On Tuesday 24 September, Google has won what everyone is calling a “landmark case” against CNIL, the French data protection authority.
At the heart of the matter is how far the ‘right to be forgotten’ rules extend.
In 2014, the European Court of Justice ordered Google to remove links to “outdated or irrelevant” information about a Spanish national. The information — in his case, a notice about an old mortgage foreclosure — was accurate, and the newspaper site publishing it was not required to take action, but the judges clearly see search engines as the gatekeepers of the internet, and ruled that links to the information should not appear in search results for the man’s name. In other words, it must be “de-referenced” and the so-called right to be forgotten (R2BF) was enshrined in public consciousness.
Since then, Google has de-referenced 1.3 million URLs, about 45% of the requests it has received.
However the French regulator fined Google €100,000 for refusing apply RTBF requests worldwide. The search giant, took the view that CNIL only had the power to order de-listing on the Google.fr domain. And on Tuesday, Europe’s top court agreed with the tech behemoth.
The court ruled that the RTBF applies only in EU member states. Google, or any other search engine, is not required to carry out de-referencing on all its versions globally. However once a right to de-referencing within the EU has been established, the search engine operator must take measures, such as IP geo-blocking, to “effectively prevent or, at the very least, seriously discourage” internet users conducting a search from within the EU by using versions outside the bloc.
In a statement, Peter Fleischer, Senior Privacy Counsel at Google, said: “It’s good to see that the court agreed with our arguments, and we’re grateful to the independent human rights organisations, media associations and many others around the world who also presented their views to the court.”
In making its judgement, the court accepted that, “in a globalised world, internet users’ access — including those outside the EU — to the referencing of a link referring to information regarding a person is likely to have immediate and substantial effects on that person within the EU itself.”
But it noted that “numerous third states do not recognise the right to de- referencing or have a different approach to that right.” The court added that the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.
German MEP Patrick Breyer however is skeptical about the effectiveness and ethical probity of geo-blocking: “Blocking search engine references to legal content has little to do with an effective right to be forgotten — all the more so when geo-blocking is used to build borders in the global internet. Instead of ineffective blocking policies, illegal content should be deleted where it is stored. Internet users should avoid using Google anyway because it is spying on them in order to manipulate and exploit them commercially. I recommend using search engines that respect our privacy, like Metager, Qwant, Startpage or searx.”
Information Technology and Innovation Foundation (ITIF), a body that lobbies heavily against Europe’s data protection rules welcomed the ruling: “The ruling is an appropriate step to curb European overreach that jeopardised the future of the global internet. The EU should not be allowed to impose its own rules on other countries and the rest of the internet. Further, the R2BF prioritises the right to privacy over all other goals, such as free speech and innovation. The EU should seek to strike a better balance as it crafts other laws and regulations affecting the internet,” said ITIF Vice President, Daniel Castro.
The Computer & Communications Industry Association’s (CCIA) senior manager, Alexandre Roure, thought the ruling was suitably balanced: “Today’s ruling honors EU residents’ right to be forgotten without compromising the constitutional rights of citizens outside of the EU. We are pleased to see that the decision recognises industry’s efforts to achieve this delicate balance.”
In a related ruling, the court said that a prohibition on processing certain categories of sensitive personal data — such as political opinions, religious or philosophical beliefs, racial or ethnic origin, trade-union membership, health and sex life — applies to search engines.
But it added, a balance must be struck between the fundamental rights of the person requesting the de-referencing and those of Internet users potentially interested in that information
This second case also involves CNIL. Four individuals brought proceedings against the French Data Protection Authority for refusing to order Google to de-reference various links appearing under their names in search results. The links include a satirical photomontage of a female politician, articles mentioning one of the individuals as a public relations officer for the Church of Scientology, the judicial investigation of a male politician and the sentencing of another individual for sexual assaults on minors.
The court said that search engines are responsible under the law, not because the personal data referred to appears on a web page published by a third party, but because of the referencing of that page and the display of the link to that web page in the list of results.
Judges said that when it comes to links to criminal proceedings: “The operator of the search engine must take into consideration all the circumstances of the case, such as, in particular, the nature and seriousness of the offence in question, the progress and the outcome of the proceedings, the time elapsed, the part played by that person in public life and his or her past conduct, the public’s interest at the time of the request, the content and form of the publication and the consequences of publication for that person.” That’s a lot of responsibility for a tech company!