IP Insight is a series by Virtuoso Legal, the intellectual property specialists. This entry concerns the latest big decision concerning “the right to be forgotten” in the European Courts.

Background

The “right to be forgotten” is the right to require a search engine to “de-reference” links returned by a search for an individual’s name using a search engine, such as Google. This IP Insight looks back at the confirmation of the right to be forgotten and the recent case of Google LLC, successor in law to Google Inc. v Commission nationale de l’informatique et des libertés (CNIL) (C-507/17). That case sets out that

The CJEU case of Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (C-131/12) established the right to be forgotten. In that case, Google searches of Costeja González’s name returned newspaper articles from 1998. The articles included his name in the context of a real estate auction with the proceedings to recover social security debts.

The Spanish Data Protection Agency AEPD had accepted that the publication of the newspaper articles was lawful and justified, but the court considered that Google was a data “processor” for the purposes of personal data. This was not affected by the fact that the data had already been published online and the information contained was not altered by the search engine. The court agreed that data protection rights may require take-down or de-referencing, even where the publication is lawful.

The Fallout

Since that case was decided in 2014, Google has received over 845,500 “right to be forgotten requests referring to over 3 million individual links. Around half of the links have been removed in accordance with the request. The consequence is that the content remains online but cannot be retrieved through online searches of the individual’s name.

The right to be forgotten has also been formally included in the General Data Protection Regulation (GDPR), on which see our primer here. Individuals can request the removal of the data for various reasons, including when they simply withdraw their consent for their data to be used (and the organisation has no other legal basis for collecting it).

A recent CJEU case on the right to be forgotten has developed some guidance on the de-referencing right. In Google LLC v CNIL (C-507/17), the French Privacy authority, Commission nationale de l’informatique et des libertés (CNIL) formally notified Google that, when granting a request to de-reference links displayed in the list of a results following a search of that person’s name, that removal must apply to all its domain name extensions. That is, to google.fr, google.es, google.uk, google.com and so on.

Google refused to comply and removed links within the Member States of the European Union only. The company explained the domain name entered by the user no longer determines the national version of the search engine that will be accessed by that user. Instead it is automatically redirected to a domain name based on the corresponding IP (internet protocol) address. On that basis, Google proposed to use geo-blocking which would block results based on the IP address in the State of residence of the data subject (that is, the person to whom the data relates).

The questions for the court to consider were:

(1) Does “right to de-referencing” mean that a search engine operator is required to deploy the de-referencing to all of the domain names used by its search engine?

(2) If not, does it mean that a search engine operator is required only to remove the links at issue from the results on the domain name corresponding to the State in which the request is deemed to have been made?

… or, more generally, on the domain names distinguished by the national extensions used by that search engine for all of the Member States…?

Before the CJEU delivered their judgment, Advocate General Szpunar gave an Opinion on the case where he considered that de-referencing does not mean deploying worldwide de-referencing, but also that de-referencing on a national level would not be good enough. It must be done at the EU level, so as to “comprise an area without internal frontiers”.

Google argued that a requirement to de-list on every domain name extension would be disproportionate. The CJEU noted that in a globalised world, internet users’ access (including users outside the Union) to links to information referring to a person can have “substantial and immediate” effects on that person. However, they observed that many states around the world do not recognise the de-referencing right, or take a different approach. Protection of personal data is not an absolute right: it must be considered in relation to its function in society and balanced against other fundamental rights. Moreover, the GDPR and EU legislature do not currently provide for cooperation instruments or mechanisms for de-referencing outside the EU.

The court concluded that the de-referencing need not take place on all domain names, but also that it should not only be in the corresponding state to where the request was made. Instead, the right to be forgotten by a search engine means that access to the links should be effectively prevented throughout the EU.

Our insight: Forget everything you know about “the right to be forgotten”…

What’s next? In this case the CJEU clearly left hanging the possibility of worldwide orders for de-referencing, noting that while such an order is not required by EU law, it does not prohibit them either!

This means that a supervisory or judicial authority could indeed make a worldwide request to be forgotten, if appropriate. A Global de-indexing order against Google has been made and affirmed by the Supreme Court of Canada before, in respect of trade secrets and confidential (business information). Enforcing that order has been extremely challenging for the parties involved.

Personal data is, now more than ever, a top policy priority. Although it did not walk through it this time, the CJEU has opened the door for global de-referencing orders in the future.