CNIL vs. Google: A Case Study on the Right to be Forgotten

Marshall McLuhan’s vision of a global village—represented today by the Internet and global communications—bridges the distance between countries and people. On the one hand, it’s a good thing because it extends the reach of information and expands opportunities for all. On the other hand, it makes certain information too accessible to those who don’t need to know them. That was the issue raised by the Commission Nationale de l’Informatique et des Libertés (CNIL), France’s primary privacy regulator, when it demanded that Google delist certain pages globally.

THE CASE

In 2015, the CNIL asked Google to take down all listings from search results of pages that contain false or damaging information about an individual.  The Commission claimed that the Right to be Forgotten rule applying to European citizens should not be limited to European websites only. ; It insisted that the privacy rule must be applied to the search engine version worldwide to prevent such pages from coming up on search results in Google.com. It also slapped Google a fine of 100,000 Euros for failure to implement the standard globally.

Google challenged the decision and appealed to the European Court of Justice (ECJ), the highest court of the European Union, asking to identify the geographic limits of the privacy standard. It also said that to delist these pages on a worldwide scope would be tantamount to censorship for users outside of the EU. Several companies and organizations supported Google, including the Wikimedia Foundation, Microsoft, and the Reporters Committee for Freedom of the Press.

THE RULES

Lawyer writing on a bookThe EU’s Right to be Forgotten Law—also called Right to Erasure—grants European citizens the right to request companies and organizations to delete sensitive or damaging data about them. The law applies to any information found irrelevant, inadequate, or excessive that could potentially affect the individual’s life or reputation.

Google has honoured this right, delisting approximately 1.4 million web addresses from more than 800,000 requests. It also introduced a geoblock feature on its European websites that prevents Europe-based users from seeing the delisted pages. Google also restricted access to those pages in Google.com if the origin of the search is within Europe.

The approval of EU’s General Data Protection Regulation (GDPR) in 2018, however, has created renewed interest in the issue of searchability because of provisions like this:

“1) The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. 2) That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage, and their accessibility. 3) In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”

Some argue that anyone outside of the EU, or Europeans searching from other countries, can still have access to the delisted pages. Also, the restriction on the global website does not guarantee that the pages will not be visible if one goes through a virtual private network for the search.

THE DECISION

In 2019, the ECJ ruled in favour of Google, stating that the CNIL did not have express authority to require a global injunction under the European data privacy act and did not consider countervailing factors sufficiently. It added that though a global delisting can fulfil the objective of personal data protection for European citizens, the “right to the protection of personal data is not an absolute right.” The request for privacy must be balanced with the person’s function in society and the fundamental rights of other users all over the world.

This site notes a second decision, which has not garnered as much attention as the first. The ECJ, though it declared CNIL’s demand for global delisting problematic, did not categorically state that a worldwide delisting request is problematic. It implied that such a move is encouraged “where appropriate,” if privacy against freedom of information has been weighed thoroughly.

THE ARGUMENT

Both the CNIL’s demand and the decision raises a lot of questions that solicitors handling the right to be forgotten cases must research on more.

  • First is the VPN argument. What measures have Google implemented to address the visibility of delisted pages through a VPN?
  • Second, does this mean that Europeans seeking work opportunities abroad are at risk of having their past data viewed by potential employers?
  • Third, if a European citizen was involved in a crime in another country (i.e., was charged but not convicted) and that piece of information is viewable worldwide, can the individual—now back in Europe—request for its delisting? What if the country where it happened finds this information too valuable to delist, such as if it will help prevent a similar future occurrence? Can the individual push for extraterritorial delisting on the grounds of the right to be forgotten within Europe? After all, someone outside of the EU can always send the link to the page to a person within.

These are questions that may find answers only when someone files a request or a case similar to the CNIL’s. But these are questions worth exploring. The borderless nature of the global village has made certain legal borders useless, but in defending both, freedom and the quality of life must always come into focus.

Share to:

Share on facebook
Share on twitter
Share on linkedin
Share on pinterest
Share on tumblr
Scroll to Top