Last September 24th, 5 years after the Google Spain decision in 2014, the Court of Justice of the European Union ruled again on the controversial right to be forgotten. Applying the European law, the justices denied that a provider can be ordered to remove (or deindex) content from search results around the world.
As part of a lawsuit filed against Google, Inc. (now Google LLC), in 2015, the French Data Protection Authority (CNIL) ordered Google to deindex some of the content from all versions of the search engine that are available worldwide. Google objected and claimed that it would only deindex content for users who were accessing the search engine from a specific Member state. As a result, the CNIL imposed an €100,000 fine on Google.
Google appealed the decision before the Conseil d’Etat, requesting the sanction be voided. The Conseil d’Etat decided to suspend the proceedings and refer the matter to the Court of Justice, asking, in essence, whether the right to be forgotten could extend beyond the European territory’s borders, and whether a provider may be obliged to de-index certain content globally.
The Court decided to address the issue, not only in light of the Directive (EC) 95/46, the first legal basis of the right to be forgotten, but also under the new Regulation (EU) 2016/689, the so-called “GDPR.” The latter, in Article 17, precisely codifies the “right to be forgotten.”
The Court reaffirmed the well-known principles of international comity between states, and thus confirmed that the European legislation cannot extend beyond its borders. The justices noted that were the European law to be imposed on a third country, the latter’s sovereignty would be infringed. The right to be forgotten is confined within the boundaries of the European Union.
There can be no doubt that the GDPR applies to search engines which, although established in third countries, process data in the context of one or more Member states. However, this factor does not justify an unacceptable broadening of the scope of said Regulation. Indeed, many third countries do not recognize the right to deindex or to otherwise take a different approach to deindexing.
The Court recalls that similar differences exist in the balance between the person’s right to deindex and the freedom of information in the different Member states of the European Union. However, the GDPR provides mechanisms of liaison and coordination between various data protection authorities. It is therefore possible, for an authority to issue a decision that orders providers to de-index a piece of content from all the versions of the search engine that are accessible within the European Union.
While it is true that European law does not deny the possibility that a national court impose a global deindexing of content, it is also true that such a rule cannot be identified among the European provisions on the protection of personal data. Indeed, on the contrary, the justices would have reached a completely opposite decision. Additionally, since the European data protection laws are now based on a regulation, i.e., a source of law that is immediately applicable in every state, and it appears difficult that a Member state’s privacy law can be reasonably identified as the basis for a global deindexing order.
As this is the legal framework, the balancing point appears to be what the Court’s Attorney General had identified, i.e., the geoblocking mechanism. This method prevents access to a specific piece of content by people accessing the Internet from the European Union, via an identification of the IP address from which the connection starts.
The question remains whether this technology suffices to ensure adequate protection: an issue that the Court referred back to the Conseil d’Etat to assess.