On 24 September 2019, the Court of Justice of the European Union (the "Court") issued a long-awaited decision regarding the territorial scope of the European "right to be forgotten" in the context of search engines (also referred to as "de-referencing").
Facts and proceedings
The case at hand (Case C-507/17) opposed Google and the French Data Protection Authority (the "CNIL"). Their dispute concerned the right to de-referencing, which enables a natural person to request the operator of a search engine to remove links to web pages from the list of results displayed by the search engine following a search conducted on the basis of that person's name.
In 2015, the CNIL served a formal notice imposing on Google an obligation to de-reference all the results appearing in a search carried out on the basis of a person's name from all the versions of its search engine, meaning on all the search engine's domain name extensions globally.
Google refused to comply with this formal notice on the grounds that the right to de-referencing as established under existing data protection laws should only apply in the European Union. In other words, Google considered that it should only remove the links to the results of searches conducted on versions of its search engine that are available to individuals living in the EU. Google nonetheless offered to implement some technical measures (known as geo-blocking) to ensure that internet users would be prevented from accessing the results at issue from an Internet Protocol ("IP") address deemed to be located in the country of residence of the person making the request, regardless of the version of the search engine used. The CNIL however found this proposal to be insufficient and imposed a EUR 100,000 penalty on Google for failing to comply with the formal notice.
Google sought annulment of this decision before the French highest administrative court ("Conseil d'Etat"), which then decided to raise the thorny issue of the territorial scope of the right to de-referencing before the Court by way of preliminary questions.
Question brought before the Court
The question brought before the Court is whether a search engine operator is required, when granting a request for de-referencing, to carry out that de-referencing on all versions of its search engine, or whether, on the contrary, it is required to do so only on the versions of that search engine corresponding to all EU Member States (or even only on the version corresponding to the Member State in which the request for de-referencing was made), using a "geo-blocking" technique where appropriate.
Thus, the question at the heart of this case was to determine the territorial scope of the right to be forgotten on search engines (i.e., national, European or global), in particular, whether the right to de-referencing has an extra-territorial effect outside the EU.
It is worth noting that although Directive 95/46 was still applicable on the date the request for a preliminary ruling was made, the Directive has since then been repealed by the GDPR, but the Court decided to answer the preliminary question in light of both this Directive and the GDPR.
The Court's ruling
The main conclusion of the Court's decision on 24 September 2019 is that EU law does not impose an obligation to remove the links at issue globally on search engines. While this may appear as a "victory" for Google, the Court's ruling does leave room for interpretation and therefore needs to be nuanced.
- Global de-referencing would indeed meet the objective
The Court begins its analysis with a rather bold statement: "It is true that a de-referencing carried out on all versions of a search engine would meet that objective in full". Admitting that de-referencing on all versions of a search engine would indeed serve the purpose of protecting the right to de-referencing for EU citizens, the Court continues to say that because the "Internet is a global network without borders" it renders information made accessible on search engines more ubiquitous. In a "globalised world", internet users' access to information is "likely to have immediate and substantial effects" on individuals in the EU. For this reason, the Court suggests that the EU legislature would be justified to impose on search engine operators an obligation to carry out de-referencing on all the versions of their search engines when granting a request for de-referencing made by an individual in the EU.
The Court does recognise, however, that the right to de-referencing is not a global concept and either does not exist, or may be interpreted differently, outside the EU.
2. The right to the protection of personal data is not an absolute right
The Court also reminds that "the right to the protection of personal data is not an absolute right" and "it must be balanced against other fundamental rights", including the right to freedom of expression. Following this important statement, the Court acknowledges that such a balance "may vary significantly around the world". We come back to this later in this article.
3. The data protection rights granted by EU law apply only in the EU
According to the Court, there is no evidence that the EU legislator specifically intended for EU data protection rights to have an extra-territorial scope and thus to apply beyond the territorial limits of the EU.
4. No global de-referencing, but EU de-referencing is required
In light of the above considerations, the Court reaches the conclusion that EU law does not impose any obligation on search engine operators to carry out a de-referencing on all the versions of their search engines (i.e. at a global level).
Nonetheless, the Court says that de-referencing should be carried out in respect of all Member States as this was clearly the intention of the EU legislator when adopting a "regulation". Therefore, it cannot be limited only to the Member State in which the individual making the request is located but must apply consistently across all the EU.
5. Search engine operators must block access to de-referenced data
When required to carry out a de-referencing, search engine operators should take "sufficiently effective measures" to ensure the "effective protection" of the individual's fundamental rights. The Court does not give any details about such measures but specifies that they must "have the effect of preventing or, at the very least, seriously discouraging internet users in the Member States from gaining access to the links in question". Google had initially suggested to apply geo-blocking techniques based on the user's IP address in order to block access to the data in question. Ultimately, the Court says it is up to the French courts to assess whether the measures proposed by Google meet these requirements.
It is interesting to note, however, that such measures will not prevent internet users from re-publishing the data on the Internet, with the possible effect of having new links appearing in a search engine's results that are similar to those that were removed following a de-referencing request. In this context, a single de-referencing request, although granted at a European level and combined with geo-blocking measures, may not be enough to ensure an effective protection of the data subject's right to privacy.
6. The need to strike a balance between the individual's right to privacy and the freedom of information of Internet users
The Court also says that the right to privacy (and to the protection of personal data) of individuals must be reconciled with the general public's interest to access information, and it explains the role of the data protection authorities (DPAs) in striking this balance. The Court makes this analysis on the basis of EU and non-EU law.
- Right to privacy vs the freedom of information outside the EU
According to the Court, the balance between the right to privacy (and to the protection of personal data) and the freedom of information of internet users is likely to vary significantly around the world. The Court also says that, to this day, the EU legislature has not struck a balance between the EU right to privacy and the freedom of information outside the EU, thus implying that it has no legal basis for deciding how the right right to privacy under the EU can be reconciled with fundamental rights outside the EU.
The Court also says that, despite the existence of legal mechanisms under the GDPR that allow the DPAs to cooperate with one another for the purpose of reaching a common position on the balance between an individual's right to privacy (and to the protection of personal data) and the right of the public to have access to information, these mechanisms currently do not apply to de-referencing outside the EU. As a result, the DPAs are not able to reconcile the right to de-referencing under the GDPR with the freedom of information outside the EU.
- Right to privacy vs freedom of information within the EU
On the contrary, article 17(3)(a) of the GDPR does provide for a balance between the right to be forgotten and the right of freedom of expression and information within the EU. The Court does highlight the fact that, even within the EU, the right to access information may vary between Member States, thus suggesting that this balancing exercise may not necessarily produce the same result in every EU Member State. However, the Court argues that the DPAs now have a legal obligation (based on articles 56 and 60 of the GDPR) to cooperate in order to reach a consensus for cross-border processing and to ensure a consistent interpretation of the GDPR throughout the EU. On this basis, the Court says that the DPAs have the required legal tools and mechanisms that enable them to reconcile the individual's right to privacy (and to the protection of personal data) with the general public's right to access information within the EU. As a result, the DPAs may interpret the right to de-referencing consistently across the EU for all internet users and for all searches that are carried out within the EU. Following this ruling, some guidance from the EDPB to further explain how the right to de-referencing applies in the EU and how it may be balanced against other fundamental rights in the EU would be welcome.
However, this may prove to be challenging given the fact that article 85 of the GDPR also gives exclusive competence to the Member States to reconcile the right to the protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression. Consequently, the EDPB may find it difficult to reach a consensus between 28 (or soon 27) EU Member States who each have their own laws, guidance and case law on fundamental rights.
7. Global de-referencing nonetheless remains possible on the basis on national laws
The decision of the Court ends with a twist. Having explained that there is "currently" no right to global de-referencing under the GDPR, the Court finishes by saying that "it also does not prohibit such practice".
The use of the word "currently" once again suggests that the EU legislature could decide to extend the scope of de-referencing outside the EU, for example, if it were to amend the GDPR.
But more importantly, the Court considers that a national court or DPA individually is competent to order a search engine operator to carry out a de-referencing globally where appropriate, i.e. after weighing an individual's right to data protection against the right and freedom of expression, "in light of national standards of protection of fundamental rights".
In other words, although it has closed the door to global de-referencing based on the GDPR, the Court leaves that door open based on Member State laws. The specific reference to "national standards" is particularly interesting as it suggests that a court or DPA in a Member State would remain competent to order a global de-referencing, despite the fact that such order cannot be issued exclusively on the basis of the GDPR. This could possibly create awkward, conflicting situations whereby the same DPAs would combine their efforts to reach a common position on the right to de-referencing at EU level while maintaining the right to order a global de-referencing at a national level.
Unsurprisingly, the CNIL has already announced in a recent press release that it has competence to order a de-referencing globally and that it will comply from now on with the Court's decision in all requests for de-referencing that it receives.
Internet users in the EU may also obtain different results depending on the country in which they reside. Indeed, one DPA in one Member State may decide to grant a global de-referencing while another DPA in another Member State may limit the de-referencing to the territory of the EU. Ultimately, the national DPAs and courts are likely to issue decisions and rulings that will vary depending on the facts of each case and how the fundamental rights are reconciled in each country. This somehow appears to contradict the spirit of the GDPR, i.e. to harmonize the legal framework for data protection across the EU and to avoid national differences and it is not clear how the DPAs will enforce the Court's ruling in such situations.
In conclusion, while the Court's ruling does provide clarity on the scope of the right to de-referencing under the GDPR, it also leaves room for further guidance and interpretation, and ultimately empowers the national DPAs and courts to decide whether and when to pronounce a global de-referencing.