On 24 September 2019 the European Court of Justice (“ECJ”) handed down judgment in the case of Google v CNIL C-507/17. The effect of the case was that right to be forgotten requests only need be applied to domain names of Member States and not extra-territorially globally. The case, therefore, has implications for the processing and effectiveness of the right to be forgotten requests, particularly for requestors who seek de-listing of search results from multiple non-EU jurisdictions. Notably, the administrative burden upon search engine operators has been limited by the ruling.
The facts
The President of the French data protection authority the CNIL issued Google with a formal notice on 21 May 2015. The notice stated that, when granting a request to delist search results of a natural person, the search engine must remove search results from all its domain name extensions. The CNIL also viewed Google’s application of geo-blocking, which operates to block users of accessing the results at issue from an IP address in the State of Residence of the data subject following the expiry of the notice.
Google refused to comply with the notice, continuing to remove search results only from the domain names of Member States. Accordingly, on 10 March 2016, the CNIL found Google failed to comply with the formal notice and was fined EUR100,000.
Google subsequently appealed the fine to the Council of State of France which referred three issues to the ECJ:
- Following the Google Spain case, must the right to de-referencing be applied to all domain names of all jurisdictions despite the fact that they fall outside the territorial application of Directive 95/46 (which only applies to EU Member States).
- In the event that the response to question 1 is no, does the right to de-reference only need be applied to the Member State in which the requestor resides or for the national domain name extension of all Member States?
- Is the search engine operator required to apply geo-blocking for searches against the requestors name originating from within the Member State they reside?
The Court’s consideration of the issues
The Court begins by noting that Directive 95/46 and Regulation 2016/679 (the General Data Protection Regulation) provide legal grounding for the right to de-referencing. The most important provision for our purposes is Article 17 of the Regulation which establishes the right to be forgotten and Article 12(b) and 14(a) of the Directive:
“12(b) [has the right to obtain] as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular, because of the incomplete or inaccurate nature of the data…”
“(a) at least in the cases referred to in Article 7 (e) and (f), to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation. Where there is a justified objection, the processing instigated by the controller may no longer involve those data…”
The Court noted the legal process for delisting involves the balancing of the requestors’ right to erasure of personal data against the public interest in access to the data. These are well-established principles from the seminal case on the right to be forgotten, the Google Spain case.
The Court considered the importance of protecting personal data of data subjects and that “de-referencing carried out on all the versions of a search engine would meet that objective in full” (at p[55]).
The Court markedly noted the propensity for harm caused by the internet in the case of links outside Member States continuing to be listed:
“In a globalized world, internet users’ access — including those outside the Union — to the referencing of a link referring to information regarding a person whose centre of interests is situated in the Union is thus likely to have immediate and substantial effects on that person within the Union itself.” – at p[57]
Despite this, the Court noted that in many third party countries data protection regimes do not include the right to de-referencing. The Court had to have due consideration of such positions, territorial jurisdiction and the fact that the right should be applied proportionately.
The Court noted that the wording of both the Directive and Regulations as stated above does not confer any rights outside the jurisdiction of Member States.
The Court succinctly concludes that therefore, there can be no obligation for a search engine operator to remove search results from domain names outside Member States. The CNIL therefore has no right to compel Google to do so.
As to the second issue, the Court considered that de-referencing requests applied to all Member States in order to ensure consistent and high-level protections for data subject rights throughout the European Union. The Court noted however, that Member States may derogate or vary the rights of residents.
The Court does not directly address the issue of geo-blocking however does state:
“In addition, it is for the search engine operator to take, if necessary, sufficiently effective measures to ensure the effective protection of the data subject’s fundamental rights. Those measures must themselves meet all the legal requirements and have the effect of preventing or, at the very least, seriously discouraging internet users in the Member States from gaining access to the links in question using a search conducted on the basis of that data subject’s name”
Comment
The judgment of the ECJ is clear and unqualified. A de-referencing request only applies to the search results against a person’s name in the domain names of Member States. Such a policy is well-founded and reflects the attempt of the GDPR to harmonise data subject rights between Member States. It is difficult to see how these principles could be applied outside the jurisdiction of other Members States; surely such matters would be for the laws of each jurisdiction in question.
Indeed many jurisdictions outside the European Union have legislated a right to be forgotten that complements the GDPR. Thus the right to be forgotten is sufficiently broad to have the desired effect of harmonization without being overly board in application territorially or effectively.
The Privacy Perspective 