Data ProtectionPrivacy

Google can limit the right to be forgotten to Europe according to the ECJ

The European Court of Justice issued a landmark decision on the right to be forgotten

The EU Court of Justice sided with Google over a claim from the French data protection authority on the right to be forgotten in a landmark decision.

This article was initially published on DLA Piper blog Privacy Matters.

The Google ECJ case on the right to be forgotten

The right to be forgotten refers to the ability for individuals in Europe to demand that data controllers, including search engines, such as Google, to erase their personal data. This activity in the case of search engines means that the removal of search results linked to such an individual’s name, also known as de-referencing.

The case was brought before the European Court of Justice (CJEU) by Google via the French ‘Conseil d’Etat’, reacting to a € 100,000 fine imposed by the French data protection authority, the CNIL. According to the CNIL, Google’s practice of confining itself to only de-reference, as a consequence of the right to be forgotten requests, on European versions of its search engine following a request thereto was unlawful.

In particular, according to the CJEU

siding with the Advocate General Szpunar’s opinion, the Court held that EU law does not require search engines to carry out a de-referencing on non-European versions of its search engine as claimed by CNIL.

Indeed, if the CNIL’s position was followed by the CJEU and a worldwide de-referencing was required by default under EU law, European data protection authorities would have been able to determine the search results that Internet users see around the world, setting a dangerous precedent for censorship that could be exploited by other countries.

It is not a full victory for Google

Notwithstanding the above, the Court left to the national data protection authorities to assess the measures to be taken on a case-by-case basis. And the CJEU even recognized that, in particular cases, those measures may still imply carrying-out a de-referencing concerning all versions of that search engine on a worldwide scale.

The right to be forgotten and information on crimes

On the same day, the Court also issued another ruling on the right to be forgotten. In that case, the European Court of Justice found that for search results on criminal proceedings, a search engine operator must, in any event, and at the latest on the occasion of a de-referencing request, adjust the list of results in such a way that

the overall picture it gives the Internet user reflects the current legal position of an individual.

What does this mean in practice for the right to be forgotten?

The main takeaways of the above-mentioned decisions can be summarized as follows:

  1. Search engine operators are generally not obliged to remove search results linked to an individual (or de-reference) on non-EU versions of the concerned search engine under EU law. As a result, the operator is not required to remove such references in its Brazilian version of Google (i.e., Google.br);
  2. De-referencing under EU law should in principle occur on all EU versions of a search engine, but exceptions may apply, extending the scope of the right on the basis of the assessment of the competent data protection authority;
  3. If necessary, search engine operators should take measures to prevent or discourage EU internet users from accessing the relevant references to the individual (notwithstanding the version of the search engine used). These measures may include geo-blocking solutions and even de-referencing on non-EU versions of its search engine.

My view on the decision

It appears that the decision crGiulio Coraggioeates an additional layer of uncertainty and complexity on the scope of the right to be forgotten. The criteria that data protection authorities might follow to extend worldwide the right to be forgotten are uncertain.

Additionally, it should be considered that the decision applies not only to Google and in general search engines. It also applies to any data controller which might have difficulties in dealing with such right in practice.

Also, it is interesting to see that the interpretation of the CJEU is in contrast with even the guidelines of the topic of EU data protection authorities. On the issue, you can read the article Right to be forgotten reviewed by privacy regulators.

Don't miss our weekly insights

Tags
Show More

Giulio Coraggio

I am the head of the Italian Technology sector and the global head of the IoT and Gaming and Gambling groups at the world-leading law firm DLA Piper. IoT and artificial intelligence influencer and FinTech and blockchain expert, finding solutions to what's next for our clients' success.

Related Articles

Back to top button
Close