France
Court of Justice of the European Union: Territorial scope of the “right to erasure” limited to the EU
IRIS 2019-10:1/4
Melinda Rucz
Institute for Information Law (IViR)
On 24 September 2019, the Court of Justice of the European Union (CJEU) delivered its judgment in the case of Google v. CNIL. The case builds on the Google Spain decision, in which the CJEU recognised search engine operators’ obligation to remove certain links upon request (see IRIS 2014-6/3). In the present case, the CJEU clarified the territorial scope of this obligation. Specifically, the CJEU held that EU law does not require search engine operators to remove links from all domain name extensions when granting an “erasure request”.
The case concerned a dispute between Google and the French data protection authority (Commission nationale de l’informatique et des libertés – CNIL). In 2015, the CNIL ordered Google to remove links from all of its search engine’s domain name extensions when acting on a request for erasure. Google refused to comply with the order, and it removed links only from those domain names of its search engine that corresponded with EU member states’ versions of Google (such as google.fr). In response, the CNIL issued a decision imposing a fine of EUR 100 000 on Google for failing to comply with its order (see IRIS 2016-5/13). Google challenged the decision of the CNIL before the Council of State of France, arguing that the right to erasure (also known as the “right to be forgotten”) does not require search engine operators to carry out the removal of links on a global basis. The Council of State decided to refer the matter to the CJEU, essentially asking the European court to clarify the territorial scope of the right to erasure, as enshrined in Article 12 of the Data Protection Directive (DPD), which has been replaced by Article 17 of the General Data Protection Regulation (GDPR) since the initiation of the case (see IRIS 2018-6/7).
In its judgment, the CJEU emphasised that the aim of the DPD and the GDPR is to ensure a high level of protection for personal data throughout the EU, and that to require search engines to carry out the removal of links globally would certainly meet this objective. Nonetheless, the CJEU emphasised that the right to the protection of personal data is not an absolute right and that it needs to be balanced against other rights – including Internet users’ right to freedom of information. The CJEU reasoned that in view of the fact that the right to erasure does not exist in several non-EU states , the balancing of the right to data protection with the right to freedom of information is likely to produce different results around the world.
The CJEU furthermore noted that the EU legislature has not set up any mechanism facilitating cooperation between EU and third states regarding the balancing exercise, whereas such a mechanism clearly exists to facilitate cooperation between EU member states. Consequently, the CJEU held that the EU legislature had not intended the scope of the right to erasure to extend beyond the territory of the EU. As a result, the CJEU found that no obligation exists under EU law to carry out the removal of links on a global basis. Instead, search engine operators are only required to remove links from the EU member states’ respective domain-name versions of the search engine. The CJEU furthermore stated that search engine operators must implement effective measures that prevent or seriously discourage Internet users in the EU from accessing removed links that appear on non-EU versions of the search engine. Lastly, the CJEU held that while EU law does not require the removal of links on a global basis, it does not actually prohibit this. Supervisory authorities in member states retain the authority to impose such an obligation, but only after careful balancing the right to the protection of personal data and the right to freedom of information.
References
- Judgment of the CJEU (Grand Chamber), Case C-507/17, 24 September 2019
- http://curia.europa.eu/juris/document/document.jsf?text=&docid=218105&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1536535
Related articles
IRIS 2018-6:1/7 Council of the EU: General Data Protection Regulation becomes applicable
This article has been published in IRIS Legal Observations of the European Audiovisual Observatory.