Mason Hayes and Curran looks at what’s next for the EU’s right to be forgotten law following a recent ruling by French data protection authority CNIL to remove results from Google’s .com domain.
In the wake of the Google Spain decision, debates have continued as to whether non-EU search domains can be subject to ‘right to be forgotten’ requests for content removal.
This issue previously arose with guidance issued by the Article 29 Working Party – the collective body of EU data protection authorities (DPAs) – in late 2014. While search engines had sought to limit the removed content to EU-only search results (such as on Google.ie), the Working Party’s guidance suggested that global results (such as Google.com) should also be covered.
In France, a recent appeal by Google to the French DPA – the CNIL – has seen the French regulator take the view that Google must take down content on Google.com, not just its EU websites.
The CNIL’s decision arose from an informal appeal by Google. Google lodged an appeal against the CNIL’s previous ruling that Google must apply the right to be forgotten globally. Google claimed that applying the right to be forgotten globally would inhibit the public’s right to information and would constitute censorship.
The CNIL rejected Google’s appeal. In stark language, the CNIL stated that once a right to be forgotten request satisfied the criteria set out by the Court of Justice of the European Union (CJEU) and the Working Party, the removal of the search results must be applied across all versions of the search engine.
The CNIL stated that a failure to apply the right to be forgotten in such a manner would allow search engines to undermine the CJEU’s ruling and the privacy rights of data subjects. According to the CNIL, Google’s various domain names merely offered different paths to the same processing operation; limiting the right to be forgotten to some domains only would make it easy to circumvent EU law.
Google argued that the CNIL was going beyond its jurisdiction, but this was rejected. The CNIL stated that it simply wants non-EU companies to respect EU laws when offering their services here.
If followed, the CNIL decision could result in Google removing thousands of search results from Google.com and other non-EU domains.
Should Google refuse or fail to comply with the CNIL’s ruling, it could be subject to stiff administrative sanction.
The finding by the CNIL that a US company is required to remove search results on its US targeted .com domain is likely to give rise to much debate. This is primarily due to the fact that it shows, in stark terms, the clash between EU privacy law and US law, particularly the First Amendment.
This conflict is also seen in the Schrems decision, and the ongoing debate over transfers of EU residents’ information to the US.
It remains to be seen how this issue will play out. However, for now it is clear that the ‘long arm’ of EU data-protection law is seeking to reach outside the EU’s bounds.
The content of this article is provided for information purposes only and does not constitute legal or other advice.
Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out www.mhc.ie for more.
Want stories like this and more direct to your inbox? Sign up for Tech Trends, Silicon Republic’s weekly digest of need-to-know tech news.