The September 24, 2019 European Court of Justice (ECJ) press release on the ruling notes that the “operator of a search engine is not required to carry out a de-referencing on all versions of its search engine” in order to comply with the GDPR’s “right to be forgotten.” What this means in practice is that when search engines grant a de-reference request under the GDPR, they will not have to de-list search results that appear in non-EU domains. The search engines, however, are still required to discourage EU citizens from accessing those non-EU domains.
This ruling is a positive public policy development because it limits the reach of the right to be forgotten to EU Internet domains such as .de or .fr. From an international relations standpoint, this is also positive because it prevents the EU’s “right to be forgotten” from being applied extraterritorially, which would have strained the transatlantic relationship and the EU’s relations with other countries as well. Nonetheless, there are aspects of the ECJ ruling that are concerning.
ECJ acknowledges relevance of non-EU law but says Parliament could impose global de-referencing
The ECJ said (para. 59) that “it should be emphasized that numerous third States do not recognize the right to de-referencing or have a different approach to that right.” However, the court said (para. 58) that the EU legislature actually does have the “competence” (authority) to oblige search operators to “de-reference” right to be forgotten requests on all of its versions of its search engine.
The important takeaway here is that had the GDPR been written differently, it is possible that the ECJ would have found that the right to be forgotten was applicable to non-EU domains. The ECJ did not limit the reach of the right to be forgotten on public policy grounds (which was appropriate) or international law grounds, but rather because the GDPR does not require global de-referencing. It arrived at this conclusion because the GDPR does not provide for a balance between the right to privacy and the right to freedom of information of Internet users outside the EU.
Moreover, the EU’s supervisory authorities do not have the needed mechanisms to coordinate decisions with respect to the scope of de-referencing outside the EU. So, the court found that “currently, there is no obligation under EU law” for global de-referencing. That could change, of course, if EU law is amended.
Even if GDPR not changed, regulators could impose global de-referencing if they document correctly
The ECJ held (para. 72) that the law does not “prohibit” regulators from imposing de-referencing “concerning all versions of that search engine,” i.e. even outside the EU. All the regulators need to do is provide some rationale for why they think that the privacy interest outweighs the right to freedom of information interest.
It therefore appears like this is an invitation to regulators to push the envelope to obtain global de-referencing. And, in fact, the French data protection authority (CNIL) said in its reaction to the ECJ ruling that a “supervisory authority, and so the CNIL, has the authority to force a search engine operator to delist results on all the versions of its search engine if it is justified in some cases to guarantee the rights of the individual concerned.” This sets the stage for relitigating the issue.
Digital single market potentially undermined because of continuing national court role
The ECJ was obviously concerned that even if an internet user in, say, France, was prevented from accessing de-referenced information from EU websites, that it would be relatively easy to obtain the information from elsewhere in the Internet, for example a .com domain. To account for this, the court held (paras. 70, 73) that search engines must go beyond de-referencing in the EU. They must also “effectively prevent or, at the very least, seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subject’s name from gaining access, via the list of results displayed following that search, to the link which are the subjects of that request.”
What this means is that if a search engine detects that the French internet user is trying to access banned information from a non-EU site, she or he must be discouraged from accessing the information. That is technically possible to do using geoblocking, a technique the EU typically otherwise discourages. Hopefully over time, national courts will not diverge too much in their interpretations over how to interpret this provision because that could undermine the digital single market, which is, in fact, the key to unlocking the EU’s undoubted digital potential.
In the meantime, the ECJ ruling leaves it to the national court to decide whether Google’s new layout to its search engine meets this requirement (para 71). The new layout involves a geolocation process to automatically direct users to the national version of the Google search engine based on user presumed locations when conducting a search (para. 42).
ECJ October 3, 2019 ruling says court considers worldwide applicability of EU law permissible
The court’s judgment in Case C-18/18 Eva Glawischnigh-Piesczek v Facebook Ireland Limited is different from the right to be forgotten ruling because it involves content that has been found by a national court to be illegal. However, it is relevant in this context in that it says that national courts can issue injunctions with “worldwide effects,” i.e. beyond the EU. This adds to the view that even though the September 24, 2019 ruling on the right to be forgotten did not result in that case in the extraterritorial application of EU law, the ECJ is open to such extraterritoriality in the future.
Let’s not export bad public policy
US tech does not often get wins in the ECJ nowadays and the right to be forgotten ruling was a win – at least for the time being. Nevertheless, it’s clear that whether the EU can apply the right to be forgotten or right to erasure globally will be relitigated. In this context it is worth recalling what is at stake.
The right to be forgotten allows people to ask that links to websites, news, and databases be taken down if the requestor considers the information “old, no longer relevant, or not in the public interest.” In other words, it mandates the deletion of truthful and accurate information, and thereby limits free expression.
The task of determining whether the erasure request is valid is delegated to search engine operators. This is bad public policy not only because privacy is prioritized disproportionately over other rights, such as the right to freedom of information, but because private companies are deputized to make judgments that effectively infringe on the right to freedom of information.
It is important, therefore, that stakeholders around the world continue to ensure that the bad public policy of a right to be forgotten as enshrined in the GDPR not be exported beyond the EU.