The judgment of the Court of Justice in case C-507/17 Google v CNIL addresses the territorial scope of the ‘right to be forgotten’ (RTBF). In its earlier landmark ruling Google Spain, the Court held that search engine operators may be obliged to de-reference personal data, removing them from the results returned by the search engine. However, neither the Court in Google Spain nor the EU legislature when enacting the General Data Protection Regulation (GDPR) determined whether de-referencing should be carried out on a worldwide basis or exclusively within the EU.
In Google v CNIL, the Court reached three conclusions. First, EU law does not require de-referencing to take place on versions of the search engine in third countries. Second, search engine operators are ‘in principle’ required to carry out de-referencing on all national versions corresponding to EU Member States, although the judgment hints at possible exceptions to the uniform application of the RTBF even within the EU. Finally, search engine operators must take effective measures to prevent, or at least seriously discourage, access to the relevant links from users located in a Member State (such as through geoblocking).
The Court relied on four arguments against the need for global de-referencing: 1) the lack of global consensus on RTBF; 2) the necessary balancing exercise between the right to data protection and other fundamental rights; 3) the lack of guidance from the legislature; 4) the absence in the GDPR of cooperation mechanisms concerning de-referencing outside the EU.
The judgment has been hailed as a major victory by freedom of expression activists. However, the Court has not precluded the extraterritorial enforcement of the RTBF outright. First, it has implicitly rejected Google’s argument that worldwide de-referencing would be contrary to international law, holding that it is the EU legislature that would have the power to impose such an obligation. Second, it has also made clear that EU law does not prohibit Member States from requiring that the RTBF be enforced extraterritorially.
Overall, the judgment reads like a deferential exercise. Deference towards the EU legislature, whose intentions the Court refused to second-guess but which remains free to strengthen the extraterritorial reach of data protection rules if it so wishes. But deference also towards national supervisory and judicial authorities, bodies that are able to decide whether or not global de-referencing is required when balancing privacy rights and freedom of information ‘in the light of national standards’ of fundamental rights protection.
Given the prominence of privacy and data protection in recent Court case law and the widespread publicity the Google litigation has attracted, it is tempting to draw broader conclusions from this judgment on the extraterritorial reach (or lack thereof) of EU fundamental rights. One should be wary of such generalizations, as the Court’s reasoning is heavily dependent on the specificities of EU data protection legislation. However, the prudent approach followed in Google v CNIL suggests that the Court of Justice may also defer to national law on the extraterritorial effects of injunctions to host providers in the pending case C-18/18 Glawischnig-Piesczek.