On 24 September 2019, the European Union’s top court issued a landmark ruling declaring that Google does not have to extend the “right to be forgotten” rules to its search engines globally.1 This decision provides important guidance about this right, one of the well-known provisions of the General Data Protection Regulations (GDPR).
Prior Treatment of the “Right to Be Forgotten”
The “right to be forgotten” originates from a 2014 decision, where a Spanish businessman successfully argued that it was contrary to data protection law for links to 12-year-old news reports revealing his financial difficulties to come up against Google searches of his name. The decision was based on the principle that the data in the search results was no longer relevant and was excessive.2
As a result of this right, subsequently replicated in GDPR3, it is open to EU individuals to request Google to “de-reference” data from search results linked to their name. Google receives well over 100,000 such requests per year, nearly half of which it finds justified. When Google delists the results, it does so only on EU domains, such as Google.co.uk or Google.fr, and not on Google.com or other non-EU domains.
2019 Ruling’s Limitation on the Geographic Scope of the “Right to Be Forgotten”
The 2019 ruling stems from a 2015 dispute between Google and the Commission nationale de l’informatique et des libertés (CNIL), the French data protection supervisory authority. In 2015, CNIL required Google to delist results from all of its search engine domains to effectively protect individuals’ rights. Google refused. CNIL then fined Google €100,000. Google appealed to the Court of Justice of the European Union (CJEU), arguing that European authorities should not extend their own privacy rules around the world, where they might infringe other laws such as the right to freedom of expression.
In the court proceedings, Google explained that it had implemented a new system, under which users are automatically directed to the national version of the search engine corresponding to the place where they are conducting the search, as determined by its geo-location process. So even if French users searched Google.com, they would get the results from Google.fr.
The CJEU first confirmed that Google was subject to GDPR, even though its search engine operated from the US, because the engine obtained financial benefit from advertising activities carried out by Google’s French subsidiary.
The Court went on to note that internet search results are ubiquitous and likely to have immediate and substantial effects on people within the EU. This justified EU law requiring a search engine operator to de-reference results from all versions of its search engine, on a world-wide basis. Nevertheless, the Court then emphasized the following points:
- Many non EU states do not recognize the right to be forgotten, in this case a de-referencing right;
- The right to protect personal data must be balanced against other fundamental rights such as the freedom of internet users; this balance varies significantly around the world;
- It was not apparent from the GDPR that it imposed, on operators, a de-referencing operation which extended to the national versions of its search engines located in countries outside the EU.
The CJEU concluded that “[c]urrently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject...to carry out such a de-referencing on all the versions of its search engine.” However, the ruling further stated, “EU law requires a search engine operator to carry out such a de-referencing on the versions of its search engine corresponding to all the Member States and to take sufficiently effective measures to ensure the effective protection of the data subject’s fundamental rights.”
Therefore, Google, and other operators, do not need to de-reference links containing personal data from search results on their non EU search engines. They are, however, subject to an obligation to prevent or seriously discourage internet users in the EU from gaining access to the non-EU links concerned. In other words, users in the EU who try and search on Google.com must be automatically directed to the applicable EU google search engine in their own country, and will only obtain de-referenced results.
The Future of the “Right to Be Forgotten”
That may not be the end of the matter. In a final aside, the CJEU emphasized that an authority of an EU member state remained competent to order “where appropriate” a search engine operator to de-reference data from all versions of its search engines, both EU and non-EU. This suggests there may be exceptional cases, but the scope of this exception is at best uncertain.
In practice, the result in this particular case is that internet users in, say, North America might obtain more comprehensive search results than users in Europe when they search against a person’s name.
On a conceptual level, this judgment represents a balanced approach. While still claiming GDPR jurisdiction over non-EU organizations with activities in the EU, the European Court has recognized that there are territorial limits to its effect (“[t]he balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world….”). It remains to be seen whether this approach has wider implications for the application of GDPR to the non-EU activities of organizations subject to GDPR but based outside the EU.
1 Judgment in Case C-507/17, Google LLC, successor in law to Google Inc. v Commission nationale de l’informatique et des libertés (CNIL) (2019), accessed HERE.
2 Judgment in Case C-131/12, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014). Google was required to remove links to search engine results that “appear to be inadequate, irrelevant or no longer relevant or excessive in the light of the time that had elapsed….”
3 The GDPR provides the “right to erasure (‘right to be forgotten’).” See Art. 17, Regulation (EU) 2016/679 (General Data Protection Regulation). Specifically, the regulation states, “[t]he data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay…” under certain conditions. According to the regulation, personal data must be erased where one of the following grounds exists: (1) the data is no longer needed for its original processing purpose, (2) the data subject has withdrawn his or her consent and there is no other legal ground for processing, (3) the data subject has objected and there is no overriding legitimate grounds for the processing, or (4) erasure is required to fulfil a statutory obligation under the EU law or the right of the Member States. Additionally, data must be erased if it was unlawfully processed in the first place. Members of the public can make a request to any organization either verbally or in writing, and the recipient of such request has one month to respond.