In Google LLC v. Commission nationale de l'informatique et des libertés (CNIL),Footnote 1 the Court of Justice of the European Union (CJEU or Court) held that the EU law only requires valid “right to be forgotten” de-referencing requestsFootnote 2 to be carried out by a search engine operator on search engine versions accessible in EU member states, as opposed to all versions of its search engine worldwide. While the ruling has been perceived as a “win” for Google and other interveners, such as Microsoft and the Wikimedia Foundation, who argued against worldwide de-referencing,Footnote 3 the Court also made clear that that while the EU law does not currently require worldwide de-referencing, “it also does not prohibit such a practice” (para. 72). As a result, the CJEU found that an order by a national supervisory or judicial authority of an EU member state requiring worldwide de-referencing in accordance with its own national data protection laws would not be inconsistent with EU law where the data subject's right to privacy is adequately balanced against the right to freedom of information. By leaving the door to extraterritorial de-referencing wide open, the CJEU continues to pursue its post-SnowdenFootnote 4 hard-line stance on data privacy in a manner that is likely to transform the data privacy landscape.
In 2017, the French Conseil d’État (Council of State) referred questions about the territorial scope of de-referencing requirements under the (in)famous “right to be forgotten” to the CJEU. That right, now spelled out in Article 17 of the EU General Data Protection Regulation 2016/679 (GDPR),Footnote 5 had previously been derived by the CJEU from Articles 12 and 14 of the now defunct EU Data Protection Directive 95/46/EC (Directive 95/46)Footnote 6 in the case of Google Spain.Footnote 7 The Google LLC v. CNIL case mainly concerned Directive 95/46, but to ensure the future applicability of this decision the Court found:
Although Directive 95/46 was applicable on the date the request for a preliminary ruling was made, it was repealed with effect from 25 May 2018, from which date Regulation 2016/679 is applicable. The Court will examine the questions referred in light of both that directive and that regulation in order to ensure that its answers will be of use to the referring court in any event. (Paras. 40–41)
A “de-referencing” request granted by a search engine operator in accordance with the “right to be forgotten” involves the removal of links to web pages from the list of results displayed following a search conducted of the requester's name. Such a request may only be made by natural persons who are citizens of the EU and only to remove access to web pages that contain personal information about the requester.Footnote 8 A search engine operator can refuse a de-referencing request in certain circumstances, including where it is in the public interest to have access to the information or in the interests of maintaining freedom of speech.Footnote 9
As the world's largest search engine operator, Google operates many different country-specific versions of its search engine “in order to tailor the results displayed to the specificities, particularly the linguistic specificities, of the various States in which that company carries on its activities” (para. 36). Although internet users can no longer access foreign versions of Google by simply typing into their internet browsers the uniform resource locator (URL) of Google with a different geographical domain name extension from their own,Footnote 10 users can still easily access foreign versions of Google by changing their search settings.Footnote 11 Users can also “trick” Google into displaying a foreign version of its search engine by using a virtual private network (VPN), which allows users to pretend they are in a different territory.
It is in this context that the dispute which was the subject of the Council of State referral arose. On May 21, 2015, the president of the Commission nationale de l'informatique et des libertés (French Data Protection Authority or CNIL) issued Google a notice directing it to ensure that granted de-referencing requests are carried out on all of Google's domain name extensions worldwide. Google refused to comply with the notice, arguing that the Google Spain decision did not entitle the CNIL to mandate worldwide de-referencing. Google instead confined the scope of de-referencing to domain names corresponding to versions of its search engines in EU member states. In response to the concern that internet users could access another version of Google's search engine corresponding to a non-member state to get around de-referencing requests, Google proposed a “geo-blocking” solution that would prohibit an internet user located in a member state from seeing de-referenced web pages regardless of the version of Google they accessed. The CNIL regarded this proposal, which was made after the expiration of the time limit set out in the May 2015 notice, as insufficient and fined Google €100,000 on March 10, 2016. Google sought the annulment of this fine by application to the Council of State.
The EU advocate general delivered his opinion on January 10, 2019,Footnote 12 which argued that while “worldwide de-referencing may seem appealing on the ground that it is radical, clear, simple and effective,”Footnote 13 it was not apparent from the wording of Directive 95/46 and the Google Spain decision that the “right to be forgotten” required de-referencing on a worldwide scale. On a more practical level, the advocate general suggested worldwide de-referencing could initiate a “race to the bottom, to the detriment of freedom of expression, on a European and worldwide scale,”Footnote 14 as non-EU countries impacted by worldwide de-referencing could, in response, also implement worldwide de-referencing under their own laws. Furthermore, the advocate general suggested that the objective and practical effect of Directive 95/46 was that de-referencing had to take place on an EU-wide level and that search engine operators had to take all technically feasible steps to ensure effective and complete de-referencing which, in this case, included geo-blocking.
The CJEU largely agreed with the advocate general's opinion. First, the Court found that “currently, there is no obligation under the EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such de-referencing on all of the versions of its search engine” (para. 64). The Court reached this conclusion despite acknowledging that worldwide de-referencing would meet the objectives of Directive 94/46 and the GDPR in full. The CJEU noted that many non-EU states do not recognize the right to de-referencing and that the right to the protection of personal data is “not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights,” such as the freedom of information (para. 60). Ultimately, the Court found that it was not apparent from the wording of Articles 12 and 14 of Directive 95/46 or Article 17 of the GDPR that the EU Parliament chose to confer an extraterritorial scope on the operation of the “right to be forgotten.”
Despite this, the Court went on to find that the “right to be forgotten” as recognized under the EU law does require search engine operators that grant de-referencing requests to carry out such requests on versions of its search engine corresponding to all member states. Interestingly, in reaching this conclusion, the CJEU relied solely on its analysis of the GDPR, and found it pertinent that the EU legislature chose to replace the previous Directive 95/46 with a Regulation, indicating to the Court its intention to “ensure a consistent and high level of protection throughout the European Union” (para. 66).Footnote 15 Moreover, the CJEU placed great relevance on Articles 56 and 60–66 of the GDPR, which establish cooperative obligations between the data protection authorities of each EU member state to reach a single binding decision on the manner in which cross-border processing of data by a data controller within the EU is to take place. This cooperative framework, the Court found, provided a basis for reconciling any concerns of inconsistency between the data subject's rights to privacy and the public's right to access the information subject to the de-referencing request, especially where the interest of the public in accessing the information varies from one member state to another.Footnote 16
Furthermore, the CJEU clarified the technical obligations on search engine operators when granting a request for de-referencing. The Court held that any measures taken by search engine operators to implement such requests must “have the effect of preventing or, at the very least, seriously discouraging, internet users in the Member States from gaining access to the links in question using a search conducted on the basis of that data subject's name” (para. 70). The Court found in this case that it was for the Council of State in France to determine whether the technical measures Google had taken met these requirements.
The Court's last and perhaps most important point went beyond the conclusions reached by the advocate general. It found that, although the EU law does not currently require worldwide de-referencing, competent domestic judicial or supervisory authorities of member states could mandate worldwide de-referencing after adequately weighing the data subject's right to privacy against the right to freedom of information.Footnote 17 The Court also implicitly acknowledged the EU legislature's competence to broaden the scope of the “right to be forgotten” under the GDPR to require worldwide de-referencing.Footnote 18
* * * *
The CJEU's judgment is likely to have a significant impact not only on the operation of Google's search engine, but on the global digital privacy landscape as a whole. In a press release immediately after the Google LLC v. CNIL decision was published, the CNIL specifically noted the Court's concluding points and asserted on this basis that the CNIL had “authority to force a search engine operator to delist results on all the versions of the search engine if it is justified in some cases to guarantee the rights of the individuals concerned.”Footnote 19 This response illustrates that the dispute between Google and the CNIL is far from over and that worldwide de-referencing orders from France could be just around the corner, despite the advocate general's warning of a global “race to the bottom.”Footnote 20
At the time of writing, Google had received over 850,000 requests to de-list over 3.3 million URLs across all member states since the Google Spain decision.Footnote 21 Nearly 190,000 de-referencing requests came from French citizens, who requested the de-listing of more than 670,000 URLs and were successful in removing 49.4 percent of requested URLs.Footnote 22 The number of French requests is likely to increase if, as a result of this decision, the CNIL and French legislators seize upon the Court's approval of worldwide de-referencing in accordance with national law. As mentioned in the decision and advocate general's opinion,Footnote 23 worldwide de-referencing is an attractive prospect for data privacy enthusiasts because it effectively prevents EU citizens from circumventing EU-wide de-referencing through, for example, the use of a VPN.Footnote 24 The scale and success with which French citizens have pursued de-referencing requests, as opposed to citizens of other member states,Footnote 25 suggests that worldwide de-referencing from France is likely to have a non-negligible effect on Google's search engine platform if the number of requests made rises as a result of this decision.
It is important to read this judgment in the context of the Court's more recent data privacy decisions to understand the extent of its implications. In the wake of Edward Snowden's 2013 revelations of U.S. spying on ordinary citizens and world leaders alike, the CJEU has adopted a hard-line stance on data privacy. This position has been reflected in a number of the Court's decisions since 2013, including Schrems Footnote 26 and Opinion 1/15,Footnote 27 where the Court invalidated the EU-U.S. Safe Harbour and EU-Canada Passenger Name Record agreements respectively for their failure to adequately safeguard data privacy, as well as the Digital Rights Ireland Footnote 28 and Tele2 Sverige Footnote 29 cases, in which the Court invalidated an EU Data Retention Directive and national law respectively for disproportionate and unjustified interferences with the rights to privacy and personal data protection enshrined in Articles 7 and 8 of the EU Charter of Fundamental Rights.Footnote 30
The Google LLC v. CNIL decision is a clear indicator of the CJEU's persistence in the protection of data privacy post-Snowden. While the Court has been praised for its restraint in finding that the current EU law on the “right to be forgotten” only applies within the EU,Footnote 31 its recognition of the EU Parliament's ability to extend the GDPR extraterritorially and member states’ ability to apply national de-referencing laws beyond their borders suggests the Court may have a contrary intent. Moreover, the CJEU appears to have reached these conclusions at the expense of the GDPR's aims to harmonize the data protection framework across the EU.Footnote 32 The decision allows member states to decide individually the territorial scope of de-referencing obligations, thus creating the potential for different results based on where the requester resides.Footnote 33 By creating the potential for national data protection authorities to apply stronger protections than those afforded by the GDPR, this decision could be seen as another brick in the “data privacy wall” which the CJEU has built to protect EU citizens.
The Court's approach is also reinforced by another “right to be forgotten” decision published on the same day as the Google LLC v. CNIL and in which Google intervened. In the GC, AF, BH, ED v. CNIL decision,Footnote 34 the CJEU extended the grounds upon which EU citizen can request search engine operators to de-reference search results, specifically where such results contain sensitive personal information relating, inter alia, to racial or ethnic origin, political opinions, religious beliefs, and sexual orientation.Footnote 35 When read in the light of this judgment, the real significance of the Google LLC v. CNIL decision and the Court's continued hard-line stance on data privacy protection in EU and beyond becomes clearer.
Google has also dealt with requests for global enforcement to de-list search results outside of the EU. In the 2017 Google v. Equustek decision,Footnote 36 the Canadian Supreme Court ordered Google to globally de-reference all websites of an entity accused of stealing trade secrets from a Canadian information technology company. The decision was strongly condemned, particularly in the United States, for the allegedly improper exercise of extraterritorial jurisdiction and the restrictions such orders impose on the freedom of information.Footnote 37 Indeed, the “right to be forgotten” has been met with similar condemnation on that basis that it “seems like a complete evisceration of a right to open communication if a court can force obfuscation of facts just to protect someone's reputation.”Footnote 38 Despite these criticisms, the CNIL's assertive response to the Google LLC v. CNIL decisionFootnote 39 suggests that while Google has “won the battle” in that case, it is “losing the larger war against global injunctions.”Footnote 40
Notably, the CJEU has already moved to solidify the outcome of this decision. Glawischnig-Piesczek v. Facebook,Footnote 41 published only a few days after Google LLC v. CNIL, concerned an Austrian Supreme Court decision requiring Facebook to remove posts, on a worldwide basis, calling the former Austrian Green Party leader a “lousy traitor,” “corrupt oaf,” and a member of a “fascist party.”Footnote 42 As the case related to the EU Electronic Commerce Directive 2000/31/EC (Directive 2000/31)Footnote 43 and its prohibitions on defamatory content rather than EU data privacy laws, the CJEU did not directly draw upon its decision in Google LLC v. CNIL. However, the Court reached a similar conclusion, finding that because Directive 2000/31 does not make any provision with respect to its territorial limitations, member states are not precluded from ordering worldwide injunctions to remove material deemed unlawful in accordance with Directive 2000/31 under their own national laws.Footnote 44 The case, therefore, serves as a formula for the CNIL, or any other member state data protection or judicial authority, to apply worldwide de-referencing orders under the “right to be forgotten.”
Google LLC v. CNIL's significance can thus only be understood by situating it in this broader context, which reveals the continued forcefulness of the CJEU's stance on data protection. Only time will tell how influential this decision will be in shaping CJEU's future privacy decisions and global data privacy practices more generally. With the hotly anticipated Schrems II decision looming,Footnote 45 we may not have to wait very long.