November 20, 2019

November 20, 2019

Subscribe to Latest Legal News and Analysis

November 19, 2019

Subscribe to Latest Legal News and Analysis

November 18, 2019

Subscribe to Latest Legal News and Analysis

EU Limits Territorial Scope of ‘Right to Be Forgotten’ on the Internet

On Sept. 24, 2019, the Court of Justice of the European Union (CJEU) decided that the “right to be forgotten” does not require a search engine operator to carry out de-referencing on non-EU member state versions of its search engine.

Background

The case relates to a penalty of €100,000 that the French data protection authority, CNIL, had imposed on Google in March 2016. In granting a de-referencing request, the search engine – on free speech grounds – declined to apply the de-referencing worldwide to all domain-name extensions of its search engine. Arguing for global freedom of expression, Google appealed the penalty and filed an application for the annulment of CNIL’s decision with the French Council of State. The French court then referred several questions concerning the territorial scope of the “right to be forgotten” to the CJEU for preliminary ruling.

The CJEU reviewed the case both under the former Data Protection Directive 95/46/EC (Privacy Directive) and the General Data Protection Regulation (GDPR), which replaced the Privacy Directive on May 25, 2018.

CJEU’s Considerations

In its ruling, the CJEU first reiterates that where its requirements are met, the “right to be forgotten” imposes a de-referencing obligation on search engine operators to remove from the list displayed following a search made on the basis of a person’s name all links to web pages that contain information relating to that person. According to the CJEU, this applies irrespective of whether the publications on those web pages are lawful or not.
In relation to the territorial scope of the “right to be forgotten”, the CJEU then explains that:

  • numerous third countries outside the European Union do not recognize a right to de-referencing;
     
  • the protection of personal data is not an absolute right but must be balanced against other fundamental rights, such as the right to freedom of information of internet users;
     
  • the EU legislature has not, to date, struck such a balance in relation to the scope of de-referencing outside the European Union; and
     
  • the relevant legal texts of the Privacy Directive and the GDPR do not imply that the scope of the “right to be forgotten” should go beyond the territory of the EU member states.

Conclusion

Consequently, the CJEU concludes that there is no obligation under EU law for a search engine operator to carry out de-referencing on all worldwide versions of its search engine as part of a data subject’s request to be forgotten.

However...

The court’s decision is unlikely the last word on the issue. A closer look is warranted regarding three additional explanations made by the CJEU:

  • First, the court concludes that where the “right to be forgotten” applies, de-referencing, in general, needs to be carried out in all EU member states.
     
  • Second, the CJEU explains, that where necessary, a search engine operator needs to take additional measures that effectively prevent, or at the very least, seriously discourage, internet users in the EU from gaining access to the links in question. These measures can, for example, include geo-blocking technologies or the automatic redirection of EU users to the national version of the search engine.
     
  • Third, the CJEU explains that while EU data protection law does not require search engine operators to carry out worldwide de-referencing, it also does not prohibit such a practice. Therefore, supervisory and judicial authorities of EU member states, in consideration of their national standards, may continue to weigh the individual’s right to the protection of his or her data against other individuals’ right to freedom of information and, where appropriate, order the search engine operator to carry out a de-referencing concerning all worldwide versions of its search engine.

Outlook

It remains to be seen how the CJEU decision will be implemented by EU authorities, particularly when it comes to whether “additional measures” are necessary or whether EU authorities can ask search engine operators for worldwide de-referencing on the basis of their national data protection standards.

We will keep you updated on further developments. In the meantime, we will gladly answer any questions you might have on this subject matter.

©2019 Greenberg Traurig, LLP. All rights reserved.

TRENDING LEGAL ANALYSIS


About this Author

Carsten Kociok, Greenberg Traurig Law Firm, Germany, Cybersecurity and Technology, Finance Litigation Attorney
Counsel

Carsten Kociok focuses his practice on the technology, media and telecommunications industries. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Carsten advises national and international companies from the Internet, payments and technology industries on the commercial and regulatory side of their business, in particular in the areas of e-commerce and e-business, electronic and mobile payments, service distribution,...

490-30700-171119
Willeke Kemkers IP lawyer Greenberg Traurig
Associate

Willeke Kemkers is an associate in the IP / Tech department of Greenberg Traurig’s Amsterdam office. She focuses on a broad range of intellectual property issues, including proceedings, drafting of (commercial) contracts and providing of advice regarding transactions (mergers and acquisitions). Willeke also has deep knowledge of EU e-commerce regulations and regularly counsels clients with respect to the interpretation and application of the relevant laws.  

Furthermore, Willeke counsels clients on a wide range of privacy issues such as data processing agreements, cross-border transfers of data, privacy policies and data breaches. With respect to the coming into force of the GDPR, Willeke prepared clients from many different industries (transport, medical, legal) to be GDPR compliant.

Willeke also has experience with drafting and reviewing of IT contracts including hosting (cloud), outsourcing (SaaS, Iaas and Paas) and IT development contracts.

+31 (0) 64.718.0845