Introduction
Most people will be aware of the Google Spain CJEU case (Case C 131/12), described as the case that was “heard around the world.” This was the case which announced the so called ‘right to be forgotten’ (RtbF) or more prosaically the delisting and takedown of information from search engine results.
There is now a second Google RtbF case at CJEU level: Google France (Case C-507/17), this time involving the French data protection supervisory authority CNIL.
The Advocat General (AG) issued a preliminary Opinion in the case on 10 January 2019. The full decision of the court is still awaited.
The Issues Raised
The full AG Opinion has already been summarised in Computers & Law earlier this year. This article instead concentrates on some of the interesting issues raised by the case and the AG’s Opinion.
In particular, it looks at whether:
a) the court will agree with the AG;
b) the apparent contradictions in the AG’s approach (that tries to limit delisting to the EU) provides an adequate remedy for the individual in question, or individuals generally; and
c) whether these cases are a minority and should not skew the development of the law.
The Questions referred to the CJEU
The questions referred from the French court (following on from the CNIL decision) to the CJEU are:
“1. Must the right to de-referencing’, as established by the Court of Justice of the European Union in its [Google Spain judgment] on the basis of the provisions of Articles 12(b) and 14(a) of [the Data Protection Directive 95/46/EC (DPD 95)], be interpreted as meaning that a search engine operator is required, when granting a request for de-referencing, to deploy the de-referencing to all of the domain names used by its search engine so that the links at issue no longer appear, irrespective of the place from where the search initiated on the basis of the requester’s name is conducted, and even if it is conducted from a place outside the territorial scope of [DPD 95]?
2. In the event that Question 1 is answered in the negative, must the ‘right to de-referencing’, as established by the Court of Justice of the European Union in the judgment cited above, be interpreted as meaning that a search engine operator is required, when granting a request for de-referencing, only to remove the links at issue from the results displayed following a search conducted on the basis of the requester’s name on the domain name corresponding to the State in which the request is deemed to have been made or, more generally, on the domain names distinguished by the national extensions used by that search engine for all of the Member States of the European Union?
3. Moreover, in addition to the obligation mentioned in Question 2, must the ‘right to de-referencing’, as established by the Court of Justice of the European Union in its judgment cited above, be interpreted as meaning that a search engine operator is required, when granting a request for de-referencing, to remove the results at issue, by using the ‘geo-blocking’ technique, from searches conducted on the basis of the requester’s name from an IP address deemed to be located in the State of residence of the person benefiting from the ‘right to de-referencing’, or even, more generally, from an IP address deemed to be located in one of the Member States subject to [DPD 95], regardless of the domain name used by the internet user conducting the search?”
It is important to note a couple of things before tackling the questions set out above.
1. This action is not under GDPR
It is important to note that the AG’s Opinion is based on the earlier 1995 Data Protection Directive and not the GDPR which now applies to most RtbF(s) applications. Therefore, the AG’s Opinion and the ultimate decision of the court will not shed light directly on the GDPR.
2. Right to be Forgotten not Contested
It is also important to note that the Google France case is not seeking to overturn, undermine or directly curtail the Google Spain decision nor the RtbF per se. The RtbF is therefore acknowledged and accepted.
Will the CJEU agree with the AG?
The first question is whether the court will agree that the delisting needs to be on all URLs and domains or merely EU domains. Some might suggest that such a restriction (such as to EU domains only) would in fact act as an indirect delimitation, chipping away at the Google Spain decision.
However, the AG’s Opinion recommends that in this single individual case, the takedown should be limited to EU URLs or domains on a fully EU-wide basis and that where this approach may leave gaps, other techniques such as geoblocking must be implemented. This approach will be somewhat welcomed by the internet company, and possibly in other quarters. On the other side of the fence victim interest groups can also welcome this problem solving approach to takedown (i.e .takedown plus geo blocking plus additional required measures).
It should also be recalled that the legislation is balanced already (insofar as various interests were already considered and balanced in the core legislation itself), so it is not the case that the same legislative balancing needs to be considered in each and every case.
As always, the devil is in the detail. Interim Opinion recommendations are not always followed by the court and may not be in this instance. The AG expressly indicates that his recommendations are limited to the facts of this case and, as such, cannot be over-generalised. It would have been useful, therefore, for this caveat to have been carried through to the final paragraph of the Opinion. The AG also states, that despite recommending that extended takedown be limited to the EU (and be EU-wide), “this does not mean, however, that EU law can never require a search engine operator … to undertake global action” (see para 62).
It may be that the court is more sensitive to the issues set out below which raise a risk of creating a scenario where problem content is left without an effective remedy for individual data subjects, especially where damage, risks and threats are happening in real time and where the problem content remains easily accessible in and from the EU because it is subject only to a limited takedown. The recommendation also poses a risk to the vast majority of RtbF notices which remain non-contentious (see, for example, the figures available from the search engines (where available), including those referred to in the Google France case).
Apparent Problems and Contradictions with AG Approach
Given that online abuse (OA) and the publication of other problem content can originate from almost anywhere but effect an individual in the EU, be accessible in the EU from elsewhere, or be further distributed outside of the EU, it would seem logical that at least in some instances that takedown must be global in order to be effective.
A revenge porn victim, a victim of a filmed rape, or someone being blackmailed would not have an effective remedy if they could only have problem content removed from EU specific URLs or domains (such as .co.uk, .ie, .fr, .de) leaving the problem content in full easy view elsewhere, including from inside the EU. Local domain blocking and geoblocking are not effective in all circumstances, or at least can be easily circumvented, and a decision suggesting that they solve the problem creates numerous risks. It risks creating an assumption for all RtbF notices (even uncontentious ones) that they can remedied through a combination of limited erasure, forgetting and takedown and limited geoblocking.
One of the problems with the recommendations set out in AG’s Opinion is that it does not make clear if he contemplated the possibility that EU-only takedown would be an ineffective remedy for the individual victim nor how the DPD 95/46 (and the GDPR) could be rendered ineffective, if not meaningless, in this regard. Legislation is generally not understood by courts to be toothless in design.
By way of further background, many data protection supervisory authorities agree that at least some erasure, forgetting and takedown must be implemented more globally to be effective. For example, the CNIL data protection supervisory authority in this instance ordered more effective erasure, forgetting and takedown than afforded by limited and restricted local URL takedown .
The Canadian Supreme Court has also come to the same conclusion (Google v Equustek Solutions 2017 SCC, [2017] 1 SCR 824 (28 June 2017)). The AG does not make clear if the Canadian decision was discussed or considered.
Another difficulty with the Opinion is that it does not engage with the issue that geoblocking is not always effective as it relatively easy to bypass. Expert evidence presented in the Irish High Court emphasised that point. If geoblocking is ineffective (which might then be considered generally and in the subset of problem cases), it emphasises that erasure, forgetting and takedown needs to be wider than a limited set of EU URLs or domains. The AG recommendation would seem to suggest that geoblocking was only considered in the context of filling in gaps within the EU but it is also very relevant to how it works alongside erasure and takedown.
Another interesting aspect of the AG recommendation is that it mentions that the service provider must and “is required to take any measure at [its] disposal to ensure an efficient and complete dereferencing.” This means other solutions in addition to geoblocking could be used such as ContentID (ironically this avenue is only available to corporate rightholders but appears denied to individual victims of online abuse), Photo DNA, and similar technical solutions.
A Minority of Cases Should Not Skew the Development of the Law and Rights
After Google Spain, most companies affected by the outcome in that case have set in place procedures to comply with RtbF notices from individuals. In the vast majority of instances there is little or no controversy and the problem materials in question are taken down. Only a small number of RtbF notices are controversial: most are uncontentious (as appears confirmed from certain documentation and comments from the search engines, and also data protection supervisory authorities).
This context is important but appears not to have been considered by the AG, raising the danger of setting something in place which may be relevant to a subset of the subset of RtbF notices, but which if applied generally to all RtbF notices could result in mischief and unintended consequences, unintentionally undermining a significant part of the RtbF and the original intent of the legislation (both DPD 95 and GDPR)
While in the broad majority of the uncontroversial cases one would think there should not be any issue with a wide takedown, the issues surrounding a small subset of notices may be much more nuanced. One concern is to ensure that the small disputes do not unintentionally adversely impact the uncontroversial cases, nor remove or limit an important remedy.
Conclusion
To reiterate the issue is not whether takedown should occur or not, but rather whether the delisting and takedown must occur inside and outside of Europe or merely inside Europe. The RtbF is here to stay and over time it may expand further as problem issues or urgency become more pronounced. However, while disputed cases such as this one and Google Spain are of interest, they should not be mistaken (nor be misrepresented) as being representative of the vast majority of RtbF notices which by all accounts uncontroversial.
Finally, the decision itself is awaited. In the vast majority of instances there may be no issue, but there will no doubt continue to be contention and litigation in a small but important minority categories of cases. Over time data protection supervisory authorities will need to assess whether there are more initial refusals by search engines in these categories than should be the case; and whether these refusal categories are being represented or misrepresented to be relevant to the whole universe of RtbF notices. Interesting and important as these contentious cases are, perhaps legal opinions and decisions should make clear that they are dealing with these more niche issues (in a subset category of cases) for the sake of avoiding unintended wider consequences or unintentionally reducing or constraining the statute right which is a valuable protection for individuals, especially victims of online abuse.
Dr Paul Lambert, Author of The Right to be Forgotten (Bloomsbury Professional, 2019) expert, academic, consultant. Paul is the author of over 15 books on technology, internet, law and policy; currently researching mind data, neurodata and data protection. Visiting Research Fellow, Institute of Advanced Legal Studies, University of London.