Right to Be Forgotten Doesn't Apply Outside EU, High Court Rules

Tech companies cheered Tuesday's ruling that the right to be forgotten by search engines doesn't apply outside the EU. The case involved a dispute between Google and French privacy authority CNIL (Commission nationale de l’informatique et des libertes) over whether a subject's request to have links to web pages containing personal data delisted must be honored worldwide. The CNIL said the European Court of Justice didn't buy its approach to that right, but it provided some clarity. One privacy lawyer predicted the ruling won't change much, but a reputation protection firm said it could affect job-seekers for many years.

CNIL notified Google in May 2015 that when it granted requests for delisting, it must apply the removal to all its search engine's domain name extensions, the high court said. Google refused to comply, instead removing the links in question only from results displayed in searches conducted by its search engines in EU states. CNIL fined Google 100,000 euros ($110,000), which Google appealed to the French Conseil d’Etat. That court asked the ECJ to clarify the territorial reach of the right to be forgotten (RTBF).

The ECJ said in a globalized world internet users' access, including outside the EU, to links referring to personal information is likely to have immediate and substantial impacts on the person involved, so requiring search engines to delist all links would meet the goal of protection required by EU law. Many non-EU countries, however, don't recognize the RTBF or take a different approach to it. In addition, the right to protection of personal data isn't absolute "but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality."

Google said it has worked hard since 2014 to implement the RTBF, and "it's good to see that the Court agreed with our arguments." The CNIL noted (in French) that only worldwide delisting would provide an effective right, but the ECJ didn't accept its approach. The high court did clarify, however, that although EU law doesn't require a mandatory RTBF outside the EU, it also doesn't prohibit national data protection authorities from imposing such an order after weighing the various interests to determine whether the right should have a broader reach.

The ruling's "unsurprising," emailed Brett Wilson (U.K.) attorney Iain Wilson, who handles privacy and online harassment cases. Had the court required mandatory global delisting, it would have put the EU in conflict with nonmember states that don't recognize an RTBF. That doesn't mean the ECJ has necessarily gotten it right or that this is the final word on the subject, he said: The general data protection regulation is intended to be extra-territorial for businesses with a global market such as Google, and "therefore it seems strange that data processing by search engines that occurs outside the EU can simply be ignored because this raises questions over the practicability or desirability of enforcement actions." The judgment won't change much, he added, as it reflects Google's existing practice.

Other considerations must be taken into account for the right to be forgotten, emailed Roz Sheldon, head of client services at reputation management company Igniyte. Many businesses are global and those doing employee checks will be able to see differing regional versions for individuals. Many minor offenses or negative stories reported in news articles can rank highly in Google search results and are often opinion-based. They can remain visible in search results for 10-20 years, potentially harming someone's reputation long-term, and the ability to find a job outside the EU.

The ruling is "an appropriate step to curb European overreach that jeopardized the future of the global internet," said Information Technology and Innovation Foundation Vice President Daniel Castro. The decision "recognizes industry's efforts to achieve this delicate balance" between the RTBF and non-Europeans' constitutional rights, said the Computer & Communications Industry Association. The Software & Information Industry Association opposes the RTBF because it makes it harder to provide accurate "know-your-customer" and anti-money laundering services, but the ruling at least limits the rule's reach, said Senior Vice President-Global Public Policy Carl Schonander.

The decision shows "the tremendous weight European law gives to privacy as a human right that is given the strongest consideration before it is limited," said Future of Privacy Forum CEO Jules Polonetsky. But Member of the European Parliament Patrick Breyer, of the Group of the Greens/European Free Alliance and Germany, said blocking search engine references to legal content has little to do with an effective RTBF, especially when geo-blocking is used to build borders in the global internet.