The 'right to be forgotten' hit the headlines following the shock judgment in the Google Spain case. The judgment pre-empted both the extended territorial scope and the right to erasure in the EU General Data Protection Regulation 2016 (GDPR), and highlighted the frequent tension between the rights to privacy and data protection on the one hand, and to freedom of expression and access to information on the other. The 'right to be forgotten' online applied to outdated and irrelevant data in search results unless there was a public interest in the data remaining available and even where the search results linked to lawfully published content.
Following the Google Spain judgment, regulators have considered whether or not this EU right (and the subsequent GDPR version of the right) extended to non-EU search engine URLs. If Google gives effect to a right to be forgotten request in Europe, is it obliged to de-list the results on all versions of its search engine?
The CNIL (the French data protection regulator) decided it did and that Google had to de-list or de-reference search results on a global scale where they were the subject of a successful de-listing request under the Data Protection Directive and as a result of the Google Spain ruling. The CNIL's view was that only de-listing results within the EU meant that they remained accessible from the EU which defeated the object of the de-listing. Google did not comply with the CNIL's order but de-listed searches on its EU domains and proposed using geo-blocking to prevent access to results appearing on other domains. The CNIL fined Google EUR100,000 for failing to comply in full. When Google sought an annulment of the CNIL's decision, the matter was referred to the CJEU.
The CJEU has folloTechnology, media & communicationswed an earlier AG Opinion in Google v CNIL, and found that when Google responds to 'right to be forgotten' requests, it is only required to remove links to search results on versions of its search engines corresponding to Member States. There is no obligation under EU law to go further and de-list from all versions of a search engine. Therefore, the position relating to such requests remains the same: right to be forgotten requests made under EU data protection law (whether the Data Protection Directive or the GDPR) will not be effective for individuals seeking to have their personal data removed from searches conducted using non-EU domains.
In line with the AG Opinion, the CJEU said that the right to data protection is not an absolute right and must be balanced against competing rights and interests. In what the court called "third States" (like the USA), it said the right to be forgotten is not recognised or a different approach is taken to that in the EU and the EU legislation has not struck the right balance between the scope of de-listing outside the EU. Nor has it created rights for data subjects beyond the scope of Member States and EU law "does not provide for co-operation instruments and mechanisms as regards the scope of de-listing outside the EU".
The CJEU went on to say that search engine operators have to take sufficiently effective measures to protect the fundamental rights of data subjects. This includes, if necessary, measures which effectively prevent or seriously discourage users (who conduct a search from one of the Member States) from gaining access to de-listed data via a version of the same search engine outside the EU. It will be up to Member States to determine whether sufficient steps have been taken.
The final point made by the CJEU is that while global de-listing is not required, neither is it prohibited. Member States remain competent to weigh up, in the light of national standards of protection of fundamental rights, a data subject's right to privacy and the protection of personal data concerning him or her, on the one hand, and the right to freedom of information on the other, and, after weighing those rights against each other, to order, where appropriate, the operator of that search engine to de-list across all versions of that search engine.
This is clearly a victory for Google and other search engines, but the judgment also has a profound effect on those seeking to manage their online reputations globally, even when the data being processed may be inaccurate, out of date or excessive under EU law.
It will obviously be a blow to individuals seeking to have inaccurate, out of date or excessive data removed from search results on a global scale under the GDPR. Having made a successful right to be forgotten request and had unlawful data removed from Google search results generated under a search of their name conducted via EU Google domains, the same data will remain accessible in (for example) the US, via a search using a US Google domain. The conflict between unlawful data being removed from some search results in some countries, but not others, is an example of the differences between the EU and the approach of other countries (including the US) to privacy issues. In a globalised, online world, data subjects' rights have only partial coverage.
Individuals who have successfully had unlawful URL links to their data removed from EU Google domains may gain some comfort that their de-listed data will not remain easily accessible from Member States by users simply using a non-EU domain to circumvent de-listings to access the data as a result of the requirement to seriously discourage EU-user access.
The CJEU does suggest that on an individual, case by case basis, there may be a requirement to de-list globally. However, the judgment does not shed a great deal of light on how or when this might occur and it remains unclear how any such requirement, order or direction from a court in a Member State would or could be enforceable in the US compelling Google to comply. For the time being, right to be forgotten requests, as a reputation management tool, remain imperfect.