The Territorial Scope of the European Union Right to Be Forgotten is Limited

France’s Council of State (Conseil d’État) held on March 27, 2020, that the right to be forgotten provided by European Union laws is not universal.

At issue in this case was the territorial scope of the right to be forgotten, called by the Conseil d’État “dereferencing right” (droit au déférencement).

A dereferencing request is a request, made by a natural person, to have links to webpages removed from the results of a search on this person’s name. This “right to be forgotten” was first recognized by the European Court of Justice in its 2014 Google Spain and Google judgment and is now provided by Article 17 of Regulation 2016/676, the General Data Protection Regulation (GDPR).

Under Article 17 of the GDPR, the data subject has the right to request the controller to erase personal data without undue delay, if:

  • The personal data is no longer necessary for the purpose for which it has been collected;
  • The data subject withdraws his/her consent to have the data processed;
  • The data subject objects to the processing the personal data has been unlawfully processed;
  • The personal data must be erased to comply with a legal obligation;
  • The personal data is that of a minor.

Google removes only the links from the results of searches conducted from the domain names corresponding to its search engine in the European Union Member States. Therefore, for instance, if a search is conducted using the <google.fr> domain name, only results displayed in all the European Union domain names are removed, not results appearing in the <google.ca> domain name.

In 2016, the French Data Protection Authority, the CNIL, fined Google 100,000 Euros for refusing to apply a dereferencing request to all the domain name extensions of Google’s search engine, not only to the European Union extensions.

Google lodged a request for annulment of this decision with France’s Council of State (Conseil d’État), which decided to stay the proceeding and ask the Court of Justice of the European Union for a preliminary ruling about the interpretation of several provisions of Directive 95/46, which was at the time the European Union personal data protection law, but has since been repealed and replaced by the GDPR.

The Court of Justice of the European Union held in September 2019, that a search engine operator cannot be required to carry out a dereferencing request on all the versions of the search engine, only “on the versions of that search engine corresponding to all Member States.

The Conseil d’État thus annulled the 2016 CNIL decision.

Take away:

A “right-to-be-forgotten” request does not have to be universally granted and its geographical scope will be limited to the place of residence of the data subject. If the data subject resides in one the Member States of the European Union, the request will be granted for all the European Union versions of a particular search engine, but not those outside the E.U.

Facebooktwitterredditpinterestlinkedinmailby feather