In October 2019, the ECJ decided that the “right to be forgotten” under the General Data Protection Regulation (GDPR) only required Google to delete the relevant user’s personal data on EU versions of Google’s search engine, rather than worldwide.
Whilst the “right to be forgotten” is not an absolute right under the GDPR, the outcome of this judgment curtails individuals’ rights and gives them less control in respect of their global online presence and potentially reputation. This may at first appear unusual given the acknowledgement and acceptance that the worldwide web is indeed worldwide, and that therefore being required to delete data in the EU on request with no requirement to delete the same data outside of the EU may result in an unnatural distinction.
The right to be forgotten
The right to erasure, also known as the “right to be forgotten” is codified under Article 17 of the GDPR. It derives from a 2014 Spanish case involving Google. The right is not absolute and only applies where one of the grounds set out in Article 17(1) applies. The right further does not apply in certain circumstances, as set out under Article 17(3), such as to the extent that the processing is necessary for exercising the right of freedom of expression and information.
The Google decisions
In 2014, the ECJ held that Google was required to delete personal data in respect of a Spanish individual who had made a request to Google “to be forgotten”.
In seeking to comply with this decision, Google deleted all such references on its EU domains (but not across its worldwide versions of the Google search engine). Google’s actions from the 2014 case i.e. to delete only information requested to be deleted from its EU domains only (the distinction not having been made in the original case), were then challenged by the French Data Protection Authority (CNIL), who disagreed with Google’s EU-only approach to the right to be forgotten. This resulted in CNIL issuing a fine to Google of €100,000. The fine was issued further to CNIL requesting that Google de-reference worldwide and Google refusing.
Google’s challenge of the fine resulted in CNIL seeking a direction from the European Court of Justice (ECJ), to clarify what the ECJ considered was necessary in terms of the extent and territorial reach of the required deletions/de-referencing. The accuracy and appropriateness of Google’s approach came before the ECJ in the Autumn of 2019.
Google’s main arguments were that the obligation could be abused by authoritarian governments trying to hide human rights abuses were it to be applied outside of the EU, and that it would be a way to enforce EU privacy laws and standards in countries without similar laws. Other entities joined Google in this action, given the connection with public international law’s principles of courtesy and non-interference and the freedoms of expression and of the press.
The ECJ held that search engine operators are not required under EU law to remove links on all the versions of its search engine. Further, the GDPR does not suggest that there is scope for Member States to go beyond their territory. As such, it held that Google was required to remove all links across all versions in the EU, but not further.
So, what will this mean for companies operating on a more global platform and for individuals seeking to enforce their rights?
As companies that process personal data expand their global reach, there may be increasing tensions between national regulators in place to protect individuals’ rights and companies. The fact that internet users may conduct searches outside of the EU and still be able to access EU de-referenced links after this judgment potentially undermines the right to be forgotten. However, the ECJ arguably did not wish to encroach of non-EU states by extending its remit to these, where the GDPR was not applicable.
Nevertheless, it is important to note that this judgment is not necessarily the comprehensive, definitive victory for Google as suggested in the press that was publicised towards the end of 2019. In its judgment, the ECJ did not rule out the possibility that certain cases may justify global de-referencing. Indeed, the ECJ stressed that “a supervisory or judicial authority of a Member State remains competent…to order, where appropriate, the operator of that search engine to carry out a de-referencing concerning all versions of that search engine,” such that while the EU does not strictly require global de-referencing, it equally does not prohibit it.