On 13 May 2014 the Court of Justice of the European Union (CJEU) issued a judgment which Google called a “landmark ruling” (Google v. Costeja Gonzalez case, C-131/12). The court held, based on the 95/46 Directive on protection of personal data that “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person” where the data are “inadequate, irrelevant or no longer relevant, or excessive in relation to [the] purposes [for which they were originally collected or processed] and in the light of the time that has elapsed.”
With this decision, the Court of Justice established what is now dubbed the “right to be forgotten”. The rights to respect for private life and personal data are fundamental rights but they are not absolute and the Court held that a “fair balance” should be sought between these rights and “the interest of the general public in having access to that information”, especially if the data subject has had a “role in public life.”
In that case a Spanish private individual, Mr Mario Costeja Gonzalez, had failed to pay social security contributions, the creditors had attached some real property and the auction sale had been advertised in a Spanish newspaper. Sixteen years later, when people entered his name in the Google search engine, they would find that publication. Three weeks after the Court of Justice decision, Google published an online form for search removal requests.
One year later, where do we stand?
Google has been publishing a “transparency report” about the implementation of the right to be forgotten and as of August 10, 2015 they had received almost 300,000 requests from European citizens, France having the highest number (approximately 61,000 requests). In approximately 41% of the cases, they had removed the results from the European versions of the search engine.
However, certain individuals were still unhappy since they had requested the removal from other versions, including google.com.
On June 12, 2015 the Commission Nationale de l’Informatique et des Libertés (CNIL) therefore issued a notice ordering Google to remove search results from all domain names. The rationale behind this order is that the service provided by Google Search constitutes a single data processing and the “right to be forgotten” can only be effective if the litigious search results are removed from all versions.
On 30 July 2015 Google published a post on its EU blog in which they stated that they disagreed for three reasons.
First, “while the right to be forgotten may now be the law in Europe, it is not the law globally”.
This is of course accurate, although US entities that operate worldwide like Google know perfectly well that there are US laws which apply to activities conducted outside the US borders. The question here is: what is the scope of the European data protection laws? In the Gonzalez case, the issue of the extensions was not discussed at all. The Court of Justice held that the Spanish data protection law applied because Google Inc., the operator of the search engine, has an establishment in Spain through its subsidiary which promotes and sells advertising space offered by that engine. The Court also considered that since Google processes data, it is a “data controller” within the meaning of the Directive. The same reasoning can certainly be made for France with the same conclusion that French law applies.
Secondly, Google argued that “content that is declared illegal under the laws of one country, would be deemed legal in others…If the CNIL’s proposed approach were to be embraced…the Internet would be only as free as the world’s least free place”. Again, from a legal point of view, this is beside the point. In the Gonzalez decision the Court of Justice specifically held that the right to have the information removed applies “even, as the case may be, when its publication in itself on those pages is lawful.”
Thirdly, Google argued that the CNIL’s “order is disproportionate and unnecessary, given that the overwhelming majority of French internet users …access a European version of Google’s search engine like google.fr”. However, it seems that at least for some French judges, the criterion is not what a majority of French users do but rather whether it is possible for them to access the information. Thus, on September 16, 2015 a Paris District Court judge ordered Google to delete the links to statements that had been held defamatory. Google argued that the court order should be limited to the google.fr extension but the judge disagreed and held that Google failed to establish that it was impossible to access the information from the French territory by using other versions of the search engine.
This situation could well lead CNIL to take the matter further with, at the end of the process, a maximum fine of 150,000 euros. Not necessarily a very strong incentive to comply….
Pingback: GOOGLE AND THE RIGHT TO BE FORGOTTEN: THE FRENCH DATA PROTECTION AUTHORITY TAKES THE MATTER FURTHER | Security, Privacy and the Law
Pingback: Google and the Right to be Forgotten: The French Data Protection Authority Takes the Matter Further | Innovations in Law