Google has received millions of requests from individuals to remove links to inaccurate, irrelevant, excessive, and out-of-data information following searches performed on the requesters’ names since 2014, when the Court of Justice of the European Union (“CJEU”) first ruled that an individual has such “right to be forgotten” in the Internet. The scope and the enforcement of the right to be forgotten has been contested in several EU Member States. In a recent case, Google challenged a French regulator’s order to expand the scope of the “right to be forgotten” judgment globally. In the recent Advocate General’s opinion, it is argued that the enforcement of the right should be limited to the EU Member States.
A global right to be forgotten?
In 2015, a French agency responsible for regulating data privacy, the Commission nationale de l’informatique et des libertés (“CNIL”), served a formal public notice on Google that, when fulfilling the request to remove links displayed following a name search, Google should not only delist, or de-reference, the results on the European Extensions of the search engine, such as Google.com.fr, but that it delist on all of Google’s domain names. The CNIL was also unsatisfied with the “geo-blocking” approach proposed by Google, whereby search engine users would be denied the access to the links in question from an IP address located in the state of residence of the person requesting the delisting. Google refused to comply with the CNIL’s order and the CNIL subsequently issued a €100,000 fine against Google for failure to comply. Google filed an application with the Conseil d’État, France’s highest administrative court, seeking the adjudication annulled. Prior to resolving the case, the Conseil d’État decided to refer several questions regarding the scope of the right to be forgotten to the CJEU for a preliminary ruling.
The questions referred to the CJEU mainly concern the territorial scope of a previous CJEU ruling on the right to be forgotten. The first question addresses whether the right to de-referencing established in the previous CJEU decision should be interpreted as requiring a search engine operator to delist any link at issue displayed following the search of the requester’s name, irrespective of place where such search is conducted. If the first question is answered negatively, the CJEU is asked to decide whether a request for de-referencing should only be implemented in the Member State where the request is made, or the it should be applied across all the EU countries. As the French court points out, the former, more restrictive option could be achieved by deleting the links only from the respective national version of the search engine (i.e. Google. fr if the request is made from France). Alternatively, the search engine could use the “geo-blocking” technique to prohibit the access to the information by any IP address located in the same country as the requester.
The right to be forgotten is derived from the Directive 95/46/EC on the protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (“the Directive”). The Directive, enacted in 1995, was first proposed before the Internet took its current form, as pointed out in the Opinion of Advocate General Jääskinen in Google Spain v. AEPD and Mario Costeja González (“AEPD case”). Article 2 of the Directive defines “personal data” as “any information relating to an identified or identifiable natural person (‘data subject’),” and “an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.” Article 12(b) of the Directive states that every data subject has the right to obtain “erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data.” Article 14 of the Directive further provides that the data subject has the right to “object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation.”
On January 10, 2019, Advocate General Maciej Szpunar issued an opinion against the CNIL’s global enforcement of the de-referencing right. He takes the view that a search made outside EU Member States should not be affected by a delisting request in general, although extraterritorial applications are possible in certain, clearly defined cases affecting the internal market. The Advocate General further argues that the fundamental right to be forgotten must be balanced against other fundamental rights, and a worldwide de-referencing may create difficulty for EU authorities in defining and determining the right to receive information. He also warned of the risk that, if the EU decides to preventing people in other countries from accessing information, those countries may apply information blocks against EU residents. However, the Advocate General emphasizes that the search engine operator has the obligation to take every possible measure, including the use of the “geo-blocking” technique, to ensure a full and effective enforcement of the de-referencing right within the EU.
The recent advocate general opinion is expected to be followed by a final preliminary ruling from the CJEU. Although the January 10 opinion is not binding on the Court, the Advocate General plays an important advisory role by proposing an independent and impartial legal solution to the CJEU.
The 2014 Landmark Case
This recent ruling is a clarification of the CJEU’s ruling in the AEPD case. In the AEPD case, the CJEU was requested to interpret Directive 95/46, which aims to protect individual privacy with regard to the processing of personal data, as well as promote the free flow of such data. The dispute started with a complaint lodged by Mr. Costeja González, a Spanish national, with the Agencia Española de Protección de Datos (“AEPD”), the Spanish data protection agency, in 2010. The plaintiff requested that Google Spain and Google, Inc. remove links to a newspaper announcement of a foreclosure auction of Mr. Costeja González’s property in 1998 from the list of the Google search results of his name. Mr. Costeja González argued that the relevant attachment proceedings had been completely resolved years ago and that the reference to the announcement was now irrelevant. The AEPD decided that it had the power to require that search engine operators prohibit access to certain data, if, for example, the person concerned wants for the data to be unavailable to third parties. The AEPD’s decision was challenged by Google Spain and Google, Inc. before the Audiencia Nacional, Spain’s highest court. In determining the obligations owed by a search engine operator, the Audiencia Nacional referred the question regarding the interpretation and the application of Directive 95/46 to the CJEU.
The CJEU, in the 2014 decision, first confirmed that the Directive is applicable to search engine operators, including Google, Inc., even if the company conducted relevant data processing outside Europe. The Court further held that Article 12 and 14(a) of the Directive obligate Google, Inc. to remove from the search results links to web pages containing information relevant to the person, when the information is found inaccurate, out-of-date, inadequate, irrelevant, and excessive in light of the purpose of processing the personal data. It is unnecessary to show any prejudicial effect of such information. In addition, the removal may be required even if the web pages are lawfully published by third parties, and the name or information is not excluded from the web pages, themselves. In light of Article 7 and 8 of the EU Charter of Fundamental Rights concerning the protection of privacy and personal data, a data subject, such as a natural person, could make a request to a search engine operator that certain information should no longer be displayed. Nonetheless, by proposing a balancing test, the CJEU makes it clear that the right to be forgotten is not absolute and should be weighed against other fundamental rights on a case-by-case basis. The right may be upheld when the individual’s privacy right overrides the economic interest of the search engine operator and the interest of the general public to have free access to such information. On the other hand, as in the case of information concerning public figures, making such information available may be justified by the preponderant public interest.
Codification in the GDPR
The right to be forgotten is now formally codified in Article 17 of the EU’s General Data Protection Regulation (“GDPR”). Approved by the EU Parliament in 2016 and enforced in May, 2018, the GDPR replaces Directive 95/46/EC, and imposes a set of stricter data protection rules on all companies operating within the EU. According to the new rule, if any of the conditions listed in Article 17(a) is met, the controller, which is defined in Article 4 as the one who “determines the purposes and means of the processing of personal data,” is responsible for informing all other controllers in data processing that all links to this personal data, as well as copies or replications of the personal data, must be deleted.