On January 10, 2019, Advocate General Szpunar issued his much awaited opinion in the Google case that was referred to the European Court of Justice by the French “Conseil d’Etat”, the highest administrative court of the country. The Conseil d’Etat basically asked the European Court of Justice to follow-up on its Google Spain decision: is the right to be forgotten – i.e., the right of individuals to request an operator of a search engine to remove links to web pages containing information relating to them – national, European or worldwide?
Since the Google Spain decision, many individuals have asked Google to delete information that can be obtained when their names were entered in the search engine. In France, a number of individuals whose requests had been turned down, filed complaints. On May 21, 2015 the French Data Protection Authority (“the French DPA”) ordered Google to delete the links from the results that could be obtained through all the extensions or domain names of the search engine (including google.com for example). The reasons given by the DPA were that there is one global data processing, that the various domain names are simply a technical path to access the data and that this is necessary for an effective implementation of the right to be forgotten.
Google took the view that they had no obligation to do this and on March 10, 2016 the French DPA fined Google (in an amount of 100,000€) for not complying with its previous decision. Google appealed and on July 19, 2017 the “Conseil d’Etat” held that there was indeed a single data processing and referred three questions to the European Court of Justice.
A Worldwide Right to be Forgotten? Non mais….
The first question is, basically, whether the French DPA is right: when an individual requests delinking, does such delinking have to be effective worldwide, irrespective of the place where the search is made, even though a search is made from a country outside the EU? The Advocate General’s answer is a “No but….” European laws do not have extra-territorial effects except in certain areas such as antitrust. Data protection and the freedom of information are fundamental rights protected by the European Charter of Human Rights, but to give them extra-territorial effect would create a dangerous precedent. However, there may be circumstances in which the interest of the EU requires that the Data Protection Directive should be enforced beyond the EU borders. The Advocate General, however, took the view that this case did not fall within this exception.
National or European domain names?
The second question is whether the search engine has to delete the links that would normally be accessed using the domain name of the country where the claimant made the delinking request or more broadly from what can be accessed using all EU domain names? In other words, is the territorial scope national or European? Not surprisingly, the Advocate General said that in a single common market, the right to be forgotten had to be enforced at the EU level.
National or European IP addresses?
The third question is very practical. Even though the search engine restricts the access to links on EU domain names, internet users based in the EU can still access the links simply by using a non-EU domain name. For example, a French user can very well use google.ca (the Canadian domain name) rather than google.fr (the French one). There is a technical solution to overcome this and it is what is called “geo-blocking”. Geo-blocking allows to restrict access depending on the origin of the user’s IP address, irrespective of the local domain name that is used. The question is whether search engines must use the geo-blocking technique when they implement the right to be forgotten? And if they have to, should they restrict access for IP addresses of the country where the claimant made the delinking request or for all EU IP addresses?
The Advocate General noted that the Google Spain decision did not help in that it had not gone into the details of what Google had to do in practice but the Court had nevertheless made clear that the protection of personal data must be fully effective. As a consequence, the search engine has to do whatever is necessary and this includes “geo-blocking”, irrespective of the local domain name which is used.
A decision is expected to be rendered by the Court in a few months. In a majority of cases, the Court follows the opinion of the Advocate General. It did so for example in the Schrems v/ Facebook case which led to the invalidation of the Safe Harbor but not in the Google Spain case.
In any event, it should also be kept in mind that the rules discussed in this case are those set out in the 1995 Directive which applied when the relevant facts took place, but which has now been replaced by the GDPR – in which the right to be forgotten is enshrined, as we commented on this blog – and that the territorial scope of the GDPR is much broader than that of the 1995 Directive.