"Right to be forgotten" does not extend globally, CJEU rules
The "right to be forgotten" under European Union law does not have to be applied globally, the EU Court of Justice ruled this morning.
Judges ruled in favour of internet giant Google in a dispute with the French privacy regulator CNIL, on the scope of the 2014 judgement that confirmed the right of EU citizens to have certain listings for webpages containing information about them removed from results returned under searches for their name.
Sensitive information such as old criminal offences can be hidden if judged to be "inadequate, irrelevant or no longer relevant or excessive".
In 2015, CNIL ordered Google to remove search result listings to pages containing damaging or false information about an individual, on a global basis. In response, Google introduced a geoblocking feature preventing European users from being able to see the links, but refused to do the same for people elsewhere in the world, and challenged a fine that CNIL tried to impose.
Supported by other internet providers and journalists' groups, Google argued that a ruling applicable outside Europe could be abused by authoritarian governments trying to cover up human rights abuses.
The court's advocate general advised that the right to be forgotten should be limited to Europe, and the court has now adopted the same view.
In its judgment the court recognised that access by internet users outside the EU to information regarding a person in the EU was likely to have immediate and substantial effects on that person within the EU itself. However, numerous third states did not recognise the right to dereferencing or had a different approach to it. The right to the protection of personal data was not absolute, but had to be considered in relation to its function in society and balanced against other fundamental rights.
It was not apparent that the EU legislature had struck such a balance as regards the scope of a dereferencing outside the EU, or that it would have intended to impose on an operator, such as Google, a dereferencing obligation which also concerned the national versions of its search engine that did not correspond to the member states. Furthermore, EU law did not provide for cooperation instruments and mechanisms as regards the scope of a dereferencing outside the EU.
The court therefore concluded that, currently, there was no obligation under EU law for a search engine operator who granted a request for de-referencing made by a data subject, to carry out such a dereferencing on all the versions of its search engine – though it was open to the operator to do so.
However, it had to take sufficient measures to effectively prevent or, at the very least, seriously discourage an internet user conducting a search from one of the member states through a version of that search engine outside the EU.
Google has said that since 2014, it has received more than 845,000 requests to remove a total of 3.3m web addresses. About 45% of the links are ultimately delisted.
Click here to access the judgment.