by Alessandra Silveira, Editor
 and Tiago Cabral, Master's student in EU Law at UMinho

▪

Google v. CNIL: Is a new landmark judgment for personal data protection on the horizon?

1. In the 2014 landmark Judgment Google Spain (C-131/12), the Court of Justice of the European Union (hereinafter, “ECJ”) was called upon to answer the question of whether data subjects had the right to request that some (or all) search results referring to them are suppressed from a search engine’s results. In its decision, the ECJ clarified that search engines engage in data processing activities and recognised the data subject’s right to have certain results suppressed from the results (even if maintained on the original webpage).

2. This right encountered its legal basis on Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, “Directive 95/46”) jointly with Articles 7 (respect for private and family life) and 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union (hereinafter, “Charter”). In accordance with the Court’s decision, it can be exercised against search engines acting as data controllers (Google, Bing, Ask, amongst others) and does not depend on effective harm having befallen the data subject due to the inclusion of personal data in the search engine’s results. Data subject’s rights should override the economic rights of the data controller and the public’s interest in having access to the abovementioned information unless a pressing public interest in having access to the information is present.

3. Google Spain offered some clarity on a number of extremely relevant aspects such as: i) the [existence of] processing of personal data by search engines; ii) their status as data controllers under EU law; iii) the applicability of the EU’s data protection rules even if the undertaking is not headquartered in the Union; iv) the obligation of a search engine to suppress certain results containing personal data at the request of the data subject; v) the extension, range and (material) limits to the data subjects’ rights. The natural conclusion to arrive is that Google Spain granted European citizens the right to no longer be linked by name to a list of results displayed following a search made on the basis of said name.

4. What the judgment did not clarify, however, is the territorial scope of the right (i.e. where in the world does the connection have to be suppressed?). Is it a global obligation? European-wide? Only within the territory of a specific Member State? In 2018, the European Data Protection Board (hereinafter, “EDPB”) issued Guidelines on the territorial scope of the GDPR, but their focus is Article 3 of the legal instrument and therefore they offer no clarity on this issue (even if they did, they would not bind the ECJ).

5. Absent a clear interpretation of EU law, the French Conseil d’État issued a request for a preliminary ruling from the ECJ, in a dispute opposing Google and the Commission nationale de l’informatique et des libertés (hereinafter, “CNIL” – the French Data Protection Supervisor). In this judgment, the ECJ has the opportunity to provide clarity on whether the obligation to suppress personal data from search engine results is applicable to all domain names and locations or, at least, to every domain name and location within the EU. The first scenario would mean that if the data subject requested suppression in the EU, no one in the world would be able to find the information using the same search query.

6. In the opinion issued on 10 January 2019, the Advocate General Maciej Szpunar argued that hyperlinks should be suppressed within the EU (as opposed to globally). According to the Advocate General, the search engine is required to take all steps available to him to ensure effective and complete “de-referencing”[i] . That includes, in particular, the technique known as ‘geo-blocking’, from an IP address deemed to be located in one of the Member States, regardless of the domain name used by the internet user conducting the search. This step should be taken to avoid that a user can find the initial results just by going to a different domain name localised outside of the EU (e.g. Google.ca).

7. Still, we must take note that ECJ is not bound by the Advocate General’s conclusions. In fact, in Google Spain, the ECJ’s conclusions diverged from the Advocate General’s Niilo Jääskinen. The Advocate General adopted a more restrictive position according to which search engines would not act as data controllers.

8. Without a unanimous position from the European Data Protection Supervisory Authorities regarding the scope and limitations of their powers to impose obligations beyond national borders and, adding to this issue, the lack of clarity on the territorial scope of the obligation to delist the only solution appears to be an intervention by the ECJ. It is no surprise that the first request for a preliminary ruling on this issue came from France, since CNIL adopted a particularly strong position on the matter and is heavily pressuring Google to recognise global effect to its decisions.

9. With the submitted questions for preliminary ruling by the ECJ, the Conseil d’État wishes to see clarified the following matters: i) if the “right to de-referencing”, as established by the ECJ in its judgment in Google Spain on the basis of the provisions of Articles 12(b) and 14(a) of Directive 95/46, should be interpreted as meaning that a search engine operator is required, when granting a request for de-referencing, to deploy the de-referencing to all of the domain names used by its search engine so that the links at issue no longer appear, irrespective of the place from where the search initiated on the basis of the requester’s name is conducted, and even if it is conducted from a place outside the territorial scope of Directive 95/46?; ii) In the event that question i) is answered in the negative, must the “right to de-referencing” be interpreted as meaning that a search engine operator is required, when granting a request for de-referencing, only to remove the links at issue from the results displayed following a search conducted on the basis of the requester’s name on the domain name corresponding to the State in which the request is deemed to have been made or, more generally, on the domain names distinguished by the national extensions used by that search engine for all of the Member States of the European Union and; iii) in addition to the obligation mentioned in question iii), must the “right to de-referencing” be interpreted as meaning that a search engine operator is required, when granting a request for de-referencing, to remove the results at issue, by using the “geo-blocking” technique, from searches conducted on the basis of the requester’s name from an IP address deemed to be located in the State of residence of the person benefiting from the “right to de-referencing”, or even, more generally, from an IP address deemed to be located in one of the Member States subject to Directive 95/46, regardless of the domain name used by the internet user conducting the search?

10. As pointed out by the Advocate General in his conclusions, the questions for a preliminary ruling should be answered under Directive 95/46 and not under the GDPR, as the former was still applicable on the day on which a contested decision was adopted. However, it is our belief that the ECJ, understanding the relevance of providing an answer both under Directive 95/46 and under the GDPR, clarifying the applicable rules and avoiding future preliminary rulings with the same scope, but under the new legal framework.

11. The reluctance of the Advocate General in admitting that “right to de-referencing” has a universal scope is grounded, mainly, on the risk of the EU restricting access to information relating to its citizens from a third country. According to the Advocate General, “if an authority within the European Union could order de-referencing on a worldwide scale, an inevitable signal would be sent to third countries, which could also order de-referencing under their own laws”. Authoritarian regimes could impose similar measures on their own legal frameworks and demand that they be enforced worldwide (including in the EU itself). Worst case scenario, a race to the bottom on a worldwide scale could start, with freedom of expression being the main victim.

12. The Advocate General’s worries should not be dismissed at all, especially in light of the growing power of populist and authoritarian regimes across the world. However, taking into account the case-law of the ECJ on this matter, the new level of protection required by the GDPR (and the European attempts to make it a “de facto” world standard on data protection), and the consequences of recognizing that personal data protection and privacy are fundamental rights enshrined in the Charter – thus having a global scope of application –, it would not be surprising for the ECJ to recognize a universal “right to de-referencing”.

13. The ECJ finds itself (again) facing a very difficult choice that can shape personal data protection around the world for the foreseeable future, cause billions in costs for search engines and potentially a reaction from third countries. Whatever the decision, it will certainly be a landmark one.

[1] The Advocate General opts for this expression when describing the nature of the right and, for simplicity’s sake, we will stick to it in this essay. However, we must note that a different notion, such as targeted delisting may be more appropriated.

Pictures credits: Eraser… by meinersterampe.