On September 24, 2019, the highest court of the European Union (EU), the Court of Justice of the EU (CJEU), attempted to limit the territorial scope and authority of EU data protection authorities in its recent decision regarding the applicability of the General Data Protection Regulation’s (GDPR) right to be forgotten to search engine operators. Specifically, the court found that search engine operators are not required to remove (or “de-reference”) search results on all worldwide domain extensions in response to a right to be forgotten request, but may limit their actions only to the EU versions (e.g., .eu, or .fr.).
Under Article 17 of the GDPR, data subjects have, subject to a handful of exceptions, the right to request that a data controller/processor delete all of the personal data that it has collected about the data subject, without undue delay. This is often referred to as the right of erasure or the right to be forgotten (RTBF).
The current case arose after a 2016 decision by the French data protection authority, the Commission Nationale de l’Informatique et des Libertes (CNIL), to impose a €100,000 penalty on Google. The CNIL had issued an initial notice in 2015, and, after finding that Google did not comply with that notice, fined Google for failing to apply the RTBF across all of its global search engine domain name extensions. Google objected to the 2015 notice on the grounds that it did not believe the French authorities could regulate worldwide activities. The search engine operator confined itself solely to removing data displayed following searches conducted from domain names corresponding to the relevant version of Google in a given member state. Google appealed the 2016 penalty and ultimately the case was referred to the CJEU.
In rendering its decision, the CJEU followed the Opinion provided in January 2019 by Advocate General Maciej Szpunar (Advocate Generals assist the CJEU with providing considered opinions which, although not binding, have persuasive authority). The Advocate General’s Opinion in this instance includes helpful analysis, as it emphasized, for example, (1) that the RTBF must be balanced against other fundamental rights, including the legitimate public interest in accessing the information sought, and (2) the need for a search engine operator to ensure effective application of the RTBF within the EU, including through the use of geo-blocking.
Following that Opinion, the CJEU held that there is no obligation under EU law for a search engine operator such as Google to apply the RTBF on all versions of its search engine worldwide. Instead, the court found that Google only has to apply de-referencing on the versions of its search engine in the EU member states. According to the CJEU, “it is in no way apparent from the wording” of the GDPR that the EU legislature would have chosen to confer rights, such as the RTBF, to data subjects which would apply beyond the EU. The court further explained that there was no support in the wording of the GDPR for a proposition that the GDPR “would have intended to impose on an operator which, like Google, falls within the scope of that directive or that regulation a de-referencing obligation which also concerns the national versions of its search engine that do not correspond to the Member States.”
The CJEU also stated that search engine operators must implement measures which effectively prevent or, “at the very least, seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subject’s name from gaining access, via the list of results displayed following that search, to the links which are the subject of that request.” This appears to be an attempt by the CJEU to address the possibility that non-EU versions of a search engine could be accessed in the EU, such as through a VPN.
Notably, the CJEU stated that while “EU law does not currently require that de-referencing granted concern all versions of the search engine in question, it also does not prohibit such practice.” The CJEU noted that the supervisory or judicial authorities of the member states could order a search engine to de-reference search results from all of its versions worldwide on the basis of national standards of protection of fundamental rights.
At present, when an internet user types in “Google.com,” Google automatically re-directs the traffic to the appropriate national domain depending on the person’s location. Thus, a person in the United Kingdom is re-directed to Google.co.uk, or in France to Google.fr. The CJEU’s decision means that search engine operators, such as Google, only need to apply de-referencing to those domains that are accessible in EU member states. Notably, since the 2015 notice from the CNIL, Google implemented several procedures to prevent users from accessing another country’s domain while in the EU, or vice-versa (“spoofing”). The CJEU found that the current measures are an acceptable level of assurance that Google had ensured the effective protection of a data subject’s fundamental rights. As technology changes and “spoofers” become more sophisticated, the technicalities of such measures will almost certainly be examined.
The CJEU’s decision provides potential clarity to online service providers who operate multiple versions of their websites because such service providers can rely on this decision to apply the RTBF only to the versions accessible in the EU. However, it remains unclear whether (1) other rights and protections will similarly be limited to the EU versions of websites and (2) whether the RTBF will not apply if the information, although originating in the EU, is processed outside of the EU and is not publicly accessible. As more sovereigns adopt privacy regulations, such questions may be under further investigation.