On 24 September 2019, whilst the country was focused on the United Kingdom Supreme Court as it ruled that the prorogation of the UK parliament was unlawful, the Court of Justice of the European Union (CJEU or ECJ), handed down judgment in Google LLC, successor in law to Google Inc. v Commission nationale de l'informatique et des libertés (CNIL), C‑507/17, effectively a sequel to the landmark data protection ‘Google Spain’ decision in May 2014.

In Google Spain (formally known as Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, C-131/12), the CJEU held that in operating its search engine Google was performing the role of a “Data Controller” and, accordingly, was subject to the “Data Protection Principles” enshrined in EU law. As a consequence of that decision, Google has become required to remove (or ‘delist’) search results that are in breach of the Principles. This will arise where the returning of identified webpages against a search for an individual’s name amounts to the inaccurate, unfair or unlawful processing of personal data and/or where the information being returned is excessive, outdated or irrelevant. This was referred to as the ‘right to be forgotten’, a qualified right that was subsequently codified in 2018 in the General Data Protection Regulation (EU) 2016/679 (GDPR) as the ‘right to erasure’ (albeit that it has a much broader application than search engines).

The practical effect of Google Spain, is that for the past five years individuals have been able to request that Google delist specified URLs/webpages from the results returned against searches for their name. As at the date of this blog, Google claims to have received 102,151 requests from the UK alone in respect of 450,868 URLs (the respective figures for requests across all EU member states are 846,327 and 3.3 million).

Google does not accede to all requests to delist. Indeed, a majority (some 57% in the UK) are rejected. The factors a Data Controller in Google’s position are required to consider were considered and discussed by the English High Court in NT1 & NT2 v Google LLC [2018] EWHC 799 (QB) . If Google, or indeed any Data Controller, rejects a ‘right to erasure’ request, an individual has two choices: to issue civil proceedings and request that the court grants a delisting order (as in NT1 & NT2) or to make complaint to the state’s data regulator – in the UK’s case the Information Commissioner’s Office (ICO) – which has the power to issue enforcement notices against Google compelling it to delist webpages (which in turn Google can challenge in the courts). To date, NT1 is the only such case to reach trial and the ICO has issued only one enforcement notice (although it regularly advises Google to delist results, thus resolving complaints informally).

Where Google agrees to delist search results, the offending results are blocked where searches are made for the complainant’s name on all of Google’s EU domains (such as Google.co.uk, Google.fr, Google.de etc.) and, since 2016, all versions of Google when accessed from the complainant’s country (see below). Significantly, versions of Google beyond the EU are unaffected. Thus, the offending search results will continue to appear against complainant’s name in the USA, Canada, South Africa, Australia, Japan etc.

A number of individuals from across the EU lodged complaints with their national data regulators that Google had refused to delist search results from non-EU domains (most significantly, from Google.com). On 21 May 2015, the Commission nationale de l'informatique et des libertés (CNIL), the French data regulator, issued an enforcement notice against Google requiring it to extend delisting of French residents’ search results to all Google domains, within 15 days. Google failed to comply and CNIL commenced enforcement action against Google for breach of the notice.

Subsequently, in October 2015, the ICO amended an existing enforcement notice against Google to include a requirement that relevant results for searches of UK residents’ names be delisted from all Google domains when they are accessed from within the UK.

In March 2016 Google implemented a ‘compromise’: it began to use geolocation signals (such as IP addresses) to identify the location from which searches are conducted and to restrict access to delisted URLs on all Google search domains when accessed from the country of the person who requested their delisting. In practical terms, this means that if Google agrees to delist certain results for searches of the name of a UK resident, for example, all searches for that name conducted within the UK will exclude those results, irrespective of which Google domain is used. The ICO was satisfied with this solution.

CNIL was unimpressed with Google’s compromise (unsurprisingly, given that it was seeking global delisting and the vast majority of those using Google within the EU would be using an EU version of Google in any event). By an adjudication dated 10 March 2016 CNIL’s Restricted Committee imposed a fine of €100,000 on Google for its refusal to apply delisting to all search engine domains. It held that the request was not extraterrestrial in scope because Google’s search engine is a single processing system and France’s data protection laws therefore applied to all its processing, in so far as that processing relates to a French resident. It also held that global delisting did not represent a disproportionate attack on freedom of expression because delisting does not actually remove content from the internet (merely from search results for the individual’s name) and only applies where the processing is in breach of data protection law.

Unsurprisingly, Google appealed to the Council d’État (the French Council of State, broadly equivalent to the Administrative Court in England and Wales), requesting that the adjudication of 10 March 2016 be annulled. The Council d’État duly referred several questions to the CJEU for a preliminary ruling on whether, on the correct interpretation, European data protection law (now encapsulated in the GDPR – and associated national laws) requires a search engine operator (such as Google) to delist results on (a) all versions of its search engine, (b) all versions of the search engine corresponding to all Member States or (c) only on the version corresponding with the Member State in which the requestor is resident.

On 10 January 2019 Advocate General of the CJEU, Maciej Szpunar, provided his written Opinion to the court, siding with Google. He advised against imposing an obligation on search engines to delist worldwide results which, he noted, could create a dangerous precedent and might be used by less democratic regimes to censor the World Wide Web. He recommended that Google be required (i) to delist results on versions of the search engine corresponding to all Member States and (ii) to delist results on all search domains when accessed from the country of the person who requesting their delisting – as Google has been doing in any event since March 2016.

The CJEU handed down its judgment on 24 September 2019, essentially following the Advocate General’s Opinion.

The CJEU recognised that, in a globalised world, access by internet users outside the EU to a link referring to information regarding a person whose centre of interests is within the EU is likely to have an impact on that person within the EU, and so global delinking would meet the objective of EU data protection law. However, it also recognised that many non-Member states see things differently, and have no (or at best primitive) data protection laws relating to online information. It also emphasised that the right to protection of personal data is not an absolute right and must be balanced against other fundamental rights, in accordance with the principle of proportionality. The way in which the balance is struck between the right to privacy and protection of personal data, on the one hand, and the freedom of information of internet users, on the other, varies in different parts of the world.

In interpreting EU law, the CJEU found that the EU legislature had not chosen to give individuals data protection rights that extend in scope beyond the territory of the Member States. Nor did it intend to impose obligations upon search engine operators, such as Google, to delist results from domains corresponding with non-Member States. Indeed, the CJEU noted that EU data protection law does not provide for mechanisms to determine the scope of extra-terrestrial delisting. It had been open to the EU to expressly provide such rights and mechanisms had it wanted to.

This case confirms that there is no general obligation under EU law for a search engine operator to carry out delisting on all versions of its search engine, only the versions corresponding to all the Member States. However, the CJEU stressed that search engine operators must prevent (or, at least, seriously discourage) internet users within the EU from gaining access to links that have been delisted by using a version of that search engine from outside the EU. It will be for the French national court (in this instance) to determine whether the measures put in place by Google are sufficient.

The CJEU also observed that while EU law does not currently require delisting to be carried out on all territorial versions of a search engine, it also does not prohibit it. It will be for national data protection authorities to weigh up, in light of national laws, how to strike the balance between an individual’s privacy rights and the right to freedom of expression and, where appropriate, to order that a search engine provider delist worldwide. The door has technically been left open for a fresh challenge, although it is unclear how the rights of those in non-EU Member States highlighted in the judgment would be any different in a future case.

The CJEU’s ruling is not surprising. There are obviously considerable ramifications in the courts of one territory dictating what information can and cannot be published in another territory. Nevertheless, where Google (or another search engine) agrees to delist certain results in searches within the EU, it can seem arbitrary and unfair to the individual concerned that no remedy is available with regard to searches conducted outside the EU. In a world in which business and personal interests routinely cross borders, search results in other parts of the world may be just as significant to the individual concerned as those in the UK (or elsewhere in the EU).

In practical terms, this decision will have little if any impact on ‘the right to be forgotten’ as it simply reflects Google’s practice over recent years. Individuals living in EU Member States have a right to be forgotten if they confine their lives to the borders of the EU, but not so if they stray beyond.