Will the arm wrestling between Google and the EU data protection authorities regarding the implementation of the so-called “right to be forgotten” come to an end? Almost a year after the CNIL issued a cease and desist against Google, the search engine announced it will expand the right to be forgotten to all Google domains, based on geolocation, starting this week.
By Carol Umhoefer (Carol.Umhoefer@dlapiper.com) & Caroline Chancé (Caroline.Chance@dlapiper.com).
On March 4, 2016, Google announced that it will use geolocation signals (like IP addresses) to restrict access to delisted URL on all Google search engine domains, including google.com, when accessed from the country of the person requesting the removal. This new approach will be applied prospectively but also “retrospectively”, to all previous delistings by Google under the ECJ’s decision in Costeja v. Google[1].
What does this change? Until now, Google delisted search results from all EU versions of the Google search engine, such as google.fr, google.co.uk or google.de, as well as from the Andorra, Icelandic, Liechtenstein, Norwegian and Swiss extensions, regardless of the country of origin of the request. This meant that delisted results were no longer accessible to Internet users using those extensions, but were still available on other versions of Google, such as google.com, google.ca or google.co.jp.
The EU data protection authorities did not consider Google’s approach to be compliant. In the view of the French data protection authority, the CNIL, the various geographic extensions are simple means of access to processing. Therefore, if a search engine agrees to delist a result, it must do it on all the extensions. The CNIL’s reasoning is that to do otherwise deprives the right to be forgotten of its effectiveness. In fact, the CNIL issued a cease and desist to Google, Inc. in May 2015, ordering it to de-index the entirety of Google’s indexing services and thus all extensions of the search engine. Google appealed to no avail (see previous posts here and here).
Google has now proposed, in addition to its existing practice, to delist results from all extensions, but only for persons searching in the specific country where the delisting request was made. This means that users in other EU countries will still be able to find those results and the search engine will still be processing the data of the person requesting the delisting, even though the negative consequences will obviously be mitigated as people in the same country won’t have access to the delisted links, whatever extension they use.
Will this new approach satisfy the EU data protection authorities? The CNIL has not yet issued its position. Nevertheless, filtering may be an acceptable (or possibly interim) compromise, particularly if applied to the entire EU, as opposed to limiting it to the country where the request was made. People in other EU countries presumably have a lesser interest in finding information regarding the person who made the delisting request. Moreover, if results are completely delisted in the country where the request was made, completely delisting in the EU should not be a problem, either technically or legally. As for the rest of the world, the right to be forgotten could still conflict with other jurisdictions’ laws.
It will therefore be interesting to see whether EU regulators will insist that links be completely delisted for anyone worldwide, as the CNIL first requested in its formal notice, essentially putting search engines in a situation where they would certainly be exposed to financial sanctions in the EU or violate other jurisdictions’ freedom of speech principles (see previous post here).
In any case, the right to be forgotten will not be forgotten, and in fact has been taken up outside the EU. For example, it has been reported[2] that a Japanese court recently ordered Google to delete from its search engine news reports of Japanese man convicted of a sex offense involving minors who invoked his right to be forgotten.
For further information, please contact Carol.Umhoefer@dlapiper.com or Caroline.Chance@dlapiper.com.