Cookies on Pinsent Masons website

Our website uses cookies and similar technologies to allow us to promote our services and enhance your browsing experience. If you continue to use our website you agree to our use of cookies.

To understand more about how we use cookies, or for information on how to change your cookie settings, please see our Cookie Policy.

EU court advised to limit scope of 'right to be forgotten'

Search engines should not be forced to alter their search results for users outside of the EU when complying with 'right to be forgotten' requests made under EU data protection laws, a senior adviser to the EU's highest court has said.11 Jan 2019

The Court of Justice of the EU (CJEU) has previously clarified that, under EU data protection laws, a search engine has a qualified duty to delist a webpage, or URL, from its search results when requested to do so by an individual if the webpage in question contains information about that individual and the information in question is "inadequate, irrelevant, no longer relevant or excessive". Not all 'right to be forgotten' requests have to complied with, however, as the search engine is obliged to carry out a balancing act to determine whether other rights, such as in relation to freedom of expression, trump the privacy rights at issue and justify the continued availability of the information in question.

However, there has been a debate over the scope of delisting that search engines must implement when adhering to right to be forgotten requests.

France's Council of State has asked the CJEU to clarify the matter after the country's data protection authority earlier declared that delisting should be applied on a global scale, and not just in relation to search results displayed in the EU. Google challenged that determination by the Commission Nationale de l’information et des Liberties (CNIL).

According to a statement issued by the CJEU on Thursday morning, advocate general Maciej Szpunar said "search requests made outside the EU should not be affected by the de-referencing of the search results".

Szpunar came to this conclusion after acknowledging that previous EU data protection laws relevant to the case referred from France, which have since been replaced by the General Data Protection Regulation (GDPR), "do not expressly govern the issue of the territorial scope of de-referencing", and then concluding that it was right to make "a distinction … depending on the location from which the search is performed".

Szpunar said he was "not in favour of giving the provisions of EU law such a broad interpretation that they would have effects beyond the borders of the 28 member states", according to the CJEU statement.

He said that while EU law can have extraterritorial effects "in certain, clearly defined, cases affecting the internal market, such as in competition law or trade mark law", it was not possible to compare those cases to cases that would affect the internet as a whole.

"The [CJEU] should hold that the search engine operator is not required, when acceding to a request for de-referencing, to carry out that de-referencing on all the domain names of its search engine in such a way that the links in question no longer appear, irrespective of the location from which the search on the basis of the requesting party’s name is performed," Szpunar said, according to the CJEU statement.

"However … once a right to de-referencing within the EU has been established, the search engine operator must take every measure available to it to ensure full and effective de-referencing within the EU, including by use of the ‘geo-blocking’ technique, in respect of an IP address deemed to be located in one of the member states, irrespective of the domain name used by the internet user who performs the search," he said.

The decision can be contrasted with a recent Canadian case in which Google was ordered by a court in Canada to remove links to websites selling certain counterfeit goods from all of the search results it displayed globally. However, a court in California subsequently ruled that Google did not have to apply that ruling in the US.

In a separate case, also referred to the CJEU by the Council of State in France, advocate general Szpunar provided guidance in relation to when search engines must comply with 'right to be forgotten' requests that concern the removal of sensitive personal data. Like the first case, this second case concerns EU data protection laws that have been replaced by the GDPR.

The advocate general said that EU data protection laws place a general prohibition on the processing of sensitive personal data. Strict conditions must be met for the processing to be lawful.

Szpunar said, though, that search engines are not involved in placing sensitive personal data online and only reference the data that is published by others. As such "the prohibitions and restrictions" on sensitive personal data processing laid out in EU data protection laws only apply to search engines in respect of their presentation of search results.

Further clarity on the advocate general's views on the case are only likely to be obtained when the English-language version of his opinion is published.

While the requirements on search engines to remove personal data from their search results has been framed by the CJEU in the context of previous EU data protection laws, the 'right to be forgotten' has since been codified in the new General Data Protection Regulation (GDPR).