The Right to Be Forgotten Only Applies Within EU, ECJ Rules

This post discusses the recent case of Google v. CNIL. The decision is available here.

The supreme court of the European Union, the European Court of Justice (ECJ), ruled on September 24 that the “right to be forgotten” only applies within the boundary of EU member states.

The “right to be forgotten” was first recognized by the ECJ in the case of Google Spain SL v. Agencia Espanola de Proteccion De Datos (“Google Spain”) in 2014. The right guarantees that individuals have the ability to ask data controllers, like search engines, to remove links with personal information about them. The specific issue addressed in Google Spain was the right of de-referencing, which is the right to have information relating to the individual no longer linked to their name in search results following a search of their name (i.e. certain results would not be shown after googling his or her name).

Recognizing that the internet and search engines render information “ubiquitous” and the seriousness of that interference with the right of privacy, the ECJ ruled that the right of de-referencing overrode, “as a rule,” not only the economic interest of the search engine but also “the interest of the general public in having access to that information.” However, the presumption in favor of de-referencing could be overcome by “the preponderant interest of the general public in having…access to the information in question” for reasons such as “the role played by [the individual] in public life.”

The European Parliament later codified the right as the “right to erasure” or “right to be forgotten” in the General Data Protection Regulation (Regulation (EU) 2016/679) in 2016. Pursuant to Article 17(1) of that regulation, the data controller has the obligation to erase personal data where one of the grounds listed in that article applies. This right is not absolute, as Article 17(3) provides several exceptions to Article 17(1). Specifically, the regulation allows data to remain available when necessary “for exercising the right of freedom of expression and information.”

However, after Google Spain and the new regulation, it was not clear whether the rules applied outside of the EU territories. This issue needed to be resolved in order for the right to be forgotten to have any bite. After the ruling in Google Spain, Google adopted the practice that they would only remove results based on a de-referencing request from its EU domains. This meant that, without the extraterritorial effect of the rules, the information would still be widely accessible. Google has different domain names by geographical extensions, such as “google.fr” for France or “google.ru” for Russia. The search results from each domain were tailored to the corresponding country and the internet users were free to use any domain name of Google regardless of their locations. In other words, EU users could just switch to another domain and access those results.

The case of Google v. CNIL arises from a dispute between Google and the French data protection agency, the Commission nationale de l’informatique et des libertés (CNIL). In 2015, CNIL served formal notice on Google that it must remove results from all of its domains when granting an individual’s request to remove links from search results. Google refused, but proposed a compromise called “geo-blocking.” This approach would prevent users using any domain extension from accessing results from an IP address within the state of residence of the data subject. For example, if a French individual requests certain information about him to be removed, then anyone using a French IP address cannot find that information through Google searches. CNIL rejected the proposal and imposed a penalty of € 100,000. Google lodged an application with the French administrative court, who referred the question to the ECJ for a preliminary ruling.

The ECJ first stated that the objectives of Regulation 2016/679 were “to guarantee a high level of protection of personal data throughout the European Union” and that the de-referencing on all domain extensions of a search engine “would meet that objective in full.” The Court also recognized that the internet was a global network and that in a globalized world, “internet users’ access — including those outside the Union — to the referencing of a link referring to information regarding a [EU resident]…is thus likely to have immediate and substantial effects on that person….”

However, the court also observed that “numerous third States do not recognize the right to de-referencing or have a different approach to that right,” and that the right is not absolute. Rather, the right must be considered “in relation to its function in society and be balanced against other fundamental rights” and the balance “is likely to vary significantly around the world.”

The ECJ also examined the texts of Regulation 2016/679 and held that it was not intended to have extraterritorial effects. The court found that the EU legislature did not establish a balancing test regarding the scope of de-referencing outside the EU and no cooperation instruments or mechanisms for de-referencing outside the EU were provided for. As a result, the Court decided that the right could not be interpreted to go beyond the EU territory and held that “there is no obligation under EU law, for a search engine operator…to carry out such a de-referencing on all the versions of its search engine.”

The ECJ also addressed the concerns that EU internet users could just switch to a different Google domain and gain access to the information that the data subject sought to remove. The ECJ required search engines to take “sufficiently effective measures” to “at the very least, seriously discouraging internet users in the Member States from gaining access to the links in question.” Further, the Court emphasized that EU law did not prohibit the national authorities from requiring Google to remove links on all versions of its search engine.

The globalized and borderless nature of the internet makes the ruling quite significant. Even with the “geo-blocking” system in place, internet users can just use the VPN (virtual private network) services to change their IP addresses to access the blocked information. However, the ECJ also granted EU member states leeway to enact national data protection laws and reach outside their borders. Therefore, the implementation of the EU “right to be forgotten” may start to diverge at the national level.

It should be noted that Google adopted the “geo-blocking” method in 2016. A summary of Google’s implementation of the EU right to be forgotten, prepared and updated by Google itself, can be found here.

Yang Ni is a second-year student at Columbia Law School and a Staff member of the Columbia Journal of Transnational Law. Yang graduated from the University of Hong Kong in 2018 with a Bachelor’s degree in Economics and Finance.