 42 above, the measures adopted or proposed by Google meet those requirements”.
Accordingly, the CJEU specified that, where necessary, the search engine operator must adopt measures preventing or discouraging Internet users from having access to links relating to the contested content. However, the scope of these “measures” is undefined. In principle, the adjectives “effectively” and “seriously” convey that such measures need to be appropriately selected to achieve the purpose of avoiding access to content identified in the de-referencing request through shortcuts, thus bypassing the de-referencing procedure itself.
While the CJEU’s answer confers discretion on search engine operators and the national courts, it also creates an aura of uncertainty, as it will be necessary to assess, on a case-by-case basis, whether the measures that have been adopted are truly capable of achieving the objectives.
- Will this decision have effects outside the area of search engine operators, such as on other entities that process personal data online?
Although the facts of the case are very specific, the ratio of the decision is to require compliance moving forward with the GDPR in guaranteeing a high level of protection of personal data throughout the EU.
In the present case, the GDPR was found to apply to Google since:
- Google’s establishment in France carries on, inter alia, commercial and advertising activities, which are inextricably linked to the processing of personal data carried out for the purposes of operating the search engine concerned; and
- Google France must, in view of the existence of gateways between Google’s various national versions of the search engine, be regarded as carrying out a single act of personal data processing.
Thus, if an entity—not a search engine operator—processing personal data has an online presence that is similarly divided into domains with geographic extensions tailored to the needs, e.g. linguistic needs, of the States where the entity carries out its activities, there is no reason it should not be affected by this decision.
- Absence of boundaries on the Internet versus boundaries set by the CJEU: is user privacy truly protected?
The CJEU identified two obstacles to extending the effects of data protection afforded by the GDPR outside the EU:
- third party States that do not recognize the right to de-referencing or have a different approach to protecting that right; and
- there is no evidence from the wording of the GDPR that the EU legislator intended to impose de-referencing obligations on an operator world-wide, further asserting that the GDPR should not apply outside the EU.
However, it is legitimate to wonder whether, in a globalized world, these obstacles justify an only partial enforcement of the right to be forgotten. Ultimately, the question is whether partial protection of personal data is capable of preserving an individual’s right to privacy, regardless of status as an EU national.
- Balancing of rights/public interest
The CJEU noted that, while EU law does not require de-referencing on all versions of the search engine, it also does not prohibit it: “Accordingly, a supervisory authority or judicial authority of a Member State remains competent to weigh up, in light of national standards of protection of fundamental rights, a data subject’s right to privacy and protection of personal data concerning him or her, on the one hand, and the right to freedom of information, on the other, and, after weighting those rights against one another, to order, where appropriate, the operator of that search engine to carry out a de-referencing on all versions of that search engine.”
Accordingly, the CJEU admits that the objective of the GDPR is to guarantee a high level of protection of personal data throughout the EU, and that the Internet is a global network without borders. Therefore, this justifies “the existence of a competence on the part of the EU legislature to lay down the obligation, for a search engine operator, to carry out, when granting a request for de-referencing made by such person, a de-referencing on all the versions of its search engine”.
At the same time, the CJEU asserts that such right to privacy is not absolute, and must be balanced against competing rights, like the freedom of information of Internet users. The public’s interest may vary, indeed, according to whether the individual is a public figure. Here, the search engine operator is tasked with undertaking this balancing exercise.
However, when balancing the competing rights, Member States may adopt a different approach. This is the why the CJEU required that the various national supervisory authorities cooperate to reach a common decision and provide clear guidelines, which the search engine operators must comply with. Until this happens, there will be some uncertainty and unpredictability on how search engine operators should behave.
Comparison with the U.S. Regime
The EU concept of the “right to be forgotten” conflicts with the First Amendment of the Constitution of the United States, which protects freedom of speech, with the result that American courts are less likely to allow censorship of information. An additional challenge is found in the tension between privacy and freedom, leading one to speculate whether, in each case, free speech or privacy shall prevail.
Many U.S. commentators have noted that the concept of “forgive and forget” is a fundamental human value, and that U.S. law actually provides some elements of a “right to be forgotten”. Similarly, U.S. courts have recognized that it is the task of any court to preclude access to information “for improper purposes”, such as to “gratify private spite or promote public scandal” (see Nixon v. Warner Communications, Inc., 435 U.S. 589 (1978)).
Building on this approach and absent legal provisions concerning the “right to be forgotten”, the U.S. courts develop solutions on a case-by-case basis, sometimes siding with freedom of expression, and others with privacy. While this may eventually lead to consensus in the United States, proactive harmonization of international data protection laws is key to effectively implementing the “right to be forgotten” across the globe.
To conclude, despite that there has been substantial development of the “right to be forgotten”, U.S. and EU views of privacy protection and the “right to be forgotten” are currently in conflict due to cultural divisions. The disparity of views over Internet activities can create barriers, and it is difficult to find common ground for discussion among regulators and lawmakers. What is clear, however, is that control policies and international law enforcement should be enhanced to ensure efficiency, promote consumer trust online and, overall, reinforce actions taken to combat inadequate information.
Not the End
According to the CJEU, the effects of the GDPR are currently limited to the EU. The CJEU came to this decision despite admitting—incidentally—that the EU legislator has the competence to impose on search engine operators a worldwide de-referencing obligation, and that the right to privacy is truly protected only through global de-referencing, due to the borderless nature of the Internet.
This conclusion seems to be based on political rather than legal grounds and takes into account both the legal framework and the values of non-EU countries, which may be different on both privacy and the balancing of rights. Indeed, while in the EU the right to privacy is provided by law and generally prevails, with few exceptions, the U.S. provides no statutory right to privacy as understood in the European sense, and instead such right seems to be in the course of being defined by the courts.
This ruling should not put the end to the discussion of whether international organizations might ignore the GDPR outside the EU. Instead, it should leave the door open for further decisions by legislators on the territorial scope of EU law, which might also see the extension of the GDPR obligations outside the EU.