Google vs. CNIL: EU Court Limits Right to be Forgotten to Member States
On 25 September, the European Court of Justice (ECJ) issued two rulings on the implementation of the EU’s right to be forgotten. The case had US-tech giant Google facing off against France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL) in a long-standing dispute over global injunctions issued on the basis of the right to be forgotten.
The ECJ ruled in favour of Google, holding that, while CNIL can compel the search engine to remove links for offending material for users located in Europe, it may not do so globally. The second decision, less widely publicised, concerned the handling of sensitive data which will require the creation of a notice-and-delist regime for especially sensitive categories of information, such as health data and criminal records.
The ECJ did not dismiss global injunctions all together, but simply made a ruling based on existing EU legislation at the time the case was put forward which, it concluded, did not give France the authority to request global injunctions, but, at the same time added that EU Law did not prohibit the practice. It is worth noting that, because the case was brought to the attention of the court in 2017, the ruling is based on Directive 95/46, not the General Data Protection Regulation (GDPR), which only came into effect on 25 May 2018.
Google VS CNIL
The right to be forgotten was the result of a ruling by the Court of Justice of the European Union (CJEU) against Google in May 2014 that stated that an individual had the right to request that old, inaccurate or irrelevant data be removed from search results and referred in general to the delisting of links by search engines.
Taking into account the ruling, Google began granting EU data subjects the right to be forgotten. However it first limited delisting to EU Member States domains such as Google.de, Google.fr etc. rather than its global search engine Google.com. When pushed by legislators, chiefly among them France’s CNIL in 2015, it also implemented geo-blocking technologies to prevent links whose delisting had been requested from appearing to EU-located individuals even on its global search engine. The links however were still accessible to internet users outside the EU.
CNIL insisted that the injunction should be global and issued Google with a €100,000 fine which the company contested bringing up the issue of censorship.
Right to Privacy VS Right to Freedom of Information
The main issue with the right to be forgotten, brought up by both civil society groups and several governments, is the possibility that it can be used as a tool of censorship. The fear is that, by enforcing the right to be forgotten, data protection authorities are encroaching on the right to freedom of information.
The ECJ itself although ruling in favour of Google in this case, did not close the door on global injunctions. In fact, it left it wide open. The ECJ stated that, in light of national standards of protection of fundamental rights, authorities of the Member States can weigh a data subject’s right to privacy and the protection of personal data concerning them against the right to freedom of information, and, where appropriate, request that the search engine operator carry out a de-referencing concerning all versions of that search engine.
This essentially means that data protection authorities will be able to impose global injunctions if they can prove that the personal data whose delisting is being requested does not interfere with the right to freedom of information.
How Does the Ruling Impact Compliance Efforts of Companies Outside the EU?
Companies outside the EU saw the ECJ’s ruling as a win against what is seen as an attempt by EU law makers of overreaching through extraterritoriality clauses in legislation such as the GDPR. However, the ECJ ruling is unlikely to impact companies that do not deal with publically available information.
The question of the right to freedom of information and how it can differ from country to country was at the heart of the debate around the Google VS CNIL case. If an organization collects information for commercial purposes, chances are it’s not publically available and therefore whether its deletion is being requested or not is of no consequence to internet users’ right to freedom of information.
Companies must also keep in mind that the right to be forgotten as enforced through the 2014 CJEU ruling is not the same as the GDPR’s right to erasure. Forgotten in this case refers to deindexing from public search engines, not the deletion of the content the search engines linked to. Erasure meanwhile refers to the deletion of personal information upon a data subject’s request.
While Google may have won the day, its fight against CNIL is far from over. The tech giant will soon be up against France’s data protection authority in another case which will see Google contesting a €50 million fine issued by CNIL in January 2019 for lack of consent on ads. This time though, the case will be judged under the GDPR and its decision may indeed change the face of data protection compliance.