Perspective on the “new” right to be forgotten

Privacy Plus+

Privacy, Technology and Perspective

 Perspective on the “new” right to be forgotten. This week, the Court of Justice of the European Union (“CJEU”) ruled the EU’s “right to be forgotten” cannot be enforced against a search engine operator outside the EU’s borders.  A link to the opinion follows:

https://curia.europa.eu/jcms/upload/docs/application/pdf/2019-09/cp190112en.pdf

Reporting about the CJEU’s decision has largely focused on its characterization as “a win” for Google.  For example, Reuters reported “Google Wins in Right to be Forgotten Fight with France,” available here:

https://www.reuters.com/article/us-eu-alphabet-privacy/google-wins-in-right-to-be-forgotten-fight-with-france-idUSKBN1W90R5?feedType=RSS&feedName=businessNews

The Telegraph concluded that “we should all be worried by Google's growing role as the arbiter of knowledge,” available here:

https://www.telegraph.co.uk/technology/2019/09/24/should-worried-googles-growing-role-arbiter-knowledge/

While we don’t disagree with these characterizations, we do think that the decision deserves a closer look.

As background, in 2014, the CJEU ruled in the case of Google Spain SL, Google, Inc. v. Agencia Española de Protección de Datos (AEPD), Mario Costeja González that Google, as a search engine operator, is obliged to remove web search results about an individual when that person makes a request.  A link to that judgment follows, and its (wordy) conclusion can be found in Paragraph 88:

http://curia.europa.eu/juris/document/document.jsf;jsessionid=E58628EA8C66004F5E1C370037339D2F?text=&docid=152065&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=783940

 In so ruling, the court rejected Google’s argument that its only responsibility was finding the information, not deleting it.

 Following this ruling, in 2016, France’s data-protection regulator, CNIL, fined Google €100,000 for not removing links with damaging or false information about an individual on all of its platforms across the world. Google challenged the fine on the grounds that its geoblocking feature — which removes links from search results within the EU — was sufficient to comply with the law.

 On appeal, the CJEU agreed that Google is only required to remove search engine results within the EU.  However, the court pointedly couched its decision, stating “currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject…to carry out such a de-referencing on all the versions of its search engine…However, EU law requires a search engine operator to carry out such a de-referencing on the versions of its search engine corresponding to all the [EU] Member States.”  The CJEU particularly reasoned that other countries “do not recognise the right to dereferencing or have a different approach to that right.” Accordingly, its ruling was made on the balance “between the right to privacy and the protection of personal data [in the EU], on the one hand, and the freedom of information of internet users, on the other,…[a balance which] var[ies] significantly around the world.”  The court also noted that at this time, “EU law does not provide for cooperation instruments and mechanisms as regards the scope of a de-referencing outside the EU.”

 Will the EU create an obligation under EU law for search engine operators to globally de-reference links on the request of an EU resident, or create “cooperation instruments and mechanisms” to expand the scope of such de-referencing outside of the EU in light of this decision?  It seems possible and even likely, where now, the EU’s General Data Protection Regulation (“GDPR”) applies to any enterprise in the world that targets the European market in offering goods or services or profiles European residents, and as a result, must process the personal data drawn from EU member states.  Article 17 of the GDPR also now expressly provides that there is a “right to be forgotten,” except in certain circumstances. Moreover, Articles 44-50 of the GDPR contains requirements for the secure transfer of regulated personal data across EU borders and contemplate a handful of legal mechanisms to support such transfers. Accordingly, there is something counterintuitive the CJEU’s decision—if EU residents’ privacy rights are to be protected in a manner consistent with the GDPR (and Article 8 of the EU Charter of Fundamental Rights), then we think that their personal data must either be restricted to processing in the EU, or obligations on data controllers and processors must be made global and applicable even to search engine operators. 

 Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.