On the 24th September 2019, the Court of Justice of the European Union (CJEU) ruled in Case No C-507/17 in the names ‘Google LLC v Commission Nationale de l’Informatique et des Libertes (CNIL)’ that the ‘right to be forgotten’ principle is limited to the EU territory. This is the first important decision identifying the geographical scope of the EU’s data protection regulation.
Data Protection – Right of Erasure
Directive 95/46 provides that Member States shall guarantee every data subject the right of erasure of data the processing of which does not comply with the provisions of this Directive because of the incomplete or inaccurate nature of the data.
Article 17 of Regulation EU 2016/679 (General Data Protection Regulation), which is directly applicable in Member States, specifically provides on this ‘right of erasure’ (‘the right to be forgotten’) whereby data subjects have the right to obtain the erasure of personal data concerning him with undue delay where, inter alia, (a) the personal data is no longer necessary in relation to the purpose for which it was collected or processed; (b) the data subject withdraws consent on processing of the data collected and there is no legal ground for such processing; (c) the data subject objects to the processing of the data and there is no overriding legitimate ground for such processing ; (d) the personal data was unlawfully processed; (e) the personal data has to be erased for compliance with a legal obligation in the EU or MS law to which controller is subject.
However, such right for erasure shall not apply to the extent that processing is necessary for exercising the right of freedom of expression and information.
Data Protection – Territorial Scope
Article 3 of the same Regulation provides that this Regulation applies to:
- The processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU regardless of whether the processing takes place in the EU or not’
- The processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU but where the processing activities are related to the offering of goods/services to data subjects in the EU or the monitoring of data subject’s behaviour within the EU
- The processing of personal data by a controller not established in the EU but in a place where MS law applies by virtue of public international law.
In 2015, CNIL, the French Data Protection Regulator, had fined Google the amount of €100,000 for failing to comply with its formal notice to remove from all its search engine’s domain name extensions the list of results displayed following a search conducted on the basis of the person’s name who would have requested for the erasure of all data in his regard in terms of the data protection regulation.
Google had complied to removing the links from only the results displayed following searches conducted from its search engine in the Member States. Google argued that this right at issue is not without geographical limitation and disregarding such limitation would infringe on the freedom of expression, information, communication and the press.
The French Conseil d’Etat requested a preliminary ruling to the CJEU to determine the territorial scope which must be conferred on a de-referencing exercise.
After considering all observations submitted, the Court emphasized that numerous third States do not recognize the right to be forgotten or have a different approach. Moreover, the right to the protection of personal data is not an absolute right but is considered in relation to its function in society and must be balanced against other fundamental rights in accordance with the principle of proportionality. The Court also recognized that the balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world.
The Court noted that neither the wording of Directive 95/46 nor that of Regulation 2016/679 seem to indicate that the EU legislature would, for the purposes of guaranteeing a high level of protection of personal data through the EU, have chosen to extend the scope beyond the territory of its Member States and intended to impose on an operator, like Google, an obligation of de-referencing also on search engines that do not correspond to Member States.
The Court confirmed that EU law does not currently provide for such a scope of de-referencing outside the EU and, hence, there is no obligation for a search engine operator who grants a request for de-referencing made by a data subject to carry out such a de-referencing on all the versions of its search engine but only on all versions corresponding to all Member States.
However, the Court closed by emphasizing that while EU Law does not require de-referencing from all versions of a search engine, it also does not prohibit such a practice. Hence, a supervisory or judicial authority of a MS remains competent to weigh up, in light of national standards of protection of fundamental rights, a data subject’s right to privacy and the protection of personal data, on the one hand, and the right to freedom of information, on the other, and to order, where appropriate, the operator of that search engine to carry out a de-referencing concerning all versions of that search engine.