Google need not comply with the right to be forgotten outside of the European Union, according to a European Court of Justice ruling released Tuesday.
A global de-referencing would meet the EU’s data protection objectives, the court said, but it found that numerous third states do not recognize the right to de-referencing or have a different approach to that right.
Further, the right to the protection of personal data is not an absolute right but must be considered in relation to its function in society and must be balanced against other fundamental rights, the court ruled.
The balance between the right to privacy and protection of personal data on one hand, and the freedom of information of Internet users on the other, vary significantly around the world, the court noted.
“…it must be found that EU law does not currently provide for such cooperation instruments and mechanisms as regards the scope of a de-referencing outside the Union,” the court’s ruling states.
“It follows that, currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine,” the court found.
The ECJ ruled that search engine operators have to de-reference all versions of their search engines in the EU and take measures that prevent or seriously discourage Internet users from making an end run by gaining access to the results of a search on versions of the search engine outside the EU.
The regulatory authorities of member states must decide whether or not those requirements have been met.
“while EU law does not currently require that the de-referencing granted concern all versions of the search engine in question, it also does not prohibit such a practice,” the court found.
Reactions to the Ruling
The ruling is “a big win for technology users who do not want to see their access to online information curtailed,” remarked David Greene, civil liberties director at the Electronic Frontier Foundation.
The ruling “correctly recognized that the Right to be Forgotten does not require global de-listing and de-indexing orders,” he told the E-Commerce Times.
“Had the court found otherwise, we would face the prospect of an Internet of lowest common denominator freedom of speech, where the nation with the most restrictive laws would be required to order the takedown of content across the Internet because of a violation of local law.”
The decision is “sensible,” said Ron Moscona, technology partner at Dorsey’s London office.
“It is right to recognize that in a world where information is disseminated globally and accessible from everywhere, there are no perfect solutions,” he told the E-Commerce Times, “and it is right that EU law cannot impose its privacy values on other countries, because that would justify other countries imposing their view of the world on the EU.”
If every country expected its laws to apply globally, “enforcing those laws would not only be a nightmare, but the laws would stack, making it nearly impossible for firms or individuals to comply with them while remaining in business,” observed Rob Enderle, principal analyst at the Enderle Group.
EU member countries might continue demanding that search engines de-reference search results on versions in non-EU nations, he told the E-Commerce Times, but “I don’t think they’ll be successful, because they will be potentially violating the sovereign rights of those foreign countries.”
Why the European Court Got Involved
The dispute over the right to be forgotten originated between France and Google.
The European court of Justice in 2014 ruled that people could ask search engines to remove links to inadequate or irrelevant information in results returned from searches for their names.
Google initially scrubbed search results only across its European websites, arguing that to do otherwise would have a chilling effect on the free flow of information.
It de-listed search results across all its websites, including Google.com, by 2015, when the websites were accessed from the EU member country where the request originated.
French regulators fined Google 100,000 euros in 2016 for not scrubbing Web search results widely enough.
Google then requested that France’s Council of State, the Conseil d’Etat, annul the adjudication. The Conseil approached the European Court of Justice for a ruling.
The Commission Nationale de l’informatique et des liberts, or CNIL, the French administrative regulatory body, “is now required to accept Google’s proposed .fr and IP-based geoblocking,” the EFF’s Greene said.
CNIL “may confer with the data protection authorities of other EU member states to determine whether it would be consistent with their laws to extend the blocking to other EU member states,” he added.
However, “it is not clear from the judgment how a search engine or other online service should be carved up along territorial lines,” Dorsey’s Moscona noted. “Geoblocking can be technically circumvented.”
The decision “is certainly good for Google,” he said. EU citizens “can still rely on their national authorities to protect their privacy in accordance with the policies and laws of each country,” and EU member states can do so within their territories.
Still, the ruling “shows that there are many big questions that GDPR does not fully settle, and that there is room for argument and debate at many different levels of the legislation,” Moscona pointed out.
“There will be more lawsuits because the boundaries between privacy interests and the free dissemination of information, as well as other competing interests — national security, law and order, scientific research — are often open to debate and uncertain.”
The situation “is still a mess,” said Enderle, “but Google can argue they won here.”