Google has recently triumphed in the fight against a worldwide application of the European “right to be forgotten” following the European Court of Justice’s ruling that Google does not have to take down search results revealing sensitive personal information of EU citizens worldwide, rejecting demands by the French Data Protection Authority. The long anticipated judgment by Europe’s top Court in Google v CNIL, delivered on 24th September 2019, was a test of the ‘right to be forgotten’, which allows EU citizens to request, among other things, the removal of search engine results that reveal their personal information. This right is now explicitly recognised in Article 17 of the influential EU’s General Data Protection Regulation (GDPR).
The ruling has been welcomed by US tech giants as an iconic curb of what they see as a ‘European overreach’- extension of its laws beyond borders. However, not many have noticed that the Court intentionally left a glaring loophole – an opportunity for EU countries to force worldwide de-listing if they deem so fit. In other words, EU countries could still compel Google to de-list beyond Europe, and this decision comes as no surprise in light of the broader context of EU’s pushback against US tech giants.
In the wake of Edward Snowden’s 2013 mass-surveillance revelations about US spying on ordinary citizens and world leaders alike, Europe’s top Court demonstrated leadership by taking a hard line stance on the enforcement of data privacy law, even against other EU bodies. Although many have perceived the latest judgment as a restraint on the Court’s expansive interpretation of EU law, the CJEU has in fact continued its hard line data privacy crusade with this judgment, which has significant implications for data privacy law, US tech companies, and Internet users.
How does de-referencing work and what does it have to do with Google?
As the world’s largest search engine, Google operates on many different country-specific domains (e.g. .au, .fr, .nz, etc.) that deliver search results calibrated to particular territories. Previously, one could easily access a foreign domain by changing the URL extension to that of the desired country. Google has since removed the ability to do this, but users can still access the results from other countries by changing their search settings.
To conform with EU law, Google uses geo-blocking systems to remove de-referenced search results for EU users regardless of which country’s results they attempt to access. However, geo-blocking systems can be overcome quite easily using, among other things, a virtual private network (VPN). The concern then is to ensure the ‘right to be forgotten’ is respected, and one way to do this it to require worldwide de-referencing – that is, to remove search engine results on all domains rather than one or more country-specific domains.
It is important to note, however, that it is not all that easy to make a de-referencing request with Google. Google doesn’t have to grant the request where they deem the requested link to be necessary for the freedom of speech, for reasons of public interest in public health, scientific or historical research, or for the defence of a legal claim. Moreover, the right to de-referencing can only be exercised by EU citizens.
French citizens have been some of the most successful in de-referencing Google search results. Since 2014, Google had received over 850,000 requests to de-list over 3.3 million URLs across all EU Member States. French citizens in particular have made nearly 190,000 requests to de-reference over 670,000 links and have been successful in removing 49.4% of them, which is higher than the EU average of 45%.
What actually happened in the CJEU?
The French Data Protection Authority (CNIL) served formal notice on Google in 2015 requiring it to effect de-referencing requests on all of its domains worldwide, not just its French google.fr domain or the domains of EU Member States. Google argued that they were not required by EU law to do this, and refused to comply with the notice. When Google was fined for its non-compliance, the matter was escalated to the CJEU.
The CJEU held that de-referencing of search engine results in accordance with a ‘right to be forgotten’ request under EU law does not require de-referencing on all the search engine’s domains worldwide. It was found that EU law only mandates de-referencing on Member State domains using appropriate technical means to seriously discourage access by EU residents to the de-referenced search results.
Not many noticed, but the CJEU went further to state that EU law does not actually prohibit worldwide de-referencing. As such, the courts or data protection authorities of Member States may require worldwide de-referencing where the circumstances necessitate it to protect the balance between freedom of information and the right to privacy. In essence, then, Europe’s top court has welcomed the extraterritorial application of de-referencing by Member States under their own domestic laws rather than EU law. Although, the Court also recognised that EU law could be amended in the future to require worldwide de-referencing from all EU Member States.
How does this judgement fit within a broader context?
Since 2013, the CJEU has, among other things, invalidated bilateral data transfer agreements between the EU and other countries (including the US) for their inadequate protection of data privacy, and has also invalidated EU and domestic Member State law for disproportionately interfering with data privacy rights. From these judgments the CJEU has emerged as the worldwide bastion of data privacy protection in the post-Snowden dystopia, whose aim is to combat data privacy overreach.
Moreover, this is not the first stoush between Google and the CJEU on data privacy. In 2014, the CJEU derived the ‘right to be forgotten’ from now defunct EU law, and found that it was applicable to search engines like Google. This was an important development – the law applies to entities that control and process data, and before the 2014 judgment it was not clear that Google was such an entity.
The court actually handed down another judgment relating to the ‘right to be forgotten’ on the same day as Google v CNIL. In that case, the Court extended the grounds upon which EU citizens can request a search engine to de-reference search results, specifically where such results contain sensitive personal information such as racial or ethnic origin, political opinions, religious beliefs and sexual orientation. In this context, it is clear that the CJEU has continued its post-Snowden hard line stance on privacy in Google v CNIL by recognising the extraterritorial applicability of the ‘right to be forgotten’. Realistically, then, the decision should come as no surprise.
The CNIL has already indicated that it intends to consider using this opening created by the Court to order worldwide de-referencing. Worldwide de-referencing is a much more attractive prospect to data privacy enthusiasts than EU-wide de-referencing because it cannot be overcome using a VPN. Hence, if the CNIL seizes on the opening granted by the CJEU in this decision, it is arguably likely that the number of de-referencing requests from French citizens will rise. If these requests are granted on a worldwide scale, it is not hard to see the impact this may have on the global data privacy landscape.
This decision can therefore be seen as another brick in the data privacy wall which the CJEU has built to protect the privacy of EU residents. When read together with the Court’s other post-Snowden data privacy decisions, the global impact of EU data privacy law that the CJEU has articulated becomes clear. This goes to show that privacy enthusiasts can continue to rely on the CJEU to make progressive and strong judgments in favour of maintaining data privacy, which should worry the likes of Google.