In the wake of the Google Spain decision, debates have continued as to whether non-EU search domains can be subject to ‘right to be forgotten’ requests for content removal. This issue previously arose with guidance issued by the Article 29 Working Party (“Working Party”) - the collective body of EU data protection regulators (“DPAs”) - in late 2014. While search engines had sought to limit the removed content to EU-only search results (such as on google.ie), the Working Party’s guidance suggested that global results (such as google.com) should also be covered. In France, a recent appeal by Google to the French DPA – the CNIL – has seen the French regulator take the view that Google must take down content on Google.com, not just its EU website.
The CNIL’s decision arose from an informal appeal by Google. Google lodged an appeal against the CNIL’s previous ruling that Google must apply the ‘right to be forgotten’ globally. Google claimed that applying the ‘right to be forgotten’ globally would inhibit the public’s right to information and would constitute censorship.
The CNIL rejected Google’s appeal. In stark language, the CNIL stated that once a ‘right to be forgotten’ request satisfied the criteria set out by the Court of Justice of the European Union (“CJEU”) and the Working Party, the removal of the search result(s) must be applied across all versions of the search engine.
The CNIL stated that a failure to apply the ‘right to be forgotten’ in such a manner would allow search engines to undermine the CJEU’s ruling and the privacy rights of data subjects. According to the CNIL, Google’s various domain names merely offered different paths to the same processing operation; limiting the right to be forgotten to some domains only would make it easy to circumvent EU law.
Google argued that the CNIL was going beyond its jurisdiction, but this was rejected. The CNIL stated that it simply wants non-EU companies to respect EU laws when offering their services here.
If followed, the CNIL decision could result in Google removing thousands of search results from google.com and other non-EU domains.
Should Google refuse or fail to comply with the CNIL’s ruling, it could be subject to stiff administrative sanction.
The finding by the CNIL that a US company is required to remove search results on its US targeted ‘.com’ domain is likely to give rise to much debate. This is primarily due to the fact that it shows, in stark terms, the clash between EU privacy law and US law, particularly the First Amendment. This conflict is also seen in the Schrems decision, and the on-going debate over transfers of EU residents’ information to the US. It remains to be seen how this issue will play out. However, for now it is clear that the “long arm” of EU data protection law is seeking to reach outside the EU’s bounds.