https://policyreview.info/articles/analysis/not-just-one-many-rights-be-forgotten – gavc law

25/09/201913/01/2021

Court of Justice in Google v CNIL sees no objection in principle to EU ‘Right to be forgotten’ leading to worldwide delisting orders. Holds that as EU law stands, however, it is limited to EU-wide application, leaves the door open to national authorities holding otherwise.

Many commentators were wrong-footed on reading Advocate-General Szpunar’s Opinion in C-505/17 Google Inc v Commission nationale de l’informatique et des libertés (CNIL), concerning the territorial limits to right to have search results delisted, more popularly referred to as ‘the right to erasure’ or the ‘right to be forgotten’ (‘RTBF’ – a product of the CJEU in Google Spain). Far from ruling out ‘extraterritorial’ or worldwide force of the right, the AG saw no objection to it in principle, even if he suggested non-application to the case at issue (he did so again in his Opinion in C-18/18 Eva Glawischnig-Piesczek v Facebook, which I review here and on which judgment is forthcoming next week; central to that case is private law, in contrast to current case which at its core is a public law issue of enforcement).

The Court yesterday held (the Twitter storm it created was later somewhat drowned by the UK Supreme Court’s decision in the prorogation case) and overall confirmed the AG’s views. As with the AG’s Opinion, it is important to read the Judgment for what it actually says, not just how the headlines saw it. For immediate analysis, readers may also want to read Daphne Keller’s and Michèle Finck’s threads and Dan Svantesson’s impromptu assessment.

It is again important to point out that the French data protection authority’s (CNIL) decision at issue, 2016/054 is a general CNIL instruction to Google to carry out global delisting in instances where natural persons request removal; not a case-specific one.

I have a case-note on the case and on C-137/17 (judgment also yesterday) forthcoming with Yuliya Miadzvetskaya, but here are my initial thoughts on what I think is of particular note.

1. The Court of Justice (in Grand Chamber) first of all, unusually, examines the questions in the light of both Directive 95/46, applicable to the facts at issue, and the GDPR Regulation ‘in order to ensure that its answers will be of use to the referring court in any event’ (at 41).

2. Next, at 52, the Court dismisses a fanciful distributive approach towards the computing reality of data processing:

Google’s establishment in French territory carries on, inter alia, commercial and advertising activities, which are inextricably linked to the processing of personal data carried out for the purposes of operating the search engine concerned, and, second, that that search engine must, in view of, inter alia, the existence of gateways between its various national versions, be regarded as carrying out a single act of personal data processing. The referring court considers that (and the CJEU clearly agrees, GAVC), in those circumstances, that act of processing is carried out within the framework of Google’s establishment in French territory.

3. At 55, the Court points out that de-referencing carried out on all the versions of a search engine would meet the objective of data protection in full, particularly (at 56) given the fact that ‘(t)he internet is a global network without borders and search engines render the information and links contained in a list of results displayed following a search conducted on the basis of an individual’s name ubiquitous (the Court restating here its finding in both Google Spain and Bolagsupplysningen).

At 58 the Court employs that finding of ubiquitousness to ‘justify the existence of a competence on the part of the EU legislature to lay down the obligation, for a search engine operator, to carry out, when granting a request for de-referencing made by such a person, a de-referencing on all the versions of its search engine.’ No grand statements on public international law’s views on adjudicative extraterritoriality /universality. Just a simple observation.

The Court subsequently however (at 59-60) notes other States’ absence of a right to de-referencing and their different views on the balancing act between privacy and freedom of speech in particular. At 61-62 it then notes

While the EU legislature has, in Article 17(3)(a) of Regulation 2016/679, struck a balance between that right and that freedom so far as the Union is concerned (see, to that effect, today’s judgment, GC and Others (De-referencing of sensitive data), C‑136/17, paragraph 59), it must be found that, by contrast, it has not, to date, struck such a balance as regards the scope of a de-referencing outside the Union.

In particular, it is in no way apparent from the wording of Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 or Article 17 of Regulation 2016/679 that the EU legislature would, for the purposes of ensuring that the objective referred to in paragraph 54 above is met, have chosen to confer a scope on the rights enshrined in those provisions which would go beyond the territory of the Member States and that it would have intended to impose on an operator which, like Google, falls within the scope of that directive or that regulation a de-referencing obligation which also concerns the national versions of its search engine that do not correspond to the Member States.

In other words the Court has adopted the same approach as the United States Supreme Court has done in Morrison v. National Australia Bank; and Kiobel: there is a presumption against extraterritoriality, however it is not excluded. In the absence of indications of the legislator wish to extend the right to delisting extraterritorially it does not so exist in the current state of the law.

4. At 63 the Court hints at what might be required as part of such future potential extraterritorial extension: EU law does not currently provide for cooperation instruments and mechanisms as regards the scope of a de-referencing outside the Union – in contrast with the regime it has intra-EU. This also hints at the CJEU taking a more multilateral approach to the issue than its SCOTUS counterpart.

5. At 69 the Court then adds that intra-EU, a delisting order covering all of the search engine’s EU extensions is both possible and may be appropriate: co-operation between authorities may lead to ‘where appropriate, a de-referencing decision which covers all searches conducted from the territory of the Union on the basis of that data subject’s name.’

6. A final twist then follows at 72:

Lastly, it should be emphasised that, while, as noted in paragraph 64 above, EU law does not currently require that the de-referencing granted concern all versions of the search engine in question, it also does not prohibit such a practice. Accordingly, a supervisory or judicial authority of a Member State remains competent to weigh up, in the light of national standards of protection of fundamental rights (references to CJEU authority omitted, GAVC), a data subject’s right to privacy and the protection of personal data concerning him or her, on the one hand, and the right to freedom of information, on the other, and, after weighing those rights against each other, to order, where appropriate, the operator of that search engine to carry out a de-referencing concerning all versions of that search engine.

Here I do not follow the Court: one could argue that the harmonised EU’s approach is currently not to extend the right to delisting extraterritorially. The Court on the other hand seems to be suggesting that the extraterritoriality issue was not discussed in the Directive or Regulation, that EU law does not occupy (‘pre-empt’) that regulatory space and consequently leaves it up to the Member States to regulate that right. (Update 27 September 2019: Other interpretations are collated here).

I shall need more detailed reading of the GDPR’s preparatory works to form a view as to whether the extraterritorial element was considered, and rejected, or simply not discussed. However I also want to already point out that if the decision is left to the Member States, the case-law and theory of pre-emption clarifies that such national action has to be taken in full compatibility with EU law. including free movement of services, say, which Google may rightfully invoke should there be a disproportionate impact on the Internal Market.

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2, Heading 2.2.8.2.5.

11/02/201907/06/2019

Eva Glawischnig-Piesczek v Facebook. Hate speech at the CJEU.

In Case C-18/18, Eva Glawischnig-Piesczek v Facebook, the Austrian Supreme Court has referred a ‘hate speech’ case to Luxembourg – hearing will be tomorrow, 12 February. The Case revolves around Article 15 of the E-Commerce Directive: one sentence Twitter summary comes courtesy of Tito Rendas: does Article 15 prohibit the imposition on a hosting provider (Facebook, in this case) of an obligation to remove not only notified illegal content, but also identical and similar content, at a national or worldwide level?

Mirko Brüß has more extensive analysis here. I used the case in my class with American University (my students will be at the hearing tomorrow), to illustrate the relationship between secondary and primary law, but also the art in reading EU secondary law (here: A15 which limits what can be imposed upon a provider; and the recitals of the Directive which seem to leave more leeway to the Member States; particularly in the light of the scant harmonisation of tort law in the EU). To readers of the blog the case is probably more relevant in light of the questions on territorial scope: if a duty to remove may be imposed, how wide may the order reach? It is in this respect that the case is reminiscent of the Google etc. cases.

Yet another one to look out for.

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2, Heading 2.2.8.2.5.

15/01/201917/01/2020

Forget what you have read. Szpunar AG does not restrict EU ‘Right to be forgotten’ /data protection laws to European territory in ‘Google’ case.

I have previously reported extensively on various national and European developments re the right to have search results delisted, more popularly referred to as the ‘right to be forgotten’ (‘RTBF’ – a product of the CJEU in Google Spain) and its territorial limits. (Search string ‘Google’ or ‘rtbf’ ought to assist the reader). Szpunar AG opined mercifully succinctly last Thursday in C-505/17 Google Inc v Commission nationale de l’informatique et des libertés (CNIL).

Possibly because of the English-language press release (‘Advocate General Szpunar proposes that the Court should limit the scope of the de-referencing that search engine operators are required to carry out to the EU‘) and because of the actual text of the Opinion hitherto being available in French only, general reporting has been almost unequivocally (note Michèle Finck’s 10th Tweet in an early thread on the Opinion as a cautious exception), that the AG suggests that the RTBF is limited to EU soil only.

Except, he does not. Update June 2019 and confirms as much in his Opinion in Eva Glawischnig-Piesczek v Facebook which I review here.

The Conseil d’Etat has referred one or two specific Qs but also, just to be sure, has also asked the Court of Justice for general insight into how data protection laws apply to the internet.

The AG of course departs from the core objective of the data protection Directive and now the GDPR, and Google Spain, and points out that the CJEU has put the protection of the fundamental rights of the data subject at the centre. At 46 he summarises his view before justifying it:

‘in my opinion one should distinguish according to the place in which the search is carried out. Searches carried out outside the EU ought not to be made subject to delisting’. (My translation from the French).

Geo-blocking can be ordered and ensures that within the EU territory, no Google extension may be used to access the information at issue (at 64 ff) after duly having balanced the right of freedom of information against the right to be forgotten.

Turning to his arguments, the AG points out at 47 ff first of all – briefly: see e.g. Belgian case-law on Facebook for more extensive discussion – that public international law defines the borders of the EU and its Member States. The AG sees no reason (48-49) exceptionally to extend the scope of application beyond that border in the case of the Directive or the GDPR.

(51-52) Other examples of ‘extraterritoriality’ do not sway him, such as the Trademark Directive or EU competition law. He argues that in these cases the Internal Market is impacted and EU law applies to these situations ex-EU only because the Internal Market is a finite, territorial unit. The internet is not (at 53: Le marché intérieur est un territoire clairement délimité par les traités. En revanche, l’internet est, par nature, mondial et, d’une certaine manière, est présent partout. Il est donc difficile de faire des analogies et des comparaisons).

Note that references to other instances of ‘extraterritoriality’ (or not) could have been made: such as the cases surrounding animal welfare (Zuchtvieh), cosmetics, or the EU’s emissions trading scheme.

The AG also briefly discusses ‘extraterritorial’ protection of rights under the ECHR, but distinguishes the EU Charter from same. (On the topic of the ‘extraterritorial’ impact of the EU’s human rights obligations, see excellently Lorand Bartels here).

At 60-61 the AG argues (paras which have been more or less literally translated in the Press release) that if worldwide de-referencing were permitted, the EU authorities would not be able to define and determine a right to receive information, let alone balance it against the other fundamental rights to data protection and to privacy. This, the AG argues, is all the more so since ‘the right of the public to access such information’ (un tel intérêt du public à accéder à une information; this word string bizarrely translated in the press release as ‘such a publication’) will necessarily vary from one third State to another depending on its geographic location. There would be a risk, the AG suggests, that if worldwide de-referencing were possible, persons in third States would be prevented from accessing information and, in turn, that third States would prevent persons in the EU Member States from accessing information. This might in turn lead to a race to the bottom in the right to access of information.

This is an important point, because it essentially encapsulates a core argument made by Google: that particularly in the US, the constitutional right to free speech and the corollary of the freedom to receive information, gazumps a right to be forgotten – putting Google in the event of worldwide delisting orders between SCOTUS’ rock and CJEU’s hard place.

Crucially however at 62 the AG then in my view perhaps not quite torpedoes but certainly seriously softens his overall general analysis by suggesting that his views on territoriality are the default position only, which may be varied should specific instances of the balancing act of fundamental rights, so require: it’s just that the specific circumstances of the case do not.

Les enjeux en cause n’exigent donc pas que les dispositions de la directive 95/46 soient d’application au-delà du territoire de l’Union. Cela ne signifie pas pour autant que le droit de l’Union ne saurait jamais imposer à un exploitant de moteur de recherche tel que Google qu’il entreprenne des actions au niveau mondial. Je n’exclus pas qu’il puisse y avoir des situations dans lesquelles l’intérêt de l’Union exige une application des dispositions de la directive 95/46 au-delà du territoire de l’Union. Mais dans une situation telle que celle de la présente affaire, il n’y a pas de raison d’appliquer les dispositions de la directive 95/46 d’une telle manière.

The circumstances of the case do not justify worldwide blocking. Yet other circumstances might. This is a crucial section for the French data protection authority’s (CNIL) decision at issue, 2016/054 [thank you again to the Dutch Ministry of Foreign Affairs for providing the factual background to the case; also note that in the French decision Google’s name, amusingly, is anonymised] is a general CNIL instruction to Google to carry out global delisting in instances where natural persons request removal; not a case-specific one. In other words the ‘circumstances of the case’ concern a generic, not a factual balancing.

In yet other words: there could be many instances where national data protection authorities might find worldwide delisting to be the only proper means to balance the various fundamental rights at stake. The AG Opinion offers little to no support that such worldwide delisting in concrete cases were to infringe the Directive /the GDPR. Such balancing act would be akin to X v Google LLC at the Tribunal de grande instance de Paris on which I reported last week.

Note that in his Opinion of the same day in C-136/17, the AG Opines that the default response of search engine providers must be to honour requests for delisting, and to only exceptionally not do so.

Some issues for the Grand Chamber to chew on. And then some more.

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2, Heading 2.2.8.2.5.

07/01/201907/01/2019

Territoriality and delisting. Google score (cautious) French points ahead of Thursday’s AG Opinion in CJEU case.

On Thursday the Advocate-General will opine in C-136/17 G.C. e.a. and C-507/17 Google (FR) – on which I reported ia here. The issue is, in the main, the territorial scope of EU data protection laws.

X v Google LLC at the Tribunal de grande instance de Paris on 14 November 2018 is a good warm-up, forwarded to me (for which many thanks) by Jef Ausloos (I have copy for those interested). The case concerns an article in Le Monde linking a French resident, active in international hotel management, to a Moroccan enquiry into pedophilia. The court’s review of the facts suggests an unsubstantiated link between X and the case – yet the damage to claimant’s reputation evidently is done nevertheless. Claimant requests delinking not just for searches performed in France on all Google extensions, but rather for all searches performed globally.

The court first of all observes that for searches performed in France, delisting of many of the identified urls has already happened – and orders on the basis of French law (which it applies, it suggests, per the GDPR) Google LLC to carry out delisting for the others in as far as searches are carried out from French territory. X’s privacy is given priority over freedom of expression and Google LLC’s US domicile is not mentioned as being relevant (no verbatim discussion of same is recorded in the judgment. X’s French nationality and domicile however, are, hence presumably it is the infamous Article 14 Code Civil which is at play here). Google’s argument that the as listed urls link to articles in languages other than French and relating to facts taking place outside of France is dismissed as irrelevant.

Claimant however had requested global delisting, regardless of the user’s geographical location. That, the court holds, is a request it cannot grant. Its refusal is justified in one sentence only: a global delisting order would be disproportionate in the case of a French national and resident, simply because his employment record is international:

‘une telle mesure apparaît ici disproportionnée, s’agissant d’un résident français, le seul caractère international de ces démarches d’emploi ne pouvant justifier d’une telle restriction, qui conduirait in fine à soumettre le réseau internet à une injonction de portée globale.’

The judgment therefore does not tackle the conceptual issues surrounding jurisdiction (which the Belgian courts, for instance, have been tempted into in the Facebook case), neither does it rule out global injunctions in cases which have more than just a fleeting international element.

Happy 2019.

Geert.

30/11/201830/11/2018

EDPB guidelines on the territorial reach of the GDPR: Some clear conflicts overlap.

GDPR (General Data Protection Regulation) aficionados will have already seen the draft guidelines published by the EDPB – the European data protection board – on the territorial scope of the Regulation.

Of particular interest to conflicts lawyers is the Heading on the application of the ‘targeting’ criterion of GDPR’s Article 3(2). There are clear overlaps here between Brussels I, Rome I, and the GDPR and indeed the EDPB refers to relevant case-law in the ‘directed at’ criterion in Brussels and Rome.

Geert.

(Handbook of) EU Private International Law, 2nd ed. 2016, Chapter 2, Heading 2.2.8.2.3, Heading 2.2.8.2.5.

24/11/201826/11/2018

Facebook appeal against UK fine puts territoriality of data protection in the spotlight.

I have an ever-updated post on Google’s efforts to pinpoint the exact territorial dimension of the EU’s data protection regime, GDPR etc. Now, Facebook are reportedly (see also here) appealing a fine imposed by the UK’s data protection authority in the wake of the Cambridge Analytica scandal. Facebook’s point at least as reported is that the breach did not impact UK users.

The issue I am sure exposes Facebook in the immediate term to PR challenges. However in the longer term it highlights the need to clarify the proper territorial reach of both data protection laws and their enforcement.

One to look out for.

Geert.

19/05/201707/01/2019

‘Right to be forgotten’ /data protection laws and the internet referred to CJEU.

Update 19 November 2018 Michèle Finck has excellent reporting on the hearing before the CJEU here.

Update May 2018 our paper on global case-law re RTBF is here.

Update 23 May 2017 the Case is C-136/17 and the relevant dossier (partially in Dutch) is here, on the unparalleled website of the Dutch foreign ministry. A related case is C-505/17. Update 1 February 2018 for a recent English case see [2018] EWHC 137 (QB) ABC v Google. Order to block access was denied for no permisison to serve out of jurisdiction had been sought (Google being incorporated in Delaware).

Many thanks to KU Leuven law student Dzsenifer Orosz (she is writing a paper on the issues for one of my conflict of laws courses) for alerting me to the French Conseil D’Etat having referred ‘right to be forgotten’ issues to the European Court of Justice. I have of course on occasion reported the application of data protection laws /privacy issues on this blog (try ‘Google’ as a search on the blog’s search function). I also have a paper out on the case against applying the right to be forgotten to the .com domain, and with co-authors, one where we catalogue the application of RTBF until December 2016. See also my post on the Koln courts refusing application to .com.

The Conseil d’Etat has referred one or two specific Qs but also, just to be sure, has also asked the Court of Justice for general insight into how data protection laws apply to the internet. The Court is unlikely to offer such tutorial (not that it would not be useful). However any Advocate General’s opinion of course will offer 360 insight.

One to look forward to.

Geert.

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this: