It is now just over two years since the Court of Justice of the European Union first ruled that Google was a data controller and that the principles of EU Directive 95/46/EC (‘the Data Protection Directive’), and the various national legislation that implement them, applied to its search results.
The specific right to have search results which are in breach of data protection principles removed or ‘de-listed’ was coined the ‘right to be forgotten’ (see the judgment and our blog piece from May 2014).
From June 2014, Google implemented a system whereby people, or their legal representatives, could make requests for removal of specified results retrieved on searches of their name, and Google would consider whether the search results complained of were, in its view, likely to be compliant with the data protection principles.
Where they acceded to a request, the search results would be delisted from searches made for that person on Google’s European domains e.g. Google.co.uk, Google.fr, Google.de etc.
In November 2014, an EU Working Party set up under Article 29 of Directive 95/46/EC published guidelines which suggested this approach by Google was insufficient as it did not ‘guarantee the effective and complete protection of [data protection] rights’ and that the law could be ‘easily circumvented’ by the use of non-EU domains, including, most significantly, Google.com. Google nevertheless declined to widen the scope of its delisting.
At the same time, various individuals across the EU lodged complaints about Google with their respective data regulators. Such complainants included people whose requests had been acceded to by Google, but whom were unhappy that the scope of the filtering did not extend to non-EU domains.
On 21 May 2015, the French regulator, Commission Nationale de l’Informatique et des Libertés (‘CNIL‘), issued an enforcement notice against Google requiring it to extend delisting to all its domains within 15 days. Google requested time to consider its position, and, having unsuccessfully sought to have the notice rescinded, ultimately failed to comply. CNIL therefore issued proceedings against Google, and a hearing was listed before its Restricted Committee. In October 2015, the UK regulator, the Information Commissioner’s Office (‘ICO’) followed suit, amending an existing enforcement notice against Google to include a request that search results be delisted from all versions of Google directly accessible from within the UK (note this demand was worded more narrowly than that made by CNIL). Google appealed against the enforcement notice, and therefore the matter was listed for a hearing before the Information Tribunal.
In January 2016, Google proposed a solution, which it implemented a couple of months later (see Google’s press notice here). The position following that policy change is that, in addition to automatic delisting on all its European domains, Google will use geolocation signals such as IP addresses to try and determine where the search is being conducted from. If they consider that the search is being conducted from the country of the relevant individual, they will exclude the results.
So, in theory, a UK resident who has had results delisted, can be confident that the results will not be presented to anyone searching for them in the UK (including on Google.com and other non-EU domains). Google clearly believed this was compromise enough. That appears to have been so as far as the ICO were concerned – although we are not aware of any announcement on the issue, the Information Tribunals website shows the matter to have been settled by Consent Order, with the ICO presumably being satisfied that Google’s new policy was sufficient to meet its demand.
Not so, however, said CNIL. Its case against Google went ahead in January 2016, with judgment handed down on 10 March 2016. Google had argued that (i) CNIL’s enforcement notice was invalid as it was ‘based on an imprecise and unpredictable legal rule, and not on specific complaints‘ (ii) that CNIL was ‘exceeding its powers by imposing a measure with extraterritorial scope‘, and (iii) that ‘global delisting would represent a disproportionate attack on freedom of expression and information‘.
These arguments were rejected, with the Restricted Committee finding that (i) the notice was not based on an unpredictable rule, and whilst it was in fact founded upon some eight complaints, CNIL’s powers were not subject to the existence of a specific complaint, (ii) Google’s search engine is a single processing system, of which the local extensions are simply different technical paths adapted to the language of each country and that France’s Data Protection Act therefore applied to all its processing insofar as it might relate to French residents, and (iii) (a) delisting only applies to searches of an individual’s name, and does not remove content from the Internet or deindex it from search results more broadly, and (b) in any event, the decision to delist is only taken if the person concerned can demonstrate that the appropriate conditions are met.
Thus delisting amount to ‘a proportional check designed to retain the tight balance between respect for the rights to privacy and personal data protection of individuals and the benefit to the public of accessing information‘. So far as Google’s widening of its policy to include those searching from within the relevant country was concerned, the Committee found that this was ‘an improvement‘, but still unsatisfactory, because: –
1. ‘The delisted information remains available to all Internet users outside the territory affected by the filter measure‘; and
2. The ‘measure can still be circumvented‘.
Specifically, it identified that French residents could still access delisted content in other EU countries, or outside the EU, or even within France, by adopting technical measures such as the use of a Virtual Private Network (‘VPN’). Non-French residents would still be able to access the content, either by using Non-EU domains within the EU, or any domain outside of it.
The Committee considered that
‘the protection of a fundamental right cannot vary depending on the data recipient… only a measure that applies to all processing by the search engine, with no distinction between the extensions used and the geographical location of the Internet user making a search is legally adequate to meet the requirement for protection as ruled by the CJEU’.
It fined Google €100,000.
Google immediately indicated that it intended to appeal the decision to France’s administrative Court, the Conseil d’Etat. Last week, on Thursday, 19 May 2016, it published an opinion statement (or ‘Op-ed’) in France’s Le Monde newspaper, indicating that it had done just that. A copy of the statement is available in English here.
In short, Google’s primary argument (at least insofar as the court of public opinion is concerned) is that France is seeking to ‘impose its rules on the citizens of other countries‘. It points out that in Thailand it is illegal to insult the king, and that Brazil outlaws negative campaigning in political elections. It suggests that if France’s interpretation of the law is correct, other, ‘perhaps less open and democratic‘ countries might begin to demand that their laws have global reach, leading to a ‘global race to the bottom‘.
As Anya Proops QC writing for 11KBW’s Panopticon blog pointed out, there are interesting parallels between the issues in Google’s case against CNIL, and the recent UK Supreme Court case of PJS v Newsgroup Newspapers Ltd  UKSC 26, which, although concerned with altogether different facts, also involved consideration of how privacy rights can – and the extent to which they should – be policed in this modern, ‘global’, world.
For EU residents faced with prejudicial search engine results, the position of CNIL is encouraging, but it is likely that the Conseil d’Etat will take significant time to review Google’s appeal. In the meantime, it remains to be seen what position other national regulators will take, and a decision of the French courts will not bind the other EU states. It is nevertheless likely to be hugely influential in how widely the EU seeks to impose its data protection rules in the future.
This post originally appeared on the Brett Wilson blog and is reproduced with permission and thanks