Explore

Reading Mode

Territorial Scope of Right to be Forgotten

Reading Mode

On September 24, 2019, two decisions regarding the right to be forgotten released on the website of the Court of Justice of the European Union (‘CJUE’). On one of these decisions[1], CJUE sets a geographical limit to the right to be forgotten and emphasizes that de-referencing which only applies for European territory is sufficient to pursue the effective protection of individuals’ rights. In this article, the background of right to be forgotten will be presented and the summary of the Case C‑507/17 of CJUE will be examined.

Basics of right to be forgotten

As any information is needed as to an ordinary individual or a public figure, internet research engines are number one option to find answers. Since almost every aspect of our lives are accessible on the internet and probably will stay there forever, in some cases being able to ask for oblivion is mandatory for some people to move on and live without negative effects of their pasts.

Right to be forgotten is a right that enables data subjects to request the information which is relating to him or her personally should, at that point in time, no longer be linked to their names by a list of results displayed following a search made on the basis of their names. Therefore, right to be forgotten is one of the vital fundamental rights of growing technological world. Such right enables people to request the deletion or oblivion of the information about themselves that creates or may create bad impression that affects their lives.

Background of de-listing

The milestone case on de-listing is the judgment on Case C-131/12 dated 13 May 2014, where a lawyer who had a dated entry of him regarding a real-estate auction connected to his social security debts desired to remove such information from the internet, since that information may cause prejudicial to him. Even though, he requested such information to be either removed or altered by the newspaper which had published it, he also requested Google to be required to remove or conceal the personal data relating to him.

In its judgment of Case C-131/12 on such matter, CJUE  stated that pursuant to Article 2(b) of Directive 95/46, the activity of a search engine as a provider of content which consists in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as ‘processing of personal data’ when that information contains personal data. Therefore, search engines, most popular one Google, are data controllers in regard of activities which a search engine conducts upon a search request.

Such processing has its own legal grounds other than legal grounds of third party for publishing a personal data on the internet in the first place. CJUE stated that the processing made by search engines cannot be justified by merely the economic interest which the operator of such an engine has in that processing. Considering the convenience which provided by search engines on finding needed data, there is a legitimate interest of internet users from this processing and removal of all dated personal data from the list of results could have effects upon the legitimate interest of internet users potentially interested in having access to that information.

Finally, CJUE recognized that every data subject have right to “…request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results…” and such right override “not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name.”.[2]

Background of territorial scope 

Article 29 Data Protection Working Party (WP29) published a list of merits to be considered while handling de-listing requests in its Guideline adopted on November 26, 2014[3], indicating that right to be forgotten is not an absolute right, therefore the consideration for de-listing requests should be made on case by case basis.

Most importantly, WP29 emphasized that limiting de-listing to European Union domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient mean to satisfactorily guarantee the rights of data subjects and, in any case, de-listing should also be effective on all relevant domains, including .com.

Updating territorial scope of right to be forgotten

In the judgment of Case C‑507/17 dated September 24, 2019, the parties were Google LLC (‘Google’) and French Data Protection Authority (‘CNIL’). The dispute was on the territorial scope of the de-referencing regarding a penalty imposed by CNIL on Google due to Google’s refusal, when granting a de-referencing request, to apply de-referencing to all its search engine’s domain name extensions.

Google refused to impose such de-listing indicating that it has provided a new layout that enables internet users to be directed automatically to the national versions of Google’s search engines irrespective of the domain name entered by the internet users. Therefore, the search results to be shown can be filtered according to the place from where the search is made by virtue of a geo-location process based on the internet user’s IP address. However, CNIL regarded Google’s ‘geo-blocking’ proposal insufficient, made after expiry of the time limit laid down in the formal notice.

CJUE stated that a search engine operator cannot be required, under Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 and Article 17(1) of Regulation 2016/679, to carry out a de-referencing on all the versions of its search engine. Therefore, Google is not required to employ such de-listing in its national versions that do not correspond to the Member States.

CJUE indicated that the right to request de-listing is one of the essential of right to privacy in European Union, yet, the balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world. Therefore, numerous third states do not recognize the right to de-listing.

A possibility to globally effective de-listing

It is underlined that, even though worldwide de-listing is not required by law, it is not prohibited. In cases where such specific de-listing request requires global kind of protection, search operators can grant a de-listing request for all versions of their search engines. 

 Author: Aslı Naz Ünlü

[1] Judgment of the Court of Justice of the European Union in Case C‑136/17

[2] Judgment of 13 May 2014, Google Spain and Google, C 131/12, EU:C:2014:317 Para. 99

[3] Guidelines On The Implementation Of The Court Of Justice Of The European Union Judgment On “Google Spain And Inc V. Agencia Española De Proteccıón De Datos (AEPD) And Marıo Costeja González” C-131/12

Recent Articles

Territorial Scope of Right to be Forgotten

08 October 2019 7 Minutes

An Up to Date Challenge for Companies: Digital Crises from Turkish Leg...

03 October 2019 7 Minutes

A Guide for Share Transfers in Joint Stock and Limited Liability Compa...

01 October 2019 6 Minutes

Legal Update: Recent Sanctions on Iranian Entities

10 September 2019 3 Minutes

Delegation and Division of Representation and Management in Joint Stoc...

03 September 2019 6 Minutes

Notification of M&A Transactions to Turkish Competition Board

03 September 2019 6 Minutes
Podcast
Close
Close