Google v CNIL: Defining the Territorial Scope of European Data Protection Law

On 11 September 2018, the European Court of Justice (‘ECJ’) heard arguments in Google, Inc. v CNIL, a case that concerns the territorial scope of European data protection law. Among the questions that the ECJ has been called to examine is that of the extraterritorial application of the right to be forgotten (‘RTBF’).

European Union law recognizes that data subjects have a qualified right to request the erasure of personal data that relates to them. This right is spelled out in Article 17 GDPR and was also previously recognized under the case law of the ECJ and, in a softer version, Article 12(b) of the 1995 Data Protection Directive.

In its seminal 2014 Google Spain judgment, the ECJ determined that Google is a data controller in relation to the processing of personal data carried out in the context of its search activity. Indeed, the Court found that as a search engine operator Google determines the purposes and means of indexing (even though it does not exercise control over the personal data that is published on the web pages of third parties). As a consequence, Google was found liable to comply with requests for erasure under EU data protection law. However, the precise contours of this obligation have become subject to controversy in recent years.

Background

Following Google Spain, the tech giant established internal procedures that enable it to assess requests for erasure. Since 2014, it has received around 723,000 requests, 44% of which it considered to be founded and accordingly delisted corresponding search results. It is worth noting that this only happens where a search is operated in relation to the data subject’s name. As a consequence, the relevant information can still be accessed directly through the link, or when searched for with alternative keywords as it remains available on the original website unless a separate request for erasure is successfully directed at that separate data controller. This highlights that that the right to erasure is not only a qualified but also a limited right.

When Google proceeded to delist results, it only did so in relation to EU domains, such as Google.de or Google.fr, not domains outside of the EU such as Google.com. For the Commission Nationale de l’Informatique et des Libertés (‘CNIL’), the French data protection authority, this wasn’t enough. CNIL requested that Google delist search results subject to a successful request for erasure from all domains worldwide. Only this drastic solution, it argued, could ensure the effective protection of data subjects’ rights. Indeed, where results are merely delisted from EU domains, the information can still be accessed through other domains or by using circumvention methods such as a virtual private network (VPN).

Google appealed the decision, arguing that European authorities shouldn’t extend their own privacy rules across the globe. Indeed, if tech companies had to apply EU law extraterritorially, this would compel them to contravene law in other jurisdictions. To illustrate, there is a risk that when Google applies the RTBF in the US, it might infringe upon the local protection of free speech.

The ECJ decision on the RTBF’s territorial scope is eagerly awaited. It will have pronounced implications in the field of Internet regulation but also more broadly such as in relation to blockchains. It is also worth noting that there are other uncertainties concerning the RTBF, including the precise meaning of ‘erasure’, which is not defined in EU data protection law.

Google as a Regulation Intermediary

The ECJ must now decide whether the RTBF should apply globally. Whereas the CNIL claims that global enforcement is the only way data subject rights can be upheld, Google counters that this would put it at danger of breaching laws in other jurisdictions and set a dangerous precedent, also allowing other jurisdictions to extent the application of their own rules abroad.

These facts underline that Google’s actions determine the reach of EU fundamental rights. This is so as tech firms processing personal data have essentially become regulatory intermediaries. It is Google (not a public authority) that evaluates requests for erasure and essentially takes over the traditional state function of enforcing fundamental rights. Appeals to public authorities are possible, but rare.

As an enforcer of EU law, Google’s application of the RTBF to domains outside the EU would turn it into an exporter of EU law abroad. This, in turn, would further export EU data ethics to the wider world, a phenomenon described as ‘data imperialism’ that increases Europe’s soft power in the wider world.

While it is easy to think of this as a positive evolution as the EU creates higher standards of rights protection than many other parts of the globe, it is also worth reflecting on whether this same dynamic is still as welcome if a global tech company were to impose restrictions to the freedom of expression as they exist in other parts of the world to the EU. These possibilities highlight the tension between territorial jurisdiction and the global internet.

The Mismatch Between Territorial Jurisdiction and Global Data Flows

Google v CNIL essentially highlights the incompatibility between principles of territorial jurisdiction and global data flows. Both parties have a point. The CNIL rightly insists that the RTBF can only be effectively enforced if information is genuinely ‘deleted’ not just on EU domains.  

At the same time, Google rightly pinpoints that an obligation to apply the RTBF extraterritorially may compel firms to breach law elsewhere. The ECJ’s obligation to choose the winning argument is no easy feat, especially since both positions are based on distinct perspectives. Whereas the CNIL focuses on individual rights protection, Google insists on the broader economic and societal implications.

The application of principles of territorial jurisdiction to global data flows is both challenging and controversial. Indeed, online information has become increasingly regulated over time, as highlighted by the ongoing upload filter debate in the EU, the Great Chinese Firewall and German legislation on hate speech and fake news. Besides these controversial examples of (attempts of) regulating the flow of data online, Google v CNIL underlines the practical difficulties in doing so. Indeed, one may wonder, what is the point of applying EU data protection norms online if these are not enforced globally.

As regulators across the globe are changing their approach towards online regulation from a stance of non-interference to increasing constraints, the question of how the internet can remain a world wide web of information looms large. Yet, in the absence of global consensus regarding the treatment of online information, states are left with a choice of no regulation, or regulation that may be hard to enforce. Naturally, the regulation of online information raises a range of societal and moral questions. It also has a huge economic impact. In the age of the data-driven economy digital barriers also risk stifling trade and innovation.

Historical evidence amply confirms that when technology changes, law changes too. Yet, the change required to accommodate the above dynamics would be a partial reconsideration of the very principle of territorial sovereignty in the form of international regulation. This of course has long existed in the form of trade treaties and so forth, but reaching consensus on how to treat personal and non-personal data internationally appears futile at this moment in time.

The Court’s Decision  

In Google v CNIL, the ECJ is faced with a very specific facet of that broader dynamic. The French Conseil d’Etat (that adjudicates the dispute at the national level in France) referred four questions for preliminary ruling to Luxembourg.

First, whether the de-referencing following a successful request for erasure must be deployed in relation to all domain names irrespective of the location from where the search based on the requester’s name is initiated, even if that occurs outside of the EU.

Second, if the first question is answered negatively, whether the RTBF must only be implemented in relation to the domain name of the Member State from which the search is deemed to have been operated or, third, whether this must be done in relation to the domain names corresponding to all Member States.

Fourth, whether the RTBF implies an obligation for search engine operators to use geo-blocking where a user based in (i) the Member State from which the request for erasure emanated or (ii) the territory of the EU searchers non-EU domains.

It would be surprising if the Court concluded in relation to questions two and three that delisting does not extend to the entire territory of the EU. Indeed, the ECJ has continuously insisted that data subjects must benefit from a high degree of protection, and the creation of digital divides within the EU seems to conflict with free movement and common legal space rationales.

The answer to question four depends on the strength of protection the ECJ wants to afford. Indeed, using geo-blocking would be a technical measure to enforce protection as users could not circumvent delisting on, say, Google.be by using Google.com. The RTBF is not, however, an absolute right. The text under the GDPR makes this clear and even where a request is granted, delisting only applies where a search is made in relation to the name of the data subject concerned. That is to say that the information doesn’t disappear from Google search and can still be found where alternative keywords are used. In hearings, Google appears to have stated that it already employs geo-blocking but only where the search is operated in the state the request for erasure emanates from, and that where it does, it is 99,94% accurate in determining people’s location.

Question one is by far the most controversial and hardest to resolve. Whereas geo-blocking would block EU residents’ access to information on international domains, but leave information on these domains in place, this option would require an outright delisting of search results on these domain names even when they are accessed from outside the EU. This would properly result in the extraterritorial application of the GDPR. How the Court will decide this matter remains to be seen. But it is worth noting that the European Commission, known for its expansive approach towards the GDPR’s  territorial application, has warned against such a broad interpretation as this would stretch EU data protection law beyond its intended scope. Indeed, it is widely recognised that exercising the RTBF in relation to one data controller does often not entail an absolute unavailability of the relevant data (as underlined by the facts of Google Spain). On the other hand, the ECJ seems to have created a new principle of ‘effective and complete protection’ under the GDPR, which it first mentioned in Google Spain and subsequently affirmed in Wirtschaftsakademie Schleswig Holstein to justify a broad interpretation of the notion of the data controller under the GDPR. The Court could rely on the same principle to justify a broad interpretation of the RTBF’s jurisdictional scope. 

The answer to these questions will have significant legal and geo-political implications. An Advocate General opinion is expected on 11 December and a judgment should follow in 2019.

Michèle Finck is a Senior Research Fellow at the Max Planck Institute for Innovation and Competition and a Lecturer in EU Law at Keble College, University of Oxford.