Archive for category EU law – General
Forget what you have read. Szpunar AG does not restrict EU ‘Right to be forgotten’ /data protection laws to European territory.
I have previously reported extensively on various national and European developments re the right to have search results delisted, more popularly referred to as the ‘right to be forgotten’ (‘RTBF’ – a product of the CJEU in Google Spain) and its territorial limits. (Search string ‘Google’ or ‘rtbf’ ought to assist the reader). Szpunar AG opined mercifully succinctly last Thursday in C-505/17.
Possibly because of the English-language press release (‘Advocate General Szpunar proposes that the Court should limit the scope of the de-referencing that search engine operators are required to carry out to the EU‘) and because of the actual text of the Opinion hitherto being available in French only, general reporting has been almost unequivocally (note Michèle Finck’s 10th Tweet in an early thread on the Opinion as a cautious exception), that the AG suggests that the RTBF is limited to EU soil only.
Except, he does not.
The Conseil d’Etat has referred one or two specific Qs but also, just to be sure, has also asked the Court of Justice for general insight into how data protection laws apply to the internet.
The AG of course departs from the core objective of the data protection Directive and now the GDPR, and Google Spain, and points out that the CJEU has put the protection of the fundamental rights of the data subject at the centre. At 46 he summarises his view before justifying it:
‘in my opinion one should distinguish according to the place in which the search is carried out. Searches carried out outside the EU ought not to be made subject to delisting’. (My translation from the French).
Geo-blocking can be ordered and ensures that within the EU territory, no Google extension may be used to access the information at issue (at 64 ff) after duly having balanced the right of freedom of information against the right to be forgotten.
Turning to his arguments, the AG points out at 47 ff first of all – briefly: see e.g. Belgian case-law on Facebook for more extensive discussion – that public international law defines the borders of the EU and its Member States. The AG sees no reason (48-49) exceptionally to extend the scope of application beyond that border in the case of the Directive or the GDPR.
(51-52) Other examples of ‘extraterritoriality’ do not sway him, such as the Trademark Directive or EU competition law. He argues that in these cases the Internal Market is impacted and EU law applies to these situations ex-EU only because the Internal Market is a finite, territorial unit. The internet is not (at 53: Le marché intérieur est un territoire clairement délimité par les traités. En revanche, l’internet est, par nature, mondial et, d’une certaine manière, est présent partout. Il est donc difficile de faire des analogies et des comparaisons).
Note that references to other instances of ‘extraterritoriality’ (or not) could have been made: such as the cases surrounding animal welfare (Zuchtvieh), cosmetics, or the EU’s emissions trading scheme.
The AG also briefly discusses ‘extraterritorial’ protection of rights under the ECHR, but distinguishes the EU Charter from same. (On the topic of the ‘extraterritorial’ impact of the EU’s human rights obligations, see excellently Lorand Bartels here).
At 60-61 the AG argues (paras which have been more or less literally translated in the Press release) that if worldwide de-referencing were permitted, the EU authorities would not be able to define and determine a right to receive information, let alone balance it against the other fundamental rights to data protection and to privacy. This, the AG argues, is all the more so since ‘the right of the public to access such information’ (un tel intérêt du public à accéder à une information; this word string bizarrely translated in the press release as ‘such a publication’) will necessarily vary from one third State to another depending on its geographic location. There would be a risk, the AG suggests, that if worldwide de-referencing were possible, persons in third States would be prevented from accessing information and, in turn, that third States would prevent persons in the EU Member States from accessing information. This might in turn lead to a race to the bottom in the right to access of information.
This is an important point, because it essentially encapsulates a core argument made by Google: that particularly in the US, the constitutional right to free speech and the corollary of the freedom to receive information, gazumps a right to be forgotten – putting Google in the event of worldwide delisting orders between SCOTUS’ rock and CJEU’s hard place.
Crucially however at 62 the AG then in my view perhaps not quite torpedoes but certainly seriously softens his overall general analysis by suggesting that his views on territoriality are the default position only, which may be varied should specific instances of the balancing act of fundamental rights, so require: it’s just that the specific circumstances of the case do not.
Les enjeux en cause n’exigent donc pas que les dispositions de la directive 95/46 soient d’application au-delà du territoire de l’Union. Cela ne signifie pas pour autant que le droit de l’Union ne saurait jamais imposer à un exploitant de moteur de recherche tel que Google qu’il entreprenne des actions au niveau mondial. Je n’exclus pas qu’il puisse y avoir des situations dans lesquelles l’intérêt de l’Union exige une application des dispositions de la directive 95/46 au-delà du territoire de l’Union. Mais dans une situation telle que celle de la présente affaire, il n’y a pas de raison d’appliquer les dispositions de la directive 95/46 d’une telle manière.
The circumstances of the case do not justify worldwide blocking. Yet other circumstances might. This is a crucial section for the French data protection authority’s (CNIL) decision at issue, 2016/054 [thank you again to the Dutch Ministry of Foreign Affairs for providing the factual background to the case; also note that in the French decision Google’s name, amusingly, is anonymised] is a general CNIL instruction to Google to carry out global delisting in instances where natural persons request removal; not a case-specific one. In other words the ‘circumstances of the case’ concern a generic, not a factual balancing.
In yet other words: there could be many instances where national data protection authorities might find worldwide delisting to be the only proper means to balance the various fundamental rights at stake. The AG Opinion offers little to no support that such worldwide delisting in concrete cases were to infringe the Directive /the GDPR. Such balancing act would be akin to X v Google LLC at the Tribunal de grande instance de Paris on which I reported last week.
Note that in his Opinion of the same day in C-136/17, the AG Opines that the default response of search engine providers must be to honour requests for delisting, and to only exceptionally not do so.
Some issues for the Grand Chamber to chew on. And then some more.
(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 22.214.171.124, Heading 126.96.36.199.5.
Update 16 January 2019 the first such trigger was quickly followed by a second: the EU have requested consultations with Ukraine over the country’s ban on the export of unprocessed woods.
This is a short posting for completeness and filing purposes. The EU have requested consultations with South Korea under the Trade and Sustainable Development chapter of the EU-Korea FTA. Labour rights are at the heart of the request. The request is a first trigger of the ‘Trade and’ consultations chapters under recent EU FTAs. I am not in a position to say more at this stage.
Territoriality and delisting. Google score (cautious) French points ahead of Thursday’s AG Opinion in CJEU case.
X v Google LLC at the Tribunal de grande instance de Paris on 14 November 2018 is a good warm-up, forwarded to me (for which many thanks) by Jef Ausloos (I have copy for those interested). The case concerns an article in Le Monde linking a French resident, active in international hotel management, to a Moroccan enquiry into pedophilia. The court’s review of the facts suggests an unsubstantiated link between X and the case – yet the damage to claimant’s reputation evidently is done nevertheless. Claimant requests delinking not just for searches performed in France on all Google extensions, but rather for all searches performed globally.
The court first of all observes that for searches performed in France, delisting of many of the identified urls has already happened – and orders on the basis of French law (which it applies, it suggests, per the GDPR) Google LLC to carry out delisting for the others in as far as searches are carried out from French territory. X’s privacy is given priority over freedom of expression and Google LLC’s US domicile is not mentioned as being relevant (no verbatim discussion of same is recorded in the judgment. X’s French nationality and domicile however, are, hence presumably it is the infamous Article 14 Code Civil which is at play here). Google’s argument that the as listed urls link to articles in languages other than French and relating to facts taking place outside of France is dismissed as irrelevant.
Claimant however had requested global delisting, regardless of the user’s geographical location. That, the court holds, is a request it cannot grant. Its refusal is justified in one sentence only: a global delisting order would be disproportionate in the case of a French national and resident, simply because his employment record is international:
‘une telle mesure apparaît ici disproportionnée, s’agissant d’un résident français, le seul caractère international de ces démarches d’emploi ne pouvant justifier d’une telle restriction, qui conduirait in fine à soumettre le réseau internet à une injonction de portée globale.’
The judgment therefore does not tackle the conceptual issues surrounding jurisdiction (which the Belgian courts, for instance, have been tempted into in the Facebook case), neither does it rule out global injunctions in cases which have more than just a fleeting international element.
An ethics-related posting seems apprioprate as last before ‘the’ season.
The relevant European expert group seeks feedback on draft ethics guidelines for trustworthy artificial intelligence.
Chapter I deals with ensuring AI’s ethical purpose, by setting out the fundamental rights, principles and values that it should comply with.
From those principles, Chapter II derives guidance on the realisation of Trustworthy AI, tackling both ethical purpose and technical robustness. This is done by listing the requirements for Trustworthy AI and offering an overview of technical and non-technical methods that can be used for its implementation.
Chapter III subsequently operationalises the requirements by providing a concrete but nonexhaustive assessment list for Trustworthy AI. This list is then adapted to specific use cases.
Of particular note at p.12-13 are the implications for the long term use of AI, on which the expert group did not reach consensus. Given that autonomous AI systems in particular have raised popular concern, most of which predicted in the longer term, it is clear that this section could prove particularly sticky as well as interesting.
For me the draft is a neat warm-up for when the group’s co-ordinator, Nathalie Smuha, returns to Leuven in spring to focus on her PhD research with me on the very topic.
GDPR (General Data Protection Regulation) aficionados will have already seen the draft guidelines published by the EDPB – the European data protection board – on the territorial scope of the Regulation.
Of particular interest to conflicts lawyers is the Heading on the application of the ‘targeting’ criterion of GDPR’s Article 3(2). There are clear overlaps here between Brussels I, Rome I, and the GDPR and indeed the EDPB refers to relevant case-law in the ‘directed at’ criterion in Brussels and Rome.
(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 188.8.131.52.3, Heading 184.108.40.206.5.
I have an ever-updated post on Google’s efforts to pinpoint the exact territorial dimension of the EU’s data protection regime, GDPR etc. Now, Facebook are reportedly (see also here) appealing a fine imposed by the UK’s data protection authority in the wake of the Cambridge Analytica scandal. Facebook’s point at least as reported is that the breach did not impact UK users.
The issue I am sure exposes Facebook in the immediate term to PR challenges. However in the longer term it highlights the need to clarify the proper territorial reach of both data protection laws and their enforcement.
One to look out for.
A short update on the Court of Justice’s ruling in C-151/17 Swedish Match, in which yesterday it upheld the legality of Directive 2014/40’s ban on ‘snus’ and generally on tobacco products for oral consumption. (Sweden is exempt: Article 15(1) of the 1994 Act of Accession).
The Court reaffirms the bite of the precautionary principle; emphasises the ‘gateway effect’ of snus for the young, including intern alia because consumption of snus can be done very discreetly and hence enforcement of an age ban (a suggested alternative) not effective; and the importance of giving precedence to public health over economic profit.
It also, yet again, shows that measures like these do not fall out of thin air because, as proponents of the precautionary principle would suggest, anti-innovation zealots dream up restrictive measures to kill enterprise. Rather, following extensive scientific advice, the ban is a sensible and proportionate measure to take.
EU Environmental Law, with Dr Leonie Reins, 2017, Chapter 2, Heading IV.