The Law and Business of Social Media
October 02, 2019 - Data Security, Privacy, Right To Be Forgotten

Forget Me…or Not: Europe’s High Court Limits Territorial Reach of Right to Be Forgotten, But Not of GDPR

In a landmark ruling, the European Court of Justice—Europe’s highest court—dealt Google a clear win by placing a territorial limit on the “right to be forgotten” in the EU. The court’s holding in Google v. Commission nationale de l’informatique et des libertés (CNIL) clarifies that a search engine operator that is obligated to honor an individual’s request for erasure by “de-referencing” links to his or her personal data (i.e., removing links to web pages containing that personal data from search results) is only required, under the GDPR, to de-reference results on its EU domains (e.g., google.fr in France and google.it in Italy), and not on all of its domains globally.

However, in the same ruling, the Court also stated that the GDPR applies to Google’s data processing on all of its domains globally (by virtue of such processing comprising “a single act of processing”). Therefore, an EU Member State’s supervisory authority and courts are free to treat the ECJ’s EU-wide de-referencing requirement as a “floor” and go one step further, requiring search engines to implement the right to be forgotten on all of their domains worldwide, including those outside the EU.

Background – The Right to Be Forgotten

The right to be forgotten—codified at Article 17 of the GDPR—grants individuals the right to obtain erasure of their personal data without undue delay, where, for example, the data are no longer necessary for the purpose for which they were collected or processed. However, the right is not unlimited; exceptions apply if the processing is deemed necessary for the exercise of freedom of expression, compliance with a legal obligation, public interests such as public health, scientific or historic research, or the establishment or defense of legal claims.

Article 12(b) of the EU Data Protection Directive 95/46/EC (“the Directive”) conferred a similar (though slightly narrower) right. The Directive required Member States to guarantee individuals the right to obtain rectification, erasure, or blocking of personal data when the processing of that data does not comply with the Directive’s provisions. Although the GDPR replaced the Directive, the court examined the questions posed under both the Directive and the GDPR because the case originated when the Directive was still operative.

The Case

In 2014, the ECJ ruled in Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos that individuals have the right to request that Google delete links to webpages containing their personal data from Google search results even if the publication of such information on those webpages is lawful. This was a significant expansion of rights as it granted the right even where the information was rightfully made public. The ECJ held that because search engines make it easier to find information, the search engine operators are responsible (i.e., are data controllers) with respect to search engine results. Search engine operators are therefore fully responsible for the content they display, and individuals have a right to request that links to third-party websites containing their personal data be deleted from search results when the personal data are inadequate, irrelevant, or excessive in relation to the purposes of the processing.

Google responded to the ruling by using geolocation data to route users to the appropriate national version of its search engine and by de-referencing the relevant search results on its EU domains only. The CNIL, France’s data protection authority, subsequently levied a €100,000 fine on Google, asserting that Google should de-reference the search results on all of its domains globally. Google appealed the fine to the ECJ.

The Court’s Reasoning

Siding with Google, the court reasoned that while both the Directive and the GDPR aim to guarantee a high level of protection of personal data throughout the EU, and “de-referencing carried out on all the versions of a search engine would meet that objective in full,” there is currently no obligation to do so under EU law. Instead, the court held that search engine operators need only carry out de-referencing on all of their EU Member State domains, regardless of the Member State from which the erasure request originates.

In its decision, the court emphasized that it is not apparent from the text of either the Directive or the GDPR that the EU legislature intended for the right to be forgotten to have an extraterritorial reach.  An individual’s data protection rights are not absolute and must be balanced against other fundamental rights, including freedom of expression and information.  The court indicated that the EU legislature performed this balancing test for the EU only, and the outcome “is likely to vary significantly around the world.” Accordingly, the right to be forgotten is not necessarily recognized outside of the EU and there is currently no obligation under EU law for a search engine to de-reference its search results around the world.

However, the court noted that while EU law does not require global de-referencing, it likewise does not prohibit it. As it has been left up to Member States to balance individual rights and the freedom of expression and information (based on GDPR Article 85), a Member State’s supervisory authority or courts may reach a different conclusion on global de-referencing.

The GDPR’s Extra-Territorial Applicability

While it may appear to be limited to search engines and the right to be forgotten, the court’s ruling is in fact much broader. The court already decided, in the 2014 Google Spain case, that Google Search in the United States is subject to the GDPR because its activities are inextricably linked with the activities of Google’s EU sales office. In that case, the court reasoned that the EU establishment was “intended to promote and sell in that Member State advertising space offered by the search engine which serves to make the service offered by the search engine profitable.” Selling advertising space renders the search engine economically profitable, while the search engine provides the platform on which the advertising activities are performed. As a result, the court held that Google’s activities in the U.S. and the EU are “inextricably linked” and the GDPR therefore applies directly to Google in the U.S. The subsequent question of whether the GDPR applies to personal data processed in the context of the EU domains only, or to all of Google’s processing activities in the U.S. (including those on non-EU domains), was left unresolved.

The ECJ appears to answer that question in this latest decision. The ECJ ruled that although Google operates different national versions of its search engine, the “entire search engine must still be regarded as carrying out a single act of personal data processing” due to the existence of gateways between the various national versions.  In other words, because national versions of the Google search engine are considered part of a single act of processing, GDPR applies to data processing in the context of the entire search engine, not just the EU versions. This clarifies the court’s holding that national EU regulators and courts may conduct their own balancing test and potentially require de-referencing outside of the EU if they find that the processing is inextricably linked.

The decision may also apply outside of the search engine context. Any company that operates a single service (such that it constitutes a single act of processing of personal data) and has establishments in the EU runs the risk that the GDPR will “taint” all of its global data processing operations. However, it remains to be seen whether regulators will focus enforcement on global processing of personal data. As the European Data Protection Board acknowledged in its (draft) Guidance, the GDPR’s territoriality principle (under Article 3(1)) should not be applied overly broadly, such that even a remote link to data processing in the EU would be sufficient to bring that processing within the GDPR’s scope. At a minimum, it seems highly unlikely that regulators will make such extraterritorial enforcement of GDPR a priority.