By Andy Liu (HMC ’23)
The European Union has a reputation for stringent data rights regulations, with the 2018 passing of the General Data Protection Regulation (GDPR) further strengthening personal data rights and data protection across member states. However, a recent ruling in the European Court of Justice (ECJ) in a case between Google and CNIL, a French privacy regulator, relaxed these regulations by deciding that one GDPR provision, the “right to be forgotten”, did not have to be enforced outside of the EU. This ruling has drastically limited the EU and France’s ambitions to enforce their data protection mechanisms globally; however, the wording of the ruling makes it unclear how long this will last.
The right to be forgotten, which was codified in Articles 17 and 19 of the GDPR, regulates the erasure of personal data. It requires companies to immediately erase personal data no longer needed for their original processing purpose or if erasing the data is required by the data subject or some other regulation. In practice, it gives Europeans the right to request that pages containing sensitive personal information about them be removed. This right was first established in a 2014 European Court of Justice case (also involving Google) when Spanish national Costeja González demanded that Google remove online newspaper records describing his 1998 legal proceedings. However, this version of the right to be forgotten is far from universal – outside of Europe, major nations like the United States have no such regulation.
The dispute began in 2016 when French privacy watchdog CNIL fined Google 100,000 euros for not delisting search results that citizens had requested to be delisted on all of its web domains, rather than just on EU ones. The search results included a satirical photo montage of a female politician, an article referring to someone as a public relations officer of the Church of Scientology, the placing under investigation of a male politician and the conviction of someone for sexual assaults against minors.
Google contended that it did not need to delist results outside of the European Union due to GDPR’s status as an EU regulation. Google attempted to compromise by delisting search results on all domain names, as long as the searches were conducted within the EU. However, the CNIL insisted that “only delisting on all of the search engine’s extensions, regardless of the extension used or the geographic origin of the person performing the search, can effectively uphold this right”, citing the extraterritoriality of the internet when making this demand.
While this was not the largest fine levied on Google by CNIL, Google remained committed to contesting the case, arguing that an obligation to follow right to be forgotten regulations worldwide would conflict with the public’s right to know important information about their elected officials. Additionally, they argued that a pro-CNIL ruling could, by enforcing European Union regulations worldwide, “encourage more authoritarian regimes to impose their values on the rest of the world”.
Ultimately, the ECJ agreed with Google, stating in a press release that: “…the right to the protection of personal data is not an absolute right…the balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world.” As a result, the ECJ officially ruled that there was no obligation under EU law for Google to delink search results in all versions of its website. Yet Google was still obligated to delink search results in all EU versions of its website.
Although Google may have won this landmark case, the ECJ ruling may still harm Google and other large tech companies in the long run. Most notably, the court specifically stated that “while, as noted…above, EU law does not currently require that the de-referencing granted concern all versions of the search engine in question, it also does not prohibit such a practice.”
In other words, while the ECJ ruled that EU law currently does not require companies like Google to respect the right to be forgotten on non-EU websites, it left the door open for further cases to do so. In fact, the ECJ even went as far as to encourage global regulations, saying in its ruling that the globalized nature of the internet would justify the EU if it decided to “lay down the obligation, for a search engine operator, to carry out, when granting a request for de-referencing made by such a person, a de-referencing on all the versions of its search engine.”
Much has been made of this judgment, with critics claiming a landmark victory for Google and the tech industry as a whole and suggesting that the EU’s ability to police tech companies outside its borders had been halted. However, while this ruling may buck the trend of increasingly comprehensive data privacy regulations, its wording seemingly encourages further EU legislation to regulate external tech companies.
While Google and other technology companies can claim a landmark data rights victory in the ECJ, the verdict is still out on whether this will last. Whether it does will depend on how multinational bodies such as the EU respond to the globalization of the internet – an issue that, due to the growing influence of the internet and its freedom from national borders, is as pertinent as ever.