CJEU Confirms Territorial Limits of Right to be Forgotten in Google v. CNIL (Case C-507/17)
Introduction
The Court of Justice of the European Union (CJEU) clarified the scope of the “right to be forgotten” in its landmark judgment in Case C-507/17, Google LLC v. Commission Nationale de l’Informatique et des Libertés (CNIL). The ruling addressed the extraterritorial reach of the General Data Protection Regulation (GDPR) and its predecessor, Directive 95/46/EC, in the context of internet search engines. The CJEU held that while de-referencing (also known as de-listing) requests must be respected across all EU versions of a search engine, they do not apply on a global scale. This judgment has far-reaching implications for search engines, data controllers, and national supervisory authorities.
Facts of the Case
The case began when the French Data Protection Authority (CNIL) fined Google €100,000 for not de-referencing content globally after receiving a request to exercise the right to be forgotten. Google had complied by de-referencing links on its EU domain versions (e.g., google.fr, google.de) but left them accessible on other non-EU versions, such as google.com.
The Conseil d’État (French Council of State) referred the case to the CJEU, seeking clarification on whether the right to be forgotten required global de-referencing or if it was sufficient to limit the scope of the removal to the EU.
Legal Issues
The key legal questions referred to the CJEU included:
- Does the “right to be forgotten” under EU law require global de-referencing?
- What is the territorial scope of the de-referencing obligation under Article 12(b) and Article 14(1)(a) of Directive 95/46/EC and Article 17(1) of GDPR?
- Can EU Member States impose broader de-referencing obligations on search engines operating within their jurisdiction?
The Court was asked to interpret these questions in light of the principles of data privacy, freedom of expression, and the territorial application of EU law.
Judgment of the CJEU
On 24 September 2019, the CJEU’s Grand Chamber delivered its ruling, balancing the right to data protection with freedom of access to information.
1. Global De-referencing Not Required
The Court held that EU law does not impose an obligation on search engine operators to de-reference links on versions of its search engine accessible outside the EU. This ruling was based on the view that the GDPR and its predecessor, Directive 95/46/EC, apply only within the territorial scope of the EU. The Court acknowledged that other jurisdictions might not recognize the right to be forgotten and that the EU cannot unilaterally impose its data protection regime on the rest of the world.
The CJEU stated that while data protection within the EU must be safeguarded, such protection must be balanced against freedom of access to information in non-EU jurisdictions. The judgment reaffirmed the principle of territoriality under international law, whereby EU rules apply within its borders but not beyond unless explicitly stated.
2. EU-Wide De-referencing Required
Although global de-referencing is not required, the Court affirmed that de-referencing must be applied on all versions of the search engine accessible within the EU. This means that Google must ensure that a user in the EU, regardless of which domain they access (e.g., google.com), cannot see de-referenced content.
To achieve this, search engines are required to “seriously discourage” or “effectively prevent” EU users from accessing the de-referenced content. The Court indicated that geo-blocking technologies or similar measures can be used to ensure compliance.
3. Member States May Impose Stricter Obligations
The CJEU acknowledged that EU Member States can impose stricter obligations at the national level, provided they comply with fundamental principles of EU law. This leaves open the possibility that some EU data protection authorities (like CNIL) may still push for broader application of the right to be forgotten. However, these measures would need to respect proportionality, fundamental rights, and the Charter of Fundamental Rights of the EU.
Legal Analysis
The judgment reflects a careful balance between privacy rights, extraterritorial enforcement, and freedom of information. The Court’s approach signals that while the EU takes data protection seriously, it recognizes that other jurisdictions have different legal frameworks.
- Protection Within EU Borders: The ruling underscores that the GDPR and Directive 95/46/EC are inherently territorial in scope. Imposing global de-referencing would have raised issues of extraterritorial enforcement of EU law. The CJEU’s restraint in this regard reflects a respect for the sovereignty of non-EU jurisdictions, while still protecting EU users’ rights.
- Technical Compliance: The decision introduces practical obligations for search engines, especially concerning geolocation-based blocking. Companies like Google must use technical measures to prevent access to de-referenced content in the EU, even if the search engine is accessed through a non-EU domain. This approach has significant implications for the way search engines must structure access and display content.
- Impact on National Authorities: While the CJEU limited the scope of EU-wide obligations, it gave Member States discretion to impose stricter measures at the national level. This creates regulatory fragmentation within the EU, as individual Member States may introduce different interpretations of de-referencing obligations. Companies operating in multiple EU jurisdictions must now keep pace with diverging national rules, especially in light of potential enforcement action from national data protection authorities like the CNIL.
Implications for Legal Practitioners
The CJEU’s ruling has broad implications for lawyers, compliance officers, and privacy professionals. Key takeaways include:
- Global Reach of GDPR: The GDPR does not require companies to remove data from non-EU search engines, but it does apply to content accessible in the EU, even on non-EU domains.
- Compliance Burden on Search Engines: Companies must implement geo-blocking measures to prevent EU users from accessing de-referenced links. This requirement demands sophisticated technological solutions.
- National Divergence: Companies operating in multiple Member States must monitor local implementation of de-referencing rules, as stricter national obligations may apply.
This ruling reflects a cautious, balanced approach to the extraterritorial application of EU law. While protecting data privacy within the EU, the judgment respects the autonomy of third countries and avoids the EU acting as a global privacy regulator.
Conclusion
The judgment in CJEU Case C-507/17, Google LLC v. CNIL confirms the territorial scope of the right to be forgotten under the GDPR and Directive 95/46/EC. It establishes that global de-referencing is not required, but operators of search engines must ensure that de-referenced links are inaccessible to users within the EU. This judgment strikes a balance between privacy rights, the sovereignty of non-EU states, and the technical feasibility of compliance.
Companies operating within the EU must take steps to comply with this ruling, especially by implementing geo-blocking mechanisms. At the same time, they should be prepared for stricter obligations at the national level, especially in countries like France where data protection authorities have historically taken a hardline stance on privacy rights.
For further information, the official judgment can be accessed on the CJEU’s website here