On 24 September 2019 the European Court of Justice (CJEU) made a landmark ruling on the territorial scope of the right to de-referencing, or as it is better known, the ‘right to be forgotten’ (see Google C 507/17) concluding that Google only had to ‘de-reference’ from all its sites within the EU and not all its sites worldwide.
Unsurprisingly, Google and other search engines have welcomed the judgment as a victory for freedom of information. In the judgment the CJEU recognises the difficulty in creating a global level of protection, and it would have been brave for the CJEU to extend the territorial reach of the GDPR in this area, even though it held that it is not prohibited from doing so. Search engines will still be relying on national data protection supervising authorities and the national courts to ascertain whether measures put in place to ‘de-reference’ are adequate.
The dispute between Google and the French Data Protection Authority
The case concerns a dispute which arose almost 5 years ago between Google LLC (a subsidiary of Google Inc.) and the French Data Protection Authority (CNIL). The CNIL imposed a €100k penalty on Google due to its failure to apply a de-referencing request to all of its search engine’s domain name extensions. Google had only de-referenced the search from the European Union (EU) versions of its search engine.
At the heart of this judgment is the interpretation of Article 17 of the General Data Protection Regulation (GDPR), the purpose of which is to protect the fundamental rights and freedoms to have one’s personal data removed from a search engine, and to prevent the free-movement of such data.
What was in dispute was whether Google was required to carry out this de-referencing on all versions of its search engine or only on the versions of the search engine located in Member States. Google had only de-referenced the search from the EU versions of its search engine using ‘geo-blocking’ in order to achieve this, which restricted results from being accessed according to a user’s geographic location.
Had Google ‘de-referenced’ sufficient information?
The CJEU found that the objective of the GDPR is to ensure a high level of protection of personal data across the EU. While carrying out de-referencing on all versions globally would fulfill this objective, the CJEU recognised that many third States do not recognise, or have different approaches to, the right to de-referencing. In a strong statement, the CJEU asserted that the right to the protection of personal data is not absolute and must be measured against other fundamental rights such as the right to freedom of information. This balancing act itself is also likely to vary globally, and Article 17(3)(a) of the GDPR which encompasses the right to be forgotten had not yet struck this balance with regards to de-referencing outside of the EU. Therefore, there was no obligation under EU law to carry out such de-referencing on all versions of Google’s search engine, although the CJEU noted that EU law does not prohibit such a practice. However, on the versions existing in Member States, the CJEU stated that the measures taken must have the effect of “preventing or seriously discouraging” internet users in the Member States from gaining access via a list of search results to non-EU links which contain information subject to a de-referencing request.
The CJEU also found that the interest of the public accessing such information may vary within the Union, and that derogations will need to be made within individual Member States by supervising authorities in order, for example, for artistic, journalistic or literary expression to reconcile the rights under Article 17 with those rights pertaining to freedom of expression and information. Search engines will still be relying on national data protection supervising authorities and the national courts to ascertain whether measures put in place to ‘de-reference’ are adequate.