Luxembourg, September 24, 2019 – The Court of Justice of the European Union sided with Google following a CJEU’s press release in which the search engine is not required to carry out a de-referencing globally.

Background and legal basis

In March 2016, France’s CNIL (Commission nationale de l’informatique et des libertés), imposed a €100,000 fine on Google Inc. due to the company’s refusal to apply de-referencing in all its search engine’s domain name extensions whenever a formal request was brought. Google limited to de-reference the links in question in all EU Member States and asked France’s Conseil d’État to annul the March 2016 adjudication.

The ruling is based on GDPR’s Article 17, which governs the “right of erasure”, also know as the “right to be forgotten”:

“A data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller has the obligation to erase personal data without undue delay where one of the grounds listed in that provision applies”

Ruling

Some of the most relevant CJEU’s ruling conclusions are:

“It follows that, currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.”

“…it is for the search engine operator to take, if necessary, sufficiently effective measures to ensure the effective protection of the data subject’s fundamental rights. Those measures must themselves meet all the legal requirements and have the effect of preventing or, at the very least, seriously discouraging internet users in the Member States from gaining access to the links in question using a search conducted on the basis of that data subject’s name…”

Recital 1 of the GDPR’s Preamble states that the protection of natural persons in relation to the processing of personal data is a fundamental right; however, it is not an absolute right, according to recital 4, since it must be weighed proportionally as opposed to other fundamental rights.

The Court decided to support Google’s argument since other third States have a different approach to the right to de-reference and the right of freedom of information. Furthermore:

“EU law does not provide for cooperation instruments and mechanisms as regards the scope of a de-referencing outside the EU”.

General concerns and repercussions

Some fear that rulings like these could serve the interests of totalitarian states to restrict the rights to access information or to erase the digital trail of criminals in countries where law enforcement is lax. It could also hinder Financial Institutions’ efforts when conducting appropriate online research on Politically Exposed Persons (PEP’s), sanctioned entities/persons for screening purposes and Anti Money Laundering/Anti Terrorist Financing activities.

The “right to be forgotten” also contradicts the very nature of technologies like blockchain, which keeps a permanent and secure record of the participants involved. The GDPR in its Article 65, states that:

“…a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed.”

Under this Article, where does blockchain stand if a legal action is brought?

In February 2018, a report from the Standing Committee on Access to Information, Privacy and Ethics from the House of Commons of Canada issued the following recommendation in light of the adoption of the GDPR in Europe:

“That the Government of Canada determine what, if any, changes to the Personal Information Protection and Electronic Documents Act will be required in order to maintain its adequacy status under the General Data Protection Regulation.”

“That, if it is determined that the changes required to maintain adequacy status are not in the Canadian interest, the Government of Canada create mechanisms to allow for the seamless transfer of data between Canada and the European. »

Is Canada willing to give way to principles like the “right to be forgotten” in order to maintain an adequacy status under the GDPR or is it leaning towards favouring the protection of free speech and the right to access information?

According to a survey conducted by the Huffington Post, more than half of Canadians would like search engines to enable the option to remove harmful content from personal information. But there are also concerns about giving search engines the authority to deliberate on these issues based on internal policy’s criteria. They could also play the role of being judge and jury.

From a U.S. based standpoint, former Federal Trade Commissioner, Julie Brill (now corporate vice president and deputy general counsel for Privacy and Regulatory Affairs at Microsoft) spoke strongly in an interview about “obscurity” and “the right to be let alone” as a key component of consumer protections. For her, “the meaning of privacy includes an individual’s right to have some control over their online persona and destiny; Individuals want to be able to share with their friends and business associates on social media, shop online, and use connected devices, but they don’t necessarily want all of these activities monitored, tracked, collected, and used by entities they do not know or with whom they have no relationship”.

She also referred to the CJEU’s landmark decision in Google Spain v. AEPD, Mario Costeja González, which gave rise to the “right to be forgotten” in 2014[1] and argued that a right to be forgotten applied in the U.S. would raise serious questions under the First Amendment (freedom of speech).

Conclusions and open questions

CNIL’s intent to block the information on a global level was very ambitious, if not unrealistic. Removal of our personal in the Internet is not absolute, there will always be a digital trail. The “right to be forgotten” could be well rooted and enforced in the legal European culture, but not necessarily in Asian, African or Latin American countries, where its application would be a luxury.

An underlying question come to mind following this judgment:

Does Google (or any other search engine) have the responsibility/obligation to play a more proactive role in removing harmful content from users or should it hold a more reactive position (upon request from the concerned party)?

Could this be a new market for cybercriminals who in the near future will blackmail people and threaten them to restore data in the web if a ransom is not paid?

Finally, the judgement rendered by the CJEU partially addresses, in my opinion, a non-existent problem. A principle like this falls short in terms of forgetting or erasing a digital trail as the ruling does not provide for the original content or source document to be removed. This is perhaps a case in which the cure could be worse than the disease.

[1] The Google Spain case itself represents a paradox as the ruling intended to erase every single trace of Mr. Costeja. After the ruling, there are nearly 33,000 hits in Google Chrome about it due to its relevance and public interest.