Hey, I have now hit double figures in the number of posts about the right to be forgotten! That might be a record around here. I’m too lazy to check. But a case from the past week has got me writing, so it must be important? Let’s find out!
So the case is from the European Court of Justice and it is Google LLC v. Commission nationale de l’informatique et des libertés (CNIL). It has Google in the name so really it must be important! The other party, the CNIL, errr, ou bien la CNIL ici on parle français, is the French national data protection authority. So it really must be important.
The facts such as they are, and the decision itself, are straightforward. We can dispose of this quickly and all go out for a drink. On me! Anyway, you know what the right to be forgotten (RTBF) is, I’ve written about it 9 times already. In 2015, la CNIL ordered Google:
when granting a request from a natural person for links to web pages to be removed from the list of results displayed following a search conducted on the basis of that person’s name, it must apply that removal to all its search engine’s domain name extensions
I bolded that last part, because it’s the heart of the issue. Google replied to la CNIL”fuck off, we will only remove links from those search engines within Europe”. They may not have said the fuck off part like that. Google also said well we can just geo-block any European users from seeing those results. La CNIL was not impressed with these positions and fined Google €100,000. Google said “fuck that shit” (ok maybe not, but the sentiment is right) and went to court (well sort of, the procedures are a bit more complicated, but that’s enough to know). And here we are!
The Court sided with Google, said the search results should only be blocked in Europe. And we’re done here. See you at the bar!
Well I guess you need some explanation. I wish the Court had really given some, but they didn’t. They gave some background on the RTBF, which I am not explaining again because you’ve read my last 9 posts on the topic. The Court writes:
it is apparent … that the objective of that directive and that regulation is to guarantee a high level of protection of personal data throughout the European Union…
It is true that a de-referencing carried out on all the versions of a search engine would meet that objective in full
BUT BUT BUT, here is the important point:
That being said, it should be emphasised that numerous third States do not recognise the right to de-referencing or have a different approach to that right
Like Canada! Despite what the Privacy Commissioner says, we really don’t have a RTPF in Canada (that’s my opinion anyway). And certainly not the USA, where you really have no chance of stepping on their very precious essentially unlimited free speech rights. We can’t be blocking internet users’ rights to find information, as the Court points out:
the balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world
And while the GDPR has struck that balance (see article 17(3)), the Court says that the EU “has not, to date, struck such a balance as regards the scope of a de-referencing outside the Union” (my italics, duh). So to conclude:
a search engine operator cannot be required, under Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 and Article 17(1) of Regulation 2016/679, to carry out a de-referencing on all the versions of its search engine
And really we’re done!
Superterriffic Funtime Analysis Hour
I’d like to make two points here. First, as I mentioned on Twitter, there is a bit near the end of the judgment which is interesting:
it should be emphasised that, while, as noted in paragraph 64 above, EU law does not currently require that the de-referencing granted concern all versions of the search engine in question, it also does not prohibit such a practice
So, like, “well we decided this now, but maybe in the future it may be different because the law says it’s possible”? I am really not sure, but that sentence is suspect.
Second, and this is kind of important. Very famously, Article 3 of the GDPR establishes that the GDPR, in certain circumstances, applies outside the EU. That is what we law-talking guys call “extra-territorial application”, and as Joe Biden once said, it’s a big fucking deal. This case would seem to have some sort of implication for that Article 3, yet that was not even mentioned by the Court. If the RTBF can’t apply outside the EU, what about the other data rights in the GDPR? Because of this case, is Article 3 reduced or eliminated only for the RTBF or other data rights for EU individuals? I have no idea, but it would seem the Court might have brought this up. Oh well. To be continued no doubt.
Thirdly (ok I lied I said I had only two points but another has come to me), should the EU decide what we see and don’t see here on the internet in Canada? I think the answer to that is kind of obvious (which is why I didn’t think of it when I said I had two points). Too bad our own Supreme Court doesn’t think the same thing.