The September 24, 2019 European Court of Justice (ECJ) press release on the ruling notes that the \u201coperator of a search engine is not required to carry out a de-referencing on all versions of its search engine\u201d in order to comply with the GDPR\u2019s \u201cright to be forgotten.\u201d What this means in practice is that when search engines grant a de-reference request under the GDPR, they will not have to de-list search results that appear in non-EU domains. The search engines, however, are still required to discourage EU citizens from accessing those non-EU domains.\nThis ruling is a positive public policy development because it limits the reach of the right to be forgotten to EU Internet domains such as .de or .fr. From an international relations standpoint, this is also positive because it prevents the EU\u2019s \u201cright to be forgotten\u201d from being applied extraterritorially, which would have strained the transatlantic relationship and the EU\u2019s relations with other countries as well. Nonetheless, there are aspects of the ECJ ruling that are concerning. \u00a0\nECJ acknowledges relevance of non-EU law but says Parliament could impose global de-referencing \u00a0\nThe ECJ said (para. 59) that \u201cit should be emphasized that numerous third States do not recognize the right to de-referencing or have a different approach to that right.\u201d\u00a0 However, the court said (para. 58) that the EU legislature actually does have the \u201ccompetence\u201d (authority) to oblige search operators to \u201cde-reference\u201d right to be forgotten requests on all of its versions of its search engine.\nThe important takeaway here is that had the GDPR been written differently, it is possible that the ECJ would have found that the right to be forgotten was applicable to non-EU domains. The ECJ did not limit the reach of the right to be forgotten on public policy grounds (which was appropriate) or international law grounds, but rather because the GDPR does not require global de-referencing. It arrived at this conclusion because the GDPR does not provide for a balance between the right to privacy and the right to freedom of information of Internet users outside the EU.\nMoreover, the EU\u2019s supervisory authorities do not have the needed mechanisms to coordinate decisions with respect to the scope of de-referencing outside the EU. So, the court found that \u201ccurrently, there is no obligation under EU law\u201d for global de-referencing. That could change, of course, if EU law is amended.\nEven if GDPR not changed, regulators could impose global de-referencing if they document correctly\nThe ECJ held (para. 72) that the law does not \u201cprohibit\u201d regulators from imposing de-referencing \u201cconcerning all versions of that search engine,\u201d i.e. even outside the EU. All the regulators need to do is provide some rationale for why they think that the privacy interest outweighs the right to freedom of information interest.\nIt therefore appears like this is an invitation to regulators to push the envelope to obtain global de-referencing. And, in fact, the French data protection authority (CNIL) said in its reaction to the ECJ ruling that a \u201csupervisory authority, and so the CNIL, has the authority to force a search engine operator to delist results on all the versions of its search engine if it is justified in some cases to guarantee the rights of the individual concerned.\u201d\u00a0 This sets the stage for relitigating the issue.\nDigital single market potentially undermined because of continuing national court role \u00a0\u00a0\nThe ECJ was obviously concerned that even if an internet user in, say, France, was prevented from accessing de-referenced information from EU websites, that it would be relatively easy to obtain the information from elsewhere in the Internet, for example a .com domain. To account for this, the court held (paras. 70, 73) that search engines must go beyond de-referencing in the EU. They must also \u201ceffectively prevent or, at the very least, seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subject\u2019s name from gaining access, via the list of results displayed following that search, to the link which are the subjects of that request.\u201d\nWhat this means is that if a search engine detects that the French internet user is trying to access banned information from a non-EU site, she or he must be discouraged from accessing the information. That is technically possible to do using geoblocking, a technique the EU typically otherwise discourages. Hopefully over time, national courts will not diverge too much in their interpretations over how to interpret this provision because that could undermine the digital single market, which is, in fact, the key to unlocking the EU\u2019s undoubted digital potential.\nIn the meantime, the ECJ ruling leaves it to the national court to decide whether Google\u2019s new layout to its search engine meets this requirement (para 71). The new layout involves a geolocation process to automatically direct users to the national version of the Google search engine based on user presumed locations when conducting a search (para. 42).\nECJ October 3, 2019 ruling says court considers worldwide applicability of EU law permissible\u00a0\nThe court\u2019s judgment in Case C-18\/18 Eva Glawischnigh-Piesczek v Facebook Ireland Limited is different from the right to be forgotten ruling because it involves content \u00a0that has been found by a national court to be illegal. However, it is relevant in this context in that it says that national courts can issue injunctions with \u201cworldwide effects,\u201d i.e. beyond the EU. This adds to the view that even though the September 24, 2019 ruling on the right to be forgotten did not result in that case in the extraterritorial application of EU law, the ECJ is open to such extraterritoriality in the future.\nLet\u2019s not export bad public policy\nUS tech does not often get wins in the ECJ nowadays and the right to be forgotten ruling was a win \u2013 at least for the time being. Nevertheless, it\u2019s clear that whether the EU can apply the right to be forgotten or right to erasure globally will be relitigated. In this context it is worth recalling what is at stake.\nThe right to be forgotten allows people to ask that links to websites, news, and databases be taken down if the requestor considers the information \u201cold, no longer relevant, or not in the public interest.\u201d In other words, it mandates the deletion of truthful and accurate information, and thereby limits free expression.\nThe task of determining whether the erasure request is valid is delegated to search engine operators. This is bad public policy not only because privacy is prioritized disproportionately over other rights, such as the right to freedom of information, but because private companies are deputized to make judgments that effectively infringe on the right to freedom of information.\nIt is important, therefore, that stakeholders around the world continue to ensure that the bad public policy of a right to be forgotten as enshrined in the GDPR not be exported beyond the EU.