Google v CNIL Case C-507/17: The Territorial Scope of the Right to be Forgotten Under EU Law

29 October 2019/ By / 7

In its landmark ruling in Case C-507/17 Google v CNIL, the Court of Justice held that there is no obligation under EU law[1] for Google to apply the European right to be forgotten globally.[2] The decision clarifies that, while EU residents have the legal right to be forgotten, the right only applies within the borders of the bloc’s 28 Member States.

In its analysis, the Court considered the 1995 Data Protection Directive and the General Data Protection Regulation (GDPR) which entered into force on 25 May 2018 repealing the Directive.[3] The decision is critical because, at first glance, it appears to have closed the door for EU residents to demand a worldwide removal of their information, in certain circumstances, from search engine results under the GDPR. The Court explicitly set limits on the territorial scope of an individual’s right to de-reference. In simple terms, this means that Google is only required to remove links to personal data from internet searches conducted within the EU.

However, while Google and proponents of the freedom of expression and access to information have claimed this case as an ostensible win, a closer analysis of the Court’s decision shows a more nuanced approach which leads to a different conclusion. Though the Court conceded the limitations of current EU law in requiring global delisting, it also asserted salient points which open the possibility for national data protection authorities (DPAs) to require search engine operators to delist globally by recognizing their competence to enact laws with regards to the matter. In this sense, CNIL and other EU national DPAs could arguably lay claim to a more substantial victory under this ruling.

The Right to be Forgotten

In 2014, the CJEU developed the jurisprudence establishing the European legal right to be forgotten (Google Spain and Google, C-131/12)[4] also referred to as the right to de-reference or delist. It allows individuals in the EU to request search engines to remove links containing personal information from web results appearing under searches for their names.[5] In that judgment, the Court also highlighted that the right (codified at Article 17 of the GDPR) is not absolute and is granted only when one’s personal data protection rights outweigh the public’s interest in continued access to the information.

 Five years after the development of this legal framework in Google Spain[6], the territorial scope of this right continues to confuse the individuals seeking to enforce it and controllers of processed data receiving requests to de-reference. Notably, national DPAs tasked with monitoring the application of the Directive within their territories and national courts have faced serious difficulties in interpretation.[7] The uncertainty of its scope prompted France’s Conseil d’État to seek clarifications from the CJEU in Case C-507/17.

Background: Case C-507/17

The case concerned a dispute between Google Inc. and CNIL, the French DPA, with regards to the scale on which de-referencing is to be given effect. In 2015, CNIL notified Google that it must apply the removal of links from all versions of its search engine worldwide. Google refused to comply and continued to limit its de-referencing of links only on search results conducted in the versions of its search engines with domain extensions within the EU and EFTA[8] and used geo-blocking, a measure which prevents the links from showing in searches made in France regardless of the version used. Google appealed to the Conseil d’État seeking to annul a EUR 100,000 fine imposed by CNIL. The Conseil d’État, noting “several serious difficulties regarding the interpretation of the directive,”[9] subsequently referred questions to the Court of Justice for a preliminary ruling concerning the scope of application of Articles 12(b) and 14(a) of the Directive.

CNIL’s Arguments

 CNIL contends that for the right to be effective, Google must de-list links universally. It held insufficient both measures implemented by Google to comply with the Directive: 1) de-listing links from all EU and EFTA extensions, and 2) de-listing links from all searches conducted in the French territory. CNIL argued that internet users located in France are still able to access the other versions outside the EU (e.g. Google.com). Therefore, removing links about an individual residing in France only from the French version (google.fr) or even from versions in other EU member states is not enough to protect the individual’s right, violating the Directive.

Google’s Argument

Google argues that CNIL misinterpreted the provisions of the law recognizing the right to de-reference by explaining that the right “does not necessarily require that the links at issue are to be removed, without geographical limitation, from all its search engine’s domain names.”[10] Google contended that CNIL’s misinterpretation amounted to: 1) a disregard of public international law’s principles of courtesy and non-interference; and 2) the disproportionate infringement of the freedoms of expression, information, communication and the press.[11]

Legal Question

The Court addressed whether EU data protection law on de-referencing should be interpreted to mean that a search engine operator is required to remove links:[12]

1. on all versions of its search engine (worldwide), or

2. only on the versions corresponding to all Member States (within the EU), or

            3. only on the version corresponding to the Member State of residence of the person requesting the de-referencing.

The Court’s Reasoning

 Taking the side of Google, the Court held that search engine operators are not required under EU law to remove links on all the version of its search engine. To support its assertion, the Court explained that the texts of the Directive and GDPR do not indicate that EU legislature has chosen to confer a scope which would go beyond the territory of the Member States or has intended to impose on a search engine operator a de-referencing obligation on non-EU national versions of search engines.

In its ruling, the Court also emphasized the goal to provide a high level of protection of personal data throughout the EU. Accordingly, it held that search engine operators are required to remove all the links on all the versions in the EU regardless of where the request to de-reference originates in the EU. It also held that search engine operators are required to supplement the de-referencing through measures that would prevent or seriously discourage an internet user located in the EU to gain access to de-referenced links when using a search engine version outside the EU.

 However, it is important to point out that a key part of the CJEU’s judgment appears to neutralize Google’s purported victory in this case.  Paragraph 72 of the judgment reveals the Court’s effort to establish the lawfulness of global de-referencing as a general principle. By finding that EU law does not prohibit it and that Member States remain competent to order search engine operators to de-reference globally after balancing the conflicting rights of personal data protection against the right to freedom of information under national standards of protection of fundamental rights,[13] the Court leaves the door wide open for the possibility of global de-referencing as determined by a national DPA or a national court in the EU.

Comment

Google v CNIL is a long-awaited clarification of, at the very least, the geographical boundaries of the right to be forgotten. As the Court held, there is little room for interpretation under the current legal framework of data protection to establish a global application of such a right. It highlighted the difficulties of global de-referencing noting that public interest in access to information substantially vary among third States, therefore, the balancing of fundamental rights would also differ. The court seemingly faced a difficult choice: either to consider a global application, which would ensure the full protection under the right, at the risk of jeopardizing its legitimacy by encroaching on third States’ sovereignty, or to avoid a potential overreach by concluding a regional application which still provides its residents protection of their personal data, albeit limited, within the Union.

 Ultimately, the Court went on to say that the EU framework does not provide for cooperation instruments and measures outside its territory and chose the EU-wide approach. However, in an apparent attempt to mitigate the consequences of a non-universal application, it did not rule out the possibility that certain cases may justify a global de-referencing.

Implications for EU Residents

 On another level, the clarity of the law does not render the nature of data protection and privacy uncontroversial. Just because the law stands as it currently does, it does not mean that it is adequate. By explicitly limiting the territorial scope of the right to be forgotten, the Court may seem to have inadvertently limited the impact and protective effect of this right.

Acknowledging the global nature of the internet, the Court held that access, even by non-EU internet users, “to the referencing of a link referring to information regarding a person in the EU is likely to have immediate and substantial effects on the person.”[14]  The Court also made it clear that due to such substantial effects, the EU legislature has the competence to oblige operators to de-reference links on all versions of its search engines.[15] These statements imply that the right can only truly be protected through global de-referencing owing to the internet’s borderless nature.

Given the importance of a global application of the right, allowing internet users conducting searches outside the EU to still be able to access the links de-referenced in the EU after this judgment will potentially undermine the right to be forgotten and weaken the protection sought to be achieved by the right or, at the minimum, the Union’s objective of guaranteeing a high level of protection of personal data cannot be fully met. Consequently, the Court’s decision could arguably be seen as a step backwards in its goal to set a more comprehensive data protection standard for its residents.

Significance: More than Just a Territorial Limit on the Right to be Forgotten

 The importance of this decision also lies in the fact that it has been viewed as a test of whether the EU can extend its data protection and privacy standards beyond its territory. As companies which process personal data continue to expand their reach on a global scale, the tension between national regulators and these companies is expected to escalate.    

Without current international standards governing the processing of private information, national jurisdictions are anticipated to try to implement regulations with a global impact and extend their own privacy standards universally to ensure the protection of their citizens’ rights with regards to the processing of personal data. Thus, beyond setting the limits on the territorial scope of the right to be forgotten, the legal significance of the Court’s ruling is also found on what it will do to reinforce the GDPR’s role in setting data protection standards as a floor, not a ceiling, which has potential implications for companies worldwide.

EU Data Protection Law: A floor, not a ceiling

Perhaps more significant than providing clarity on the territorial scope of the Directive and GDPR on de-referencing, this ruling appears to have paved a path towards a global reach by providing Member State DPAs and courts the option to individually oblige search engine operators to implement the right to be forgotten worldwide, where appropriate.

The ruling establishes the legitimacy of global dereferencing in general. First, by holding that Google “must be regarded as carrying out a single act of personal data processing”, the Court subjects Google’s data processing on all of its domains under the jurisdiction of the GDPR.[16] Second, despite conceding that there is no current obligation under EU law to carry out de-referencing globally, the Court pointed out the justified “existence of a competence on the part of the EU legislature to lay down the obligation” if it chooses to do so.[17] Third, the Court stressed that while EU law, as it stands, does not require global de-referencing, it also does not prohibit the practice of requiring operators to grant de-referencing requests in all versions of its search engine.[18] Lastly, the Court gave national DPAs and courts the competence to order a global delisting, on a case by case basis, by referencing the need to protect fundamental rights under national standards in order to sustain a universal application.[19] The Court stressed that “a supervisory or judicial authority of a Member State remains competent…to order, where appropriate, the operator of that search engine to carry out a de-referencing concerning all versions of that search engine.”[20]

Here, the Court’s assertions indicate its efforts to preserve the option for Member States to globally apply the right to be forgotten by allowing the adoption of more protective national laws, effectively creating a floor for privacy and data protection regulation.

Conclusion

To conclude, this ruling is far from the highly publicized victory claimed by Google. It is clear that the Court’s decision upholds the lawfulness of the global application of the Right to be Forgotten. This decision comes at a critical time when the EU’s new legal framework in data privacy, the GDPR, has just taken effect. The GDPR has already placed the rest of the world on notice and global tech companies are keen to know how it could affect their operations. Thus, understanding the scale of its practical application is essential.

While the CJEU’s decision provided clarity on the scope of the right under EU law, it also left areas of uncertainty. For example, since the Court left the option open for DPAs to determine the conditions which will justify a delisting on all versions of a search engine based on national standards of the protection of fundamental rights, it is expected that the CJEU will continue to see more questions about the global reach of the EU’s data protection. In fact, a related case (Case C-18/18, Glawischnig-Piesczek) allowing a Member State court to block access to unlawful information worldwide has just been decided by the CJEU a few days prior to this publication.

Finally, although this case narrowly focuses on the geographical limit of the right to be forgotten, its ruling could have a broader implication on the GDPR’s territorial scope, in general. Beyond the context of search engines, any company which the EU or its Member State DPAs and courts regards as providing services that carry out a single act of personal data processing could potentially be deemed subject to GDPR’s jurisdiction.[21] Indeed, the ruling may have limited the territorial scope of the right to be forgotten but it definitely did not limit that of the GDPR. It remains to be seen what this decision means to the development of a harmonized international data protection law. What is clear, however, is that the impact of the decision will likely be as important and influential, if not more so, than the decision itself.

[1] General Data Protection Regulation (EU) 2016/679 (GDPR) replacing Directive 95/46/EC (Data Protection Directive)

[2] Judgment of 24 September 2019, Google Inc v Commision nationale de l’informatique et des libertés (CNIL), C-507/17, paragraph 64

[3] Although the Data Protection Directive was applicable on the date the request for a preliminary ruling was made, it was repealed with effect from 25 May 2018, from which date the GDPR is applicable. Hence, the Court examined the questions in light of both the Directive and the GDPR to ensure that the decision will be of use to the referring court.

[4] Google Spain and Google C-131/12, EU:C:2014:317

[5] Google Spain and Google, Paragraph 93

[6] Google Spain and Google, C-131/12, EU:C:2014:317

[7] Google v CNIL, Paragraph 39

[8] The Court notes on Paragraph 36: The search engine operated by Google is broken down into different domain names by geographical extensions (.fr, .de, .com, etc). Where the search is conducted from ‘google.com’, Google automatically redirects that search to the domain name corresponding to the State where the search is made. In addition: Google utilizes different factors such as IP address to determine the location of a user performing a search on Google. The search engine will yield different results depending on the domain name extension and location (e.g. through IP address) of the user.

[9] Google Inc v CNIL, Paragraph 39

[10] Google v CNIL, Paragraph 38

[11] Id.

[12] Google v CNIL, Paragraph 43

[13] Google v CNIL, Paragraph 72

[14] Google v CNIL, Paragraph 57

[15] Google v CNIL, Paragraph 58

[16] Google v CNIL, Paragraph 37

[17] Google v CNIL, Paragraph 58

[18] Google v CNIL, Paragraph 72

[19] Id.

[20] Id.

[21] See Google v CNIL, (In Paragraph 37, the Court found that GDPR applied to all of Google (including US/non-EU Google versions) not just Google France because: (1) Google’s search engine domain names can all be accessed from French territory and, (2) of the existence of gateways between Google’s various national versions. Thus, it “must be regarded as carrying out a single act of personal data processing for the purposes of applying the Law of 6 January 1978.” – Note:  The potential application of this reasoning to non-search engine companies in future GDPR cases is important.)