On September 24, 2019, the Court of Justice of the European Union (“CJEU”) adopted a decision on the geographical scope of the right to erasure under the GDPR (decision available here). The court decided, in line with the opinion of Advocate General Szpunar, that a US-based search engine does not have to remove (de-reference) search results displayed on all the search engine’s versions. According to the court, it suffices for search results to be deleted from the search engine’s EU versions (i.e., EU domain name extensions, such as .eu, .fr or .de). For more information on the Advocate General’s opinion, see our prior blog post here.
In March 21, 2016, the French Supervisory Authority (“CNIL”) imposed a fine of € 100,000 on Google for not de-referencing a website from its search results on all Google search engine versions. The search engine appealed the decision before the French courts, which led to a referral to the CJEU.
The CJEU decided that “there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine”. According to the CJEU, “it is in no way apparent” that the EU lawmaker would have wanted data subject rights, such as the right to erasure, to apply beyond the EU, “and that it would have intended to impose on an operator which, like Google, falls within the scope of that directive or that regulation a de-referencing obligation which also concerns the national versions of its search engine that do not correspond to the Member States”.
The court pointed out that the search engine should use measures which “effectively prevent or, at the very least, seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subject’s name from gaining access, via the list of results displayed following that search, to the links which are the subject of that request”. In this way, the CJEU addresses the concern that non-EU versions of the search engine may still be accessible in the EU through, for example, a VPN connection or other technologies that disguise the location of the search engine user. Search engines must make reasonable efforts to prevent access to de-referenced results, but are not held to the impossible. However, distinct from Advocate General Szpunar’s opinion, the court does not specifically comment on whether the use of techniques such as ‘geo-blocking’ are sufficient, but instead the court provides that “it is for the referring court to ascertain whether…the measures adopted or proposed by Google meet those requirements”.
The CJEU also highlighted that a Supervisory Authority’s decision to have links de-referenced from search results across the EU necessarily requires that Supervisory Authority to follow the cooperation procedure laid down in the GDPR. Since the right to erasure must be weighed against other rights (e.g., freedom of information), it potentially leads to different outcomes in different Member States. To avoid this outcome, however, the court provides that Supervisory Authorities should follow the cooperation procedure under the GDPR “to adopt, where appropriate, a de-referencing decision which covers all searches conducted from the territory of the Union on the basis of that data subject’s name”. In other words, the CNIL should not on its own require de-referencing of search results across all the search engine’s EU versions.
Finally, the CJEU also clarified that EU law does not prohibit a Member State’s Supervisory Authority or courts to order a search engine to de-reference search results from all its versions worldwide. “[A] supervisory or judicial authority of a Member State remains competent to weigh up, in the light of national standards of protection of fundamental rights […] a data subject’s right to privacy and the protection of personal data concerning him or her, on the one hand, and the right to freedom of information, on the other, and […] to order, where appropriate, the operator of that search engine to carry out a de-referencing concerning all versions of that search engine.” The CNIL could thus still decide that the relevant search results must be de-referenced on all versions of the search engine on the basis of French fundamental rights standards, but not on the basis of the GDPR.