Gemma Townley, Partner and Nadia Ahmed, Trainee Solicitor in the Technology team at Sharpe Pritchard consider the recent judgment by the CJEU in Google v CNIL, which gives a landmark ruling on the territorial application of the right to be forgotten for global search engines.
On the 24 September 2019, the Court of Justice of the European Union (‘CJEU’) held that the right to be forgotten, now codified in Article 17 of the General Data Protection Regulation (“GDPR”), requires a search engine to carry out a request for de-referencing only within the territory of the EU, and not on a global basis, confirming the territorial scope of the right to be forgotten.
This is the first case that has ruled on the interpretation of the GDPR and will have a substantial impact on the approach search engine companies take to receiving requests to erase personal data.
Background and Facts
Article 17 GDPR affords data subjects with the right to erase their personal data and places an obligation on the controller to then erase that personal data without delay. This right is widely known as the ‘right to be forgotten’.
The Commission Nationale de l’informatique et des Libertés (‘CNIL’) is an authority which regulates the compliance of data protection laws in France.
In 2015, CNIL served notice on Google that, when granting a request for links to web pages to be removed from the list of results displayed following a search of that requester’s name, it must apply that removal to all its search engine’s domain name extensions, not just the EU member states domain.
Google refused to comply with the notice and proposed a ‘geo-blocking’ feature on the search engine. This feature would prevent EU member state users from accessing the search results in question even if searched from a Google domain outside of the EU.
This meant that the search result in issue was not removed and therefore users outside of the EU could access the search result when searching from a domain outside of the EU.
In response, CNIL imposed a EUR 100,000 fine on Google in respect of the refusal to remove search results worldwide.
Google took the issue before the Conseil d’État (Council of State, France) who referred the issue to the CJEU.
The Judgment AND COMMENT
The CJEU held that where a search engine operator grants a request for de-referencing … that operator is not required to carry out that de-referencing on all versions of its search engine, but on the versions of that search engine corresponding to all the Member States.
The decision reveals the CJEU’s attempts to perform a balancing act between the right to be forgotten and the right to freedom of information.
The decision to not impose the GDPR on non-EU member states mirrors the borderless nature of the World Wide Web, and reflects the remit of European data regulators.
While this outcome is a welcome relief for companies who rely on personal data on a global scale, this undoubtedly will disappoint champions of data protection laws.
Gemma Townley, Partner and Nadia Ahmed, Trainee Solicitor sit in the Technology team at Sharpe Pritchard LLP. We advise our clients on data protection compliance, including advising on compliance in commercial contracts and more broadly, advising on Privacy Notices, Data Protection Impact Assessments and Data Protection Officer responsibilities.
This article is for general awareness only and does not constitute legal or professional advice. The law may have changed since this page was first published.