CJEU rules that the right to be forgotten does not extend beyond the EU’s borders

The Court of Justice of the European Union (CJEU) has ruled that there is no obligation for a search engine operator to, in case of a request, de-reference personal information of individuals on all of its search engine’s domain name extensions beyond the territory of EU Member States in order to be in compliance with the right to be forgotten.

In this important decision made on 24 September 2019, the CJEU held that the right to be forgotten (provided under Article 17 of Regulation 2016/679) does not extend beyond Member States. A data controller could therefore comply with its obligations under that Regulation by: i) de-referencing personal information only from domain names having extensions associated with Member States; and ii) taking sufficient measures to prevent EU based data subjects from having access to such de-referenced personal information.

This approach is not entirely consistent with the previous position of the CNIL which considered that a de-referencing in all domain names extensions worldwide was required.

The key takeaways are as follows:

• The decision followed the refusal from Google’s French subsidiary to comply with a formal notice from the French data protection authority (CNIL) requiring global de-referencing of links concerning data subjects who decided to exercise their right to be forgotten.
• The CJEU noted that global de-referencing would meet the objectives of Regulation 2016/679 in full. However, numerous third states either do not recognise the right to be forgotten or have a differing conception of such a right.
• It is “in no way apparent” from EU legislation that the EU legislature had chosen to confer a scope on the right to be forgotten that would go beyond the territory of Member States.
• In order to ensure the protection of data subjects’ fundamental rights, search engine operators are obliged to take sufficient measures that have the effect of preventing or, at the very least, seriously discouraging internet users within the EU, from accessing content by using a search with the data subject’s name which is subject to the request for de-referencing. It is for the national referring court to ascertain whether the recent modifications made to Google’s search engine are sufficient.
• The court concluded its ruling by emphasising that EU law neither requires global de-referencing, nor prohibits it. It therefore remains within supervisory authorities’ competence to (i) balance a data subject’s right to privacy and to the protection to its personal data against the right to freedom of information, in the context of national standards of protection of fundamental rights; and (ii) to order global de-referencing if appropriate.

On the same day, the court also rendered another decision giving important clarifications as to the conditions under which individuals may de-reference a link in a search result where the page, to which the link refers to, contains sensitive information (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and health or sex life). It also provides useful insights into the public's interest in having access to information that has become incomplete or out of date due to the lapse of time.

Authors: Laurie-Anne Ancenys, Edward Hirst, Paul Vandecrux, Navid Renard