On the ECJ's ruling that the GDPR Right to Erasure doesn't apply outside the EU
Today's ruling by the ECJ on the Google v CNIL case seems to limit the territorial scope of the GDPR.
But that misses the main point of the ruling. First, the analysis is specific to the Right to Erasure. Second, it's more about the territorial scope of EU data protection authorities: they have no direct right to mandate changes to non-EU activity unless the authority first balances data subject rights against the freedom of information to show that such changes are necessary and proportional.
Media coverage
Summary of the judgement
In today's preliminary ruling (ECLI:EU:C:2019:772) on Google v CNIL (C-507/17), the ECJ limits the territorial scope of data subject rights. In essence, it hinges on the technicality that the law doesn’t explicitly say that the effects of the right to erasure should be global so that blocking search results only in the EU can be OK. While the judgment is mainly based on the pre-GDPR directive, it also considers the GDPR.
The right to erasure was developed into a right to de-referencing in the Google Spain case (C-131/12): data subjects may have a right to have certain information no longer be linked to their name in search results.
The judgment considers three questions:
-
Must the “right to de-referencing” be interpreted as meaning that a search engine operator is required to remove links from all search results, even when the searches are made from outside the EU?
-
If not, is the de-referencing only scoped to a single member state or all member states?
-
If the effect of de-referencing is restricted to some territory, must that be determined by the IP address of the searcher (geo-blocking), regardless of the Google domain used by the searcher?
The court arrived at the following results:
-
EU law (incl GDPR) does not currently have an extra-territorial scope for the right to de-referencing and supervisory authorities don’t have a direct power to require global de-referencing. However, it would be possible for EU-law to require global scope.
-
De-referencing should generally be EU-wide, but the EDPB should agree on a consistent approach.
-
Geo-blocking is for the lower court to decide. The blocking measures must “effectively prevent or, at the very least, seriously discourage” access to the de-referenced information.
Notes from the judgment:
-
De-referencing from search results is required even when the information is still present on third party websites.
-
The data subject rights to de-referencing “override, as a rule,” the public interest to get that information and the economic interests of the search engine operator. There are exceptions to the rule. The court also recognizes freedom of information for other internet users.
-
Google search may be performed in third countries but Google’s search and advertising activities are inextricably linked. Google has French branches to sell advertising, so that the search engine processes personal data under an EU establishment (and so that search falls under CNIL's authority).
-
In a globalized world, access by searchers from third countries to information about an EU data subject can have substantial effects on that EU data subject. Therefore, EU legislature would have the competency to require global de-referencing.
-
61: Data subject rights are not absolute but must be balanced and proportional. With GDPR Art 17(3)(a) accounting for freedom of expression and information the EU has struck a balance as far as the EU is concerned, but not for outside the EU.
-
62: “In particular, it is in no way apparent […] that the EU legislature would […] have chosen to confer a scope on [the right to erasure] which would go beyond the territory of the Member States”
-
63–65: Supervisory or judicial authorities of a member state cannot require a search engine operator to carry out de-referencing outside of the EU.
-
66-68: Because there’s now the GDPR which has EU-wide scope, de-referencing should also be EU-wide. However, member states have different situations regarding freedom of information because of derogations for journalistic purposes. Supervisory authorities should cooperate to balance those concerns and find an EU-wide approach.
-
72: It would be possible to require global de-referencing if the various rights are properly balanced. This could also be done by a member state supervisory authority.
Opinion/Analysis
At first it seems like the ECJ has smoked too much crack. Why on earth shouldn't erasure have effects outside the EU? That seems like a dangerous precedent!
But they are actually very concerned about properly balancing the various involved rights, in particular the right to erasure versus the freedom of information. This is already difficult enough within the EU, and no such balance exists for outside the EU.
In this sense, the judgment is less about the territorial scope of the GDPR, and more about procedural matters for the CNIL (the French data protection authority). Currently they may only regulate Google search with regard to its effects in the EU. If the protection of EU data subjects makes worldwide changes to Google search appropriate, that must first be shown through a balancing test.
- next post: gcovr 4.2
- previous post: MongoDB no longer seeks OSI approval for SSPL