CJEU rules on the territorial scope of the “right to be forgotten”
Google LLC v Commission Nationale de l'informatique et des Libertés (CNIL)The question
Do online search engines have to apply the “right to be forgotten” globally? Or only to their EU platforms?
The key takeaway
The CJEU has ruled that EU data protection laws do not require the “right to be forgotten” to be applied on a global scale. Instead, in relation to requests for de-referencing, the right is limited in scope to EU search engines only. However, where appropriate, the supervisory authority of an EU Member State may order that non-EU search engines be de-referenced too.
In 2014, the CJEU established the “right to be forgotten” for EU data subjects in Google Spain SL v Agencia Española de Protección de Datos (C-131/12), ruling that, when compelled, online search engine operators were to de-reference (ie remove) links to web pages containing the data subject’s sensitive personal data.
Since this ruling, Google has received over 845,000 de-referencing requests from EU data subjects, and has acted on around half of these requests.
In 2015 a dispute arose between Google and CNIL, the French privacy regulator. On 21 May 2015, CNIL ordered that, when granting a request for de-referencing, Google must remove links from all versions of its search engine, including those outside the EU. Following Google’s refusal to comply with this order - it continued to de-reference links from its EU search engines only – CNIL imposed a public fine of €100,000. Google appealed to the Conseil d’Etat (the French Council of State), which stayed proceedings and referred several questions up to the CJEU. In summary, these were:
- Does the “right to de-referencing” require search engine operators to de-reference all versions of their search engines on a global basis?
- If not, must search engine operators remove links from the full suite of EU search engines, or only the version which corresponds to the Member State in which the request is deemed to have been made?
- Are search engine operators required to use “geo-blocking” to prevent EU users from accessing the complained of links through a non-EU version of their search engine?
Although the CJEU acknowledged that a de-referencing carried out across all of a search engine’s domain names clearly met the objectives which underlie EU data protection law, it ruled that these laws did not provide for the territorial scope of such an exercise to extend beyond the EU. However, to provide EU data subjects with a consistently high level of protection, it was necessary for any de-referencing to be carried out across the entire EU. Further, the CJEU ruled that operators are now obliged to attempt to prevent or at least “seriously discourage” internet users from accessing the links through a search engine’s non-EU domain names.
That said, the CJEU noted that its determination was not prohibitive. It noted that the supervisory and judicial authorities in each EU Member State had the prerogative to order that de-referencing be undertaken on a global basis following an appropriate balancing exercise of a data subject’s right to privacy and the right to freedom of information.
Why is this important?
The clarification of the territorial scope of the “right to be forgotten” is a welcome development for search engine operators. Since the right was enshrined in 2014, privacy regulators have had to grapple with whether or not to extend the right to non-EU search engines and, unsurprisingly, this has led to complications/disputes where regulators have tried to apply the right globally.
However, the CJEU’s ruling will have a significant impact upon data subjects seeking to take advantage of their “right to de-referencing”. The default position now means that, unless the relevant supervisory or judicial authority orders otherwise, links to pages displaying their personal data will remain accessible outside the EU (and, notably, within the EU if internet users use a virtual private network to circumvent any restrictions imposed).
Any practical tips?
It remains unclear how this ruling will be implemented in each Member State but search engine operators would be advised to listen to the CJEU’s emphasis on practical steps to help ensure internet users cannot easily access their non-EU domains as the CJEU said search engine operators should “where necessary” take measures to “effectively present or, at the very least , discourage” users from such access, which must in turn mean considerable focus on geo-blocking.