News September 2015: Right to be forgotten and delisting
The "right to be forgotten" must be implemented by search engines on all relevant domains
A considerable step forward for personal data protection has been made by the Court of Justice of the European Union (CJEU) in its decision dated May 2014[1] : the « right to be forgotten » entitles individuals to request from search engines, under certain conditions, the de-listing of specific links arising from web searches based upon their names.
Further to this decision, 2.000 de-listing claims have been registered, most of them relating to Google.
Since Google restricted the de-listing to its EU domains as regards European claimants, the French Data Protection Authority (CNIL) summoned Google, on June 12 2015, to implement the de-listing of all accepted claims to all its domains, within the 15 days following this formal notice.
Google filed a petition against this formal notice, alleging that the CJEU decision was only enforceable as regards EU domains and blamed the CNIL for trying to make an extraterritorial application of European case law.
On September 21, 2015, the CNIL rejected such petition and its conclusion is clear: as from the moment Google accepted a de-listing claim, such de-listing must be operated on all relevant domains of the search engine. The domains being only different pathways to access one data processor, the de-listing shall not be limited to the domains related to the country where the claimant is located; otherwise, such geographical restriction will necessarily deprive the CJEU decision of all practical effectiveness.
How would it be possible indeed to give full effectiveness to the “right to be forgotten” if the claimant is only granted with a de-listing right on the “.fr” domain whereas it is possible to find easily its related personal data through the”.com” domain of same search engine?
The CNIL does not behave as an “imperialist” by applying the decision dated May 13, 2014 outside the French and European boundaries; its only intent is to “ask for the full compliance with European law by non-European operators providing services in Europe”.
By doing this, the CNIL simply applies the common position stated, on November 26, 2014 by the group G29[2] in its guidelines specifically dedicated to the CJEU decision: “in order to give full effect to the data subject’s rights as defined in the Court’s ruling, de-listing decisions must be implemented in such a way that they guarantee the effective and complete protection of data subjects’ rights and that EU law cannot be circumvented. In that sense, limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient mean to satisfactorily guarantee the rights of data subjects according to the ruling. In practice, this means that in any case de-listing should also be effective on all relevant domains, including .com”.
In such circumstances, it will be most difficult for Google to refuse to implement the « right to be forgotten » in its « absolute » meaning such as defined by CJEU – which is the only acceptable interpretation with respect to the European citizens personal data protection rights; especially while it is quite clear that a number of safeguards already exist to make sure that, in the context of implementing the « right to be forgotten », there remains a fair balance between the data privacy protection rights on the one hand, and the access to information public right on the other hand.
Undoubtedly, if Google persisted in its refusal to operate the de-listing on all relevant domains, it would become a litigation matter with the CNIL and Google may incur some fines at the end of the day. In any case, the supporters of data privacy in the United States - which voices are much less taken into account by local authorities – are very much interested in those last developments and strongly hope that European case law may have a positive impact on the data privacy protection rights in the US.
by Sarah Temple-Boyer, Attorney at law
[1] CJUE C-131/12 dated May 13, 2014 Google Spain SL et Google Inc. V. Agencia Espanola de Proteccion de Datos (AEPD) et Mario Costeja Gonzales
[2] G29 is a working group gathering the representatives of all Data Protection Authorities in Europe.