The ‘right to be forgotten’ within the European Union

In the case of Google LLC (as successor in law to Google Inc) vs Commission Nationale de l’informatique et des libertés (“CNIL”) decided by the Court of Justice of the European Union (the “CJEU” or the “Court”) on the 24 September 2019, the Court delivered a landmark preliminary ruling with respect to the applicability of the ‘right to be forgotten’ within the European Union.

The request for a preliminary ruling revolved around the proper interpretation of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Directive”), specifically article 12(b) of the Directive and subparagraph (a) of the first paragraph of Article 14 of the Directive. The former provides that each Member State shall ensure that every data subject has the right to obtain from a controller of information, the rectification, erasure or blocking of data due to the incomplete or inaccurate nature of the data whereas the latter guarantees every data subject the right to object to the processing of data relating to him on compelling legitimate grounds. Collectively, both articles afford every data subject ‘the right to de-referencing’ as established by the Court in its judgment of the 13 May 2014 in the case of Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD).

The facts surrounding the request were as follows. On the 21 May 2015, the CNIL served formal notice on Google informing it that when processing a request from a natural person to remove links to web pages from the list of hits displayed following a search conducted on the basis of that person’s name (a “de-referencing request”), Google must apply such removal to all its search engines domain name extensions and not limitedly to those domain extensions of its search engines based in Member States. Google refused to apply such de-referencing request to all of its search engines and confined itself to removing those hits resulting from searches conducted from the domain names based in Member States. Google also put forward a ‘geo-blocking’ proposal whereby internet users would not be able to access the relevant hits after conducting a search on the basis of such data subject’s name from an IP address located within the State of residence of a data subject no matter which version of the search engine used. The CNIL rejected this proposal and after adjudicating that Google failed to comply with its formal notice, imposed a penalty of EUR 100,000 which penalty was also made public.

Google filed an application with the Conseil d’Etat requesting the annulment of the adjudication made by the CNIL. It argued that the penalty given by the CNIL was based on a misinterpretation of the provisions of the applicable French law at the time which transposed Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of the Directive. Considering that the matter at hand revolved around the interpretation of the Directive, the Conseil d’Etat decided to stay proceedings and refer two questions to the Court for a preliminary ruling. Essentially both questions sought to ascertain whether a search engine operator is required to carry out a de-referencing request on all versions of its search engine or whether it is required to do so only on those search engines which correspond to the Member State, or even more limitedly, to the version of the search engine corresponding to the Member State of residence of the data subject making the request using geo-blocking techniques.

Primarily the Court noted that although the provisions of the Directive were applicable at the time the request for a preliminary ruling was made, this was repealed by the General Data Protection Regulation[1] (the “GDPR”) with effect from the 25 May 2018. The Court noted that it will examine the questions referred to it by the Conseil d’Etat in the light of the Directive and the GDPR in order to ensure that its answers will be of use to the referring court in any case. The Court referred to recital 65 of the GDPR which provides that a data subject should have a “right to be forgotten” where the retention of such data infringes the GDPR or the Member State law to which the data controller is subject. However, this further retention of the personal data is lawful were it is necessary for exercising the right of freedom of expression and information. The territorial application of the GDPR extends to the processing of personal data in the context of the activities of a controller or a processor established in the European Union, regardless of whether the actual processing takes place in the European Union or not. Article 17(1) of the GDPR enshrines the right to be forgotten and provides that the data subject shall have the right to obtain the erasure of personal data concerning him or her from the controller without undue delay and the controller shall have the obligation to erase personal data where any of the grounds provided in the GDPR apply.

The Court noted that the internet is a global network without borders and search engines render the information generated on an individual following a search on the basis of such individual’s name ubiquitous. As such one would justify the existence of a competence of the part of the EU to oblige a search engine operator to carry out a de-referencing on all the versions of its search engine. Nevertheless, it emphasised that numerous third states do not recognise the right to de-referencing or have a different approach to such right. Moreover the right to the protection of personal data is not an absolute right but must be considered in relation to its functions in society and be balanced against other fundamental human rights in accordance with the principle of proportionality. Whilst EU legislation has struck a balance between the right to de-referencing and other fundamental human rights on an EU level, the Court observed that it has not struck such a balance as regards the scope of a de-referencing request outside the European Union. From a proper construction of the applicable provisions, the Court concluded that it was not the intention of the EU legislature to confer a scope of application on these provisions which would go beyond the territory of the Member States. Accordingly, the Court held that Google cannot be obliged by a supervisory or judicial authority of a Member State, to carry out a de-referencing request on all the versions of its search engine, including those found outside of the European Union.

As to whether such a de-referencing is to be carried out on the versions of the search engine corresponding to all Member States or only on the version of the search engine corresponding to the Member State of residence of the data subject in question, it follows that the de-referencing in question is, in principle, supposed to be carried out in all Member States.

Nevertheless, the Court made it clear that the interest of the public in accessing information within the EU may vary from one state to another, meaning that the balance between such an interest and a data subject’s right to privacy is not necessarily the same for all Member States. The Court pointed out that in terms of the Directive and the GDPR; it is for each Member State to provide for the exemptions and derogations necessary to reconcile the right to be forgotten with the freedom of information. The regulatory framework established by the GDPR provides national supervisory authorities with the tools necessary to reconcile a data subjects rights to privacy with the freedom of information and accordingly it also empowers national authorities to determine whether a de-referencing decision should cover all searches conducted from the territory of any Member State. In this regard, the Court held that it is the search engine’s operator’s duty to adopt effective measures that protect a data subject’s fundamental rights and discourage internet users in Member States from gaining access to the links in question. In its submissions, Google explained that following the request for a preliminary ruling, it implemented a new layout for national versions of its search engines whereby the internet user is automatically directed to the version of Google’s search engine that corresponds to the place from where he or she is presumed to be conducting the search and the results of such search are displayed according to that place which is determined by Google’s geo-location process. The Court held that it is up to the national court to determine whether Google’s measures satisfy these requirements.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data on the free movement of such data.

 

This law report was first published in The Malta Independent, 2 October 2019.