ESTHER MARIA PONCE DE LEON — On Tuesday, September 24, 2019, the European Court of Justice (ECJ), the European Union’s highest court, declined to extend privacy laws beyond EU member states. In Google v. Commission Nationale de I’informatique et des Libertés (CNIL), the ECJ held that “[t]he operator of a search engine is not required to carry out a de-referencing on all versions of its search engine.”
The case began when the CNIL, a French data protection agency, penalized Google for not taking information off all of its domain names when it requested that Google remove links to the information, or “de-reference” it. Google only took the links off domains within the EU.
In making its decision, the ECJ acknowledged the international aspect of the Internet. The court recognized that searches from outside an EU country have the same impact as those made within that country. Thus, the court had jurisdiction over the case because it affected all member states in the EU, not just France.
However, the court did not extend its protection to countries outside the EU, stating that, “the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights.” The court further stated that some countries have a different approach than the EU and do not recognize de-referencing as a right. Therefore, the ECJ ruled that Google did not have to apply Europe’s “right to be forgotten” law outside of EU member states.
Europe adopted its “right to be forgotten” law in 1995 with Directive 95/46/EC, the Data Protection Directive. The Directive’s goal was to regulate personal data in EU Member States by allowing citizens to request that links be taken down if they do not want to be associated with those links. More than a decade later, the ECJ ruled in Google Spain v. Agencia Española de Protección de Datos y Mario Costeja González that the Directive had teeth, and it required Google Spain to remove links per requests where the websites are “inadequate, irrelevant or no longer relevant, or excessive.” The court reasoned that since Google is the door to much of the Internet’s information, it has an obligation to remove links to third party websites when a person makes a request. Google has a web form that people in the EU can fill out to request that Google remove the links. If Google decides not to remove the web link, people can appeal to their country’s data protection agency (like the CNIL in France).
Google v. CNIL does not limit the ECJ’s original ruling; to the contrary, it supports its earlier decision. It still upheld that Europeans in the EU have a right to be forgotten on the Internet—upon a Google web request, a person can get Google to remove links to websites that the person does not want to be associated with. However, the ECJ limited the scope to just EU member states. Thus, the information will not be linked to the person in the EU, but the same search outside of the member states will show those links.
Since the EU passed its law, Google has de-referenced 45% of URL takedown requests, most of which were made by private individuals. Along with publishing the percentage of requests granted versus not, Google also publishes each request made in each EU country and the reason why the request either was or was not granted. For instance, Google chose not to de-reference URLs to a former government official’s trial and convictions for murder because of the person’s political background and the extremity of the crimes. It did, however, grant a de-referencing request for a conviction of sexual abuse after the individual provided proof of acquittal in the case. However, failing to de-reference to obsolete webpages proved costly earlier this year when the Data Protection Authority in Belgium (“APD”) fined Google over €600,000 for negligence in not implementing “right to be forgotten” laws correctly. Google is appealing the fine.
Currently, the United States does not have comparable laws to protect its citizens from websites associated with their names, although 88% of Americans support such a law. In 2017, the New York Assembly introduced a bill that would act similarly to the EU’s Directive. However, it has been pending since 2018. Although no U.S. law requires Google to take down web pages linked to a person, Google has forms for removing web links in the U.S. for containing personal information, illegal content, or an outdated link. Google also publishes some of the de-referencing data, but not the extent it does for the EU. It remains to be seen if the U.S. will enact any federal legislation to allow its citizens to appeal Google’s decisions the same way that the EU did.