Although attention this week has been largely focussed on a certain Supreme Court ruling, there has also been a significant decision of the Court of Justice of the European Union (CJEU) that should not go unnoticed.
On 24 September, the CJEU ruled that Google does not have to remove search engine results globally in order to comply with a "right to be forgotten" request under data protection law.
This is the first case that has ruled on the territorial scope of individuals' fundamental rights under the GDPR. It is a significant result for big tech companies and civil liberties organisations, reinforcing the principle that privacy rights are not always absolute and will need to be balanced against other fundamental rights, such as free speech and access to information. It also shows that, despite the GDPR's extra-territorial scope, EU privacy standards will not always be automatically enforced in other countries without equivalent laws.
Back in 2014, the CJEU ruled in the Google Spain case that EU citizens could request search engines to remove search results about them if the results are "inadequate, irrelevant or no longer relevant or excessive". Since that ruling, the "right to be forgotten", or the "right of erasure" has been crystallised into statute by the General Data Protection Regulation 2016 (GDPR). This right requires organisations that are subject to the GDPR to delete personal data about individuals on request in certain circumstances, for example where the organisation no longer requires the personal data, or the individual objects to the processing and the organisation cannot continue to justify holding the personal data.
In 2015, following the Google Spain case, the French data protection authority (the CNIL) ordered Google to remove search result listings not just within EU member states, but across all of Google's domains in other parts of the world. In response, Google introduced a "geo-blocking" feature, meaning that European users could not view delisted results even if they searched using a non-EU Google domain (such as Google.com). However, Google did not remove search results from those domains; so non-EU users could still see the results if searching using a non-EU domain. The CNIL fined Google €100,000 (£88,376) in respect of the refusal to censor search results globally.
Google then took the case to the French Conseil d'État (council of state), which referred the question of whether the right to be forgotten requires search results to be delisted globally to the CJEU.
The CJEU agreed with Google that global delisting of search results is not required in order to comply fully with a right to be forgotten request. As long as search results are removed from all versions of the search engine corresponding to the relevant EU member states, according to the court's ruling, this will be a compliant response to a right to be forgotten request.
The judgment makes clear that the right to privacy and rights associated with protection of personal data (such as the right to be forgotten) must be balanced with the right of freedom of information of internet users and the legitimate public interest in accessing the information sought. Given that this balance would vary significantly around the world, the court did not think it appropriate to impose EU standards on countries that sit outside EU jurisdictions.
The court also agreed with the Advocate General's opinion that the right to be forgotten provisions in the GDPR do not expressly cover the territorial scope of the right or automatically mean that the right must apply on a global basis. The GDPR itself does have limited "extra-territorial" effect, which means that it applies to processing of personal data by organisations outside the EU, where the processing relates to offering goods or services to EU citizens or monitoring EU citizens. However, the court's view was that, in relation to the right to be forgotten, this did not extend as far as requiring a search engine to apply the right globally across all domains.
The CJEU's refusal to impose a key GDPR right on countries that do not recognise the GDPR as law will be of general interest to multi-national organisations with processing operations across different jurisdictions. But those organisations should bear in mind that the facts of the case are very specific and involve particular intricacies, such as the balance of other fundamental rights and the borderless nature of the internet, which undoubtedly affected the decision. The ruling is therefore unlikely to give "carte blanche" to international organisations to ignore the GDPR outside the EU. Further decisions on the law's territorial scope will be interesting to see how far the courts are willing to extend the application of the GDPR outside the EU.