January 28, 2020

Reflecting on the Google LLC v CNIL (Case C-507/17) ECJ Judgment: A UK and Australian Perspective

In a landmark decision on 24 September 2019 [1], the Court of Justice of the European Union ("ECJ") ruled that the 'right to be forgotten' has limited territorial application. In particular, when exercised against a controller with multinational or global operations, the right to be forgotten only applies to those operations being undertaken within Member States of the European Union ("EU").

The case was referred to the ECJ by the French Council of State following Google's refusal to pay a €100,000 fine imposed in 2016 by the French data protection regulator, the Commission nationale de l'informatique et des libertés ("CNIL").  The fine was imposed because Google refused to de-reference (remove) links to search listings, containing personal data which was detrimental to an individual, from Google domains outside of the EU.  Google refused despite receiving a formal notice from the CNIL to remove the relevant personal data from all versions of its search engines worldwide.  Finding in favour of Google, the ECJ held that Google and other search engines are required to delist search results from domains within the EU, but not globally.

In reaching its decision, the ECJ examined Article 17 of the General Data Protection Regulation[2] ("GDPR"), Articles 12 and 14 of the Data Protection Directive,[3] and the seminal 2014 Google Spain[4] judgment, which first recognised the 'right to erasure' under existing EU law.  The ECJ emphasised that the right to protection of personal data was not absolute and must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.[5] The ECJ acknowledged that this balancing exercise may result in variations between countries, depending on the weight afforded to each applicable right, including the right to privacy and the right to freedom of expression.[6]

While the decision arguably represents a triumph for 'big tech', it is also a pragmatic approach to the extra-territorial application of the GDPR and an acknowledgement of the technical limitations of enforcing the right to be forgotten across jurisdictions.  Had the scope of the CNIL's formal notice against Google been upheld by the ECJ, Google, and other search engines, would have been required to delist sensitive information from search domains worldwide following a successful delisting request.  The ECJ appeared to recognise Google's concern that this would have had "serious chilling effects on the web"[7] and also appeared mindful of the potential for overbreadth of EU law, noting that "numerous third States do not recognise the right to de-referencing or have a different approach to that right."[8]

Before examining the implications of the decision, we set out some context on the right to be forgotten and the way in which it is applied in the EU and Australia.

What is the 'right to be forgotten'?

The ECJ first recognised the 'right to erasure' or 'right to be forgotten' in Google Spain.[9] In this case, a Spanish citizen argued that Google should remove search results relating to the repossession of his home many years earlier, on the basis that the results were no longer relevant.  In ruling against Google Spain, the ECJ held that, amongst other things, individuals have the right, under certain circumstances, to have data removed where the data are inaccurate, inadequate or irrelevant, or exceed the purpose for which the data were processed.[10] However, the ECJ noted that the right to erasure must be balanced against other fundamental rights, including freedom of information and matters of public interest.[11]

Article 17 of the GDPR has since enshrined the right to be forgotten, providing data subjects with a right to erasure of their information in a number of defined circumstances; for example, where the personal data are no longer necessary in relation to the purposes for which they were collected or processed, or where a data subject withdraws consent.[12] Furthermore, although draft guidelines[13] recently published by the European Data Protection Board appear to raise doubts as to the potential applicability of Article 17(3) exceptions to the right to be forgotten, in the context of delisting requests, Article 17(3) nevertheless has developed the balancing test adopted in Google Spain, recognising that the right to be forgotten is not an absolute right.[14]

Although this article focuses on the decision in Google LLC v CNIL, notably, another decision concerning the right to be forgotten was handed down by the ECJ on the same day.  In GC and Others v CNIL,[15] the ECJ ruled that, in relation to search results relating to criminal proceedings, search engine operators must ensure search results are amended as necessary to ensure "the overall picture it gives the internet user reflects the current legal position" of an individual. [16] The case was brought before the ECJ by unnamed individuals following the CNIL's refusal to issue formal notices on Google to de-reference various links to web pages containing sensitive data about those individuals.  The ECJ concluded that the prohibition on processing certain categories of sensitive personal data applied to search engine operators, but noted that a balance must be struck between the fundamental rights of the person requesting the de-referencing and persons potentially interested in that information. [17]

To demonstrate the different ways in which countries have struck the balance between the right to be forgotten and other rights and considerations, we now examine Australian law as a counterpoint.

A comparable 'right to be forgotten' in Australia?

The Australian Privacy Principles ("APP") enshrined in the Privacy Act 1988 (Cth) ("Privacy Act") set out the core privacy obligations imposed upon Australian organisations.  Unlike the GDPR, the Privacy Act has a significantly narrower scope of application.  For example, generally speaking, the Privacy Act only applies to organisations with an annual turnover exceeding AUD3 million, subject to some narrow exceptions.  Further, it is worth noting that Australian individuals are not empowered with any positive right to privacy, such as a statutory tort of privacy.

Unlike the EU, the Privacy Act does not enshrine an explicit right to be forgotten.  Although the Privacy Act is not as comprehensive as the GDPR in this respect, there are some similarities.  For example, APP 11.2 requires an organisation to destroy or de-identify information that is no longer necessary for the purpose for which it was collected, mirroring Article 17(1)(a) of the GDPR.

Additionally, separate to the Privacy Act, the Enhancing Online Safety Act 2015 (Cth) establishes a scheme for removing cyberbullying material, targeting an Australian child, from social media services.  Under the scheme, the eSafety Commissioner may issue a removal notice to a person who has posted cyberbullying material or to the social media service provider itself.[18]

It is worth noting that in 2014 the Australian Law Reform Commission ("ALRC") called for feedback on a proposal to expand the purview of the right to be forgotten in Australia.  The ALRC proposed the introduction of a new APP enabling individuals to request destruction or de-identification of personal information that was provided to the entity by the individual.[19]

Following submissions, including notably by the Office of the Australian Information Commissioner ("OAIC"), this proposal was rejected.  The OAIC opposed the introduction of this right on the basis that it would significantly disrupt business operations of entities that were otherwise permitted to handle the information pursuant to the Privacy Act.[20]

One can draw parallels between the balancing exercise conducted by the ECJ in Google LLC v CNIL, and the OAIC in its submission.  Like the ECJ, the OAIC appears to be seeking to strike an appropriate and proportionate balance of rights.

However, as noted above, the Privacy Act does not apply to a large majority of Australian organisations turning over less than AUD3 million annually.  This begs the question whether the balance is right, with privacy advocates arguing that big businesses should be able to cope with the administrative demands associated with the handling of personal information.

Nevertheless, the development of Australia's privacy landscape is beginning to see calls for greater erasure powers and measures which will afford individuals greater control over their personal information.  For example, Recommendation 16(d) of the Digital Platforms Inquiry attempts to address the bargaining power imbalance between consumers and digital platforms by enabling the erasure of a consumer's personal information without delay where there are no overriding reasons for the APP entity to retain the information.[21]

The Australian Competition & Consumer Commission ("ACCC") notes that any erasure request will be counterbalanced by competing public interest reasons, including "freedom of speech, freedom of the media, public health and safety, and national security".[22] Similarly, the 'Consumer Data Right', which is currently being rolled out in the banking sector, contains provisions which allow individuals to elect for the deletion of redundant data.[23] As such, while Australia currently lacks a clearly actionable right to be forgotten, a trend appears to be emerging where deletion rights are being created in response to power imbalances which exist in specific industries.

As similarly contemplated by the ECJ in Google LLC v CNIL, the balancing exercise conducted by the OAIC provides a poignant example of the way in which regulators across countries may weigh competing rights differently.  However, these disparities have caused commentators to question whether global privacy laws should be reformed to create greater equivalency between jurisdictions.  At present, there is a patchwork of regional and global privacy frameworks affording individuals differing levels of protection and imposing differing levels of compliance.

What is the significance of the Google LLC v CNIL judgment?

The decision represents a significant victory for multinational 'big tech' companies, at a time when their use and protection of personal data has become increasingly scrutinised.  The decision recognises the importance of balancing individuals' privacy rights against other fundamental freedoms, and notably takes heed of Google's concern that adopting the CNIL's stance on global delisting could result in a "race to the bottom", where "the Internet would only be as free as the world’s least free place."[24]

In light of the growing focus on data protection regulation globally, and the increasing number of cases being referred to local regulators and the ECJ, the decision provides welcome clarity around the territorial scope of EU data protection laws in this context.  That said, the ECJ left open, "where appropriate", the possibility of a Member State determining that de-referencing on all versions of a search engine is required.[25]  Importantly, this acknowledges that Member States remain competent to balance individuals' privacy rights against other fundamental rights, in light of varying national standards.  It is yet to be seen whether national data protection regulators will be emboldened by the ECJ's comments.

Likewise, the inevitable frustration of both EU citizens attempting to access information which has not been delisted outside the EU and individuals striving for a right to be forgotten globally, may lead to more frequent challenges to the weight afforded to privacy rights by individual Member States.

Finally, it is important to consider the practical challenges of enforcing this limited right to be forgotten.  It remains to be seen whether Google's geo-blocking measures will be easily circumvented (for example, through the use of Virtual Private Networks), or whether smaller search engines and intermediaries will have the ability to properly action and enforce territorially limited delisting.  If not, this may prove to be an instance where the law is out of sync with modern technological realities.

For now, the judgment will at least provide a tangible gauge of how Member States differently afford weight to privacy rights and other fundamental freedoms.

[1] C‑507/17 Google LLC, successor in law to Google Inc. v Commission nationale de l’informatique et des libertés (CNIL) [2019]

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016]

[3] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] (repealed by the GDPR)

[4] C‑131/12 Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González [2014]

[5] Google LLC v CNIL (n 1), para 60

[6] ibid

[7] Peter Fleischer, Google Global Privacy Counsel, 'Implementing a European, not global, right to be forgotten' (Google Europe Blog, 30 July 2015)

[8] Google LLC v CNIL (n 1), para 59

[9] Google Spain SL and Google Inc. (n 4)

[10] ibid, para 92

[11] ibid, paras 68, 91, 81, 97

[12] GDPR (n 2), Art. 17(1)

[13] European Data Protection Board, Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1) – Adopted on 2 December 2019 (2019) 10

[14] GDPR (n 2), Art. 17(3)

[15] C-136/17 GC and Others v Commission nationale de l'informatique et des libertés (CNIL) [2019]

[16] ibid, para 78

[17] ibid, para 66.  Also see Court of Justice of the European Union, 'The prohibition on processing certain categories of sensitive personal data applies also to operators of search engines' (Press Release No 113/19, 24 September 2019)

[18] Enhancing Online Safety Act 2015 (Cth)

[19] Australian Law Reform Commission, Serious Invasions of Privacy in the Digital Era, Discussion Paper 80 (2014) 223-226

[20] Australian Law Reform Commission, Serious Invasions of Privacy in the Digital Era, Report 123 (2014) 319-321

[21] Australian Competition & Consumer Commission, Digital Platforms Inquiry, Final Report (2019) 470-473

[22] ibid, 472

[23] Australian Competition & Consumer Commission, Explanatory Statement – Proposed Competition and Consumer (Consumer Data Right) Rules 2019 – August 2019 (2019) 10

[24] Fleischer (n 7)

[25] Google LLC v CNIL (n 1), para 72