Data Protection Report - Norton Rose Fulbright

In a recent blog post reflecting on Google’s ongoing dispute with France’s CNIL about the scope of the “right to be forgotten,” Peter Fleisher, Google’s Global Privacy Counsel, announced that Google will maintain its position and will not comply with the CNIL’s formal notice dated May 21, 2015 to implement individuals’ requests to exercise their “right to be forgotten” on the company’s sites worldwide.

Google explained that the company has responded to many such requests (commonly referred to as “delisting”), but implemented delistings only on its European search engine domain extensions. Google did not remove links from and other non-European domains. Google takes the position that users usually access search engines via their national domains and not generally via the “.com” extension, in line with its comments to the WP29 in July 2014.

Fleisher explained that Google considers that it has worked hard to strike the right balance in the implementation of the European Court of Justice “right to be forgotten” decision, and will keep doing so. He argued that implementing delistings globally would lead to imposing on Google the responsibility of limiting the freedom of speech, whilst no “country should have the authority to control what content someone in a second country can access.”

Fleisher’s post – expressing Google’s frustrations with the European regulatory environment, particularly in France – is a logical next step in the shaping of the European “right to be forgotten.”

The “right to be forgotten” originates from the May 13, 2014 European Court of Justice (ECJ) decision which recognized that individuals have the right to request a search engine to remove links to webpages that infringe their right to privacy from the results of a search made on the basis of their name (i.e., to “delist” the links) (Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González.)

One year after the ruling, the CNIL has observed – following numerous complaints from individuals – that while Google has responded to many requests for delisting, Google carried out delistings only on the European domain extensions of the search engine. Links have not been removed from “” and other non-European domain extensions.  Agreeing with the position set out in the Article 29 Working Party’s (WP29) Guidelines of November 26, 2014, the CNIL then challenged Google’s practice in a letter sent to the search engine on April 9, 2015. This letter explained that the right to be forgotten can only be effectively exercised if delisting is implemented worldwide. It asked Google to extend delisting to all its domain extensions within fifteen days.  Google had already refused to comply for the same reasons as those that Fleisher explained in his post.

As a result, in a decision dated May 21, 2015, the CNIL held that Google’s position was in breach of articles 38 and 40 of the French Data Protection Act that implement the European rights for an individual to oppose the processing of the individual’s personal data and to have his/her personal data rectified or erased, and put Google on formal notice to implement, within a period of fifteen days (later extended for an additional 30-day period), the delisting right on all domain extensions of the search engine. The CNIL made this formal notice public, “considering the necessity to draw the attention of search engine providers and internet content publishers to the scope of the right to object and to obtain the erasure of personal data.”

Google’s appeal of CNIL’s formal notice should be decided within two months.

Our take

Clearly, the scope of application of the “right to be forgotten” is of huge importance to the future of the Internet, and the ultimate Google decision will undoubtedly not be the last step in defining the scope of the right. More important, with the Data Protection Regulation around the corner, any decision that the “right to be forgotten” is indeed global will need to be viewed in conjunction with the expanded jurisdiction European regulators will have under the Regulation: the ability to reach not only businesses that have a presence in Europe or use equipment there (as is the case now), but also those that sell products and services into Europe or monitor European residents’ behavior. We will continue to monitor the CNIL’s decision-making process as it develops and provide relevant updates on our blog.
