25 September 2019

The Judgment That Will Be Forgotten

How the ECJ Missed an Opportunity in Google vs CNIL (C-507/17)

On September 24 2019, the ECJ delivered its judgment in Google vs CNIL (C-507/17) which was expected to clarify the territorial scope of the ‘right to be forgotten’. In fact, the ECJ’s decision is disappointing in several respects. The Court does not only open the door to fragmentation in European data protection law but also fails to further develop the protection of individual rights in the digital age.

Berlin calling

At the end of May 2014, I was rushing to a conference in Berlin. One of Germany’s top IT-lawyers was moderating a panel to discuss the ‘right to be forgotten’ (RTBF) judgment with many high-profile discussants including a representative of Google. The Google Spain decision (C-131/12) came on May 13 2014, a little more than a year after I started my research on ‘The Right to be Forgotten as a Human Right’. It was surprising since the critical assessment of the original proposal for a RTBF in Article 17 paragraph 2 of the draft for a General Data Protection Regulation (GDPR) had resulted in its removal by EU parliament and council.

Unexpectedly in this situation, a Grand Chamber of the ECJ found in Google Spain that in a case in which irrelevant, yet controversial, personal data relating to the past is easily retrievable through the use of a search engine, this disproportionately affects the rights to privacy and data protection. Therefore, the respective individual was granted a right to ‘delist’ (‘déréférencement’, ‘Nicht-Indexierung’) the Uniform Resource Locator (URL) from the index of a search engine. Once applied, the information becomes invisible for the average user when carrying out a search query based on the person’s name, yet the original data remains available at the original source. While there are elements of the issue of personal data and how it evolves over time – which is the origin of discussion presented in the popular 2009 book ‘Delete’ – the interpretation of a RTBF in Google Spain was unexpected, and created considerable uncertainty in its application. The moderator of the panel told me: ‘The RTBF will soon be forgotten’.

Google vs CNIL (C-507/17)

Sometimes even the best lawyers money can buy are wrong. I do not state this to praise my own vision in choosing the RTBF as a topic of research, but to underline that it has been dismissed by many experts across the world. However, it is 2019 and we are still discussing. In its application Google Spain remained vague on three salient points:

On September 11 2018 hearings were held in Luxembourg in the most prominent case to date expected to clarifying the territorial scope. It was launched following a request for a preliminary ruling of the French Conseil d’État, resulting from a dispute between the French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés; CNIL) and Google. In application of ‘Google Spain’ the SEO initially only delisted requests based on the URL tailored to the national version of the search engine, but refined its practice after concerns by CNIL that it was too easy to circumvent the implementation by using the US-American version of the search engine, for example. Still after this adoption, the French regulator decided that the implementation measures based on geographical filtering were insufficient, and fined Google in 2016 to pay 100.000 Euros. The resulting appeals procedures lead to the new Grand Chamber judgment decided on September 24 2019 (C-507/17).

Both sides bring strong arguments to the bench. On the one hand, it was rightfully emphasized that extraterritorial application of law is problematic in general, and that insistence of the EU on a global implementation of the RTBF might ultimately lead to more censorship in Europe and potentially other regions of the world. Additionally, fragmentation of the regulatory framework is a serious problem for corporate activities on the Internet. On the other hand, if there is an individual right to delist a URL from the index of a search engine, the individual can only benefit from it if it is effectively exercised. In this view and if it is impossible to implement an individual right effectively, it is non-existent as such.

On January 10 2019 Advocate General (AG) Maciej Szpunar presented his opinion in the case. Although he stated that the idea of global delisting appeals due to ‘its radicality, its clarity, its simplicity and efficiency’, he found such interpretation would only consider one side of the coin. Szpunar sees the danger that the authorities of the EU would be overwhelmed with controlling a worldwide application of the right. Additionally, the EU would be interfering with the right to information of people outside its territories. In essence, the AG did not see the legal basis for extraterritorial application. Furthermore, Szpunar interprets the law in a way that SEOs are required to take all measures at their disposal to make sure the entry cannot be found in the Union territory. He mentions and discusses ‘geo-blocking’ in this context, a technology that focuses on the Internet Protocol address and other digital traces allowing to infer the location of a user. This allows to limit access to content, but the AG remains vague on the concrete technological implementation. Overall, his opinion can be summarized as proposing to limit delisting to the territory of the EU. However, users within the EU should not be able to find delisted content by using even advanced technological methods. The style of his argumentation is mostly based on formal considerations.

Key points of the judgment

Unlike in Google Spain, the final judgment follows the opinion of the AG, and repeats its own known line of argumentation. This is clearly a missed chance neither satisfying the opponents nor the proponents of a RTBF. In light of the many unclear points outlined above, the ECJ should have used the opportunity to clarify the substantive dimension of a RTBF, yet it continues to be unclear how delisting is implemented in the GDPR in detail. The ECJ needed 54 paragraphs (out of 74) to finally add something substantive to the discourse by stating: ‘It is true that a de-referencing carried out on all the versions of a search engine would meet that objective in full.’ This is the only sentence in this paragraph.

Completely missing the point and denying its mandate in Article 19 paragraph 1 sentence 2 TEU as well as the existence of a fully harmonized data protection law in the EU in 2019, the ECJ does not even attempt to define what ‘necessity’ and ‘proportionality’ mean for the RTBF as entailed in the GDPR, recapping the (obvious) need for balancing. Again, it remains unclear how delisting is in detail enshrined in the GDPR, an issue I discussed in an earlier piece. The ECJ should have developed the dogmatic reasoning further in this judgment. One option for this would be to state that the RTBF is not about whether one believes in the importance of privacy OR freedom of expression, but rather to define where the power of informational self-determination of the individual ends in the digital domain, and how the important societal interest in individual expression and access to information can be guaranteed at the same time. A matrix with criteria should have been presented with validity for the EU, potentially building on other existing non-legally binding proposals.

Instead of making substantive progress, the ECJ states in paragraph 67 that ‘it should be pointed out that the interest of the public in accessing information may, even within the Union, vary from one Member State to another’. At this point it is hard to ignore the suspicion that the court has become afraid of its own power, or simply is lacking inspiration on how ‘to justifie the wayes of god to men’. Rather than providing guidance as required by its mandate, the judges argue that national data protection authorities should engage in dialogue and cooperation to resolve this issue (paragraphs 68, 69).

Discussing the territorial scope in detail, the ECJ had essentially three options to choose from: universal, ‘glocal’ with a focus on user location, or regional delisting. In this respect, the ECJ needs to navigate the waters between Scylla and Charybdis since Article 3 GDPR effects in extraterritorial application which provokes the expectation of universal applicability of individual rights, yet leaves open how this should be enforced outside the EU. The ECJ concludes that rights cannot be enforced by DPAs outside EU territory (paragraphs 64, 65). However, does that mean that the European legislator factually overburdened its institutions? What does that say about the enforcement of individual rights of data subjects, after almost a decade of promises that they are protected against the multinational giants GDPR was drafted to regulate?

Certainly, the ECJ adds that SEOs must take measures ‘seriously discouraging internet users’ (paragraph 70) not to leave their golden cage, but the judges do not develop criteria how this should technically work. This is a big problem since we have seen in the past that it leaves the enforcement of the RTBF effectively to SEOs, which lead to this case in the first place. Hence, the problematic aspects threatening the rule of law and democratic control of digital space are neither resolved, nor addressed by this judgment, which is worrying since the digital domain is already heavily influenced by the forces of ‘surveillance capitalism’.

However, the real disappointment about this judgment comes at the very end. Leaving aside that there is no direct reference to god in the European treaties, paragraph 72 is a sin against the spirit of European integration since it denies much which has been achieved in the harmonization of the EU data protection framework over the past decades. Rendering its own preceding elaborations practically meaningless, the ECJ states that national authorities might ‘in the light of national standards of protection of fundamental rights’ require SEOs to carry out universal delisting’ (!).

This is completely against the spirit of the GDPR, giving back the power of regulation to member states. In light of this statement one wonders how the judges would explain to data subjects across the EU that they might have a right to delist information universally in one country (e.g. France), ‘glocally’ in another (e.g. Germany), and only nationally in the third (e.g. the United Kingdom or what will be left of it). It is also unclear whether there will be the possibility for ‘forum shopping’ for European data subjects, picking and choosing the kind of delisting that they prefer themselves. With this looming threat of fragmentation, one might argue that even SEOs like Google cannot be content with the outcome of the proceedings.

A court abandoning its child

To clarify: I am not in favour of the extraterritorial application of law. Personally, I think that provisions on the territorial scope such as Article 3 GDPR are unhelpful. Rather, it seems useful to develop (more) common international standards and approaches to issues such as the RTBF which are of clear practical importance for many people across the world. This judgment lacks leadership in this regard and fails to pave the way for substantive progress. Instead it resorts to conservative formalistic considerations. If one believes in the need for European integration and harmonized data protection law one should also be able to expect substantive (legal) leadership of the highest court of the EU. In this judgment the ECJ is abandoning its own child.

This is unfortunate since the judges miss to see the broader picture: the RTBF is not a European concept. In South America both Argentina (Virgina da Cunha case) and Brazil (Daniela Cicarelli case) have significant developments in the area which partly precede the 2014 judgment of the ECJ to 2010 or earlier. At the time of writing, appearances of a RTBF in court judgments, statutes, or draft legislation are documented for Canada, Colombia, Chile, Israel, Peru, Mexico, Kenya, Russia, and Indonesia. Additionally, Japan has a vivid discussion on the nature and implementation of the right, and there is considerable jurisprudence on the topic in the country. Furthermore, a 2018 judgment of the European Court of Human Rights in Strasbourg invites speculations whether the concept of a RTBF is not only relevant for the member states of the EU, but the broader Europe with states such as Switzerland, or Turkey. Even before this judgment specifically relating to delisting the Strasbourg court produced a considerable amount of case law addressing this area. At the same time average citizens in the United States fight against the publication of ‘revenge porn’, or struggle with the removal of images from ‘mugshot’ sites, while the more privileged descendants of wealthy families pay to clean up their digital mess before applying to college. Finally, recent scholarship of colleagues at Cambridge University supports to approach this issue from a more universal perspective.

If one counts the number of states just mentioned in this incomplete list, it can be assumed that more than 25 percent of the nations on earth have already seen considerable legal developments in the area of a RTBF, including regulation and court judgments. In light of all of this it is a missed chance to develop individual rights in the digital age further, promoting human dignity in the digital age. The court has failed to recognize its own mission and mandate. However, coming back to the beginning of this piece, this is to be continued.


SUGGESTED CITATION  Gstrein, Oskar J.: The Judgment That Will Be Forgotten: How the ECJ Missed an Opportunity in Google vs CNIL (C-507/17), VerfBlog, 2019/9/25, https://verfassungsblog.de/the-judgment-that-will-be-forgotten/, DOI: 10.17176/20190925-232711-0.

3 Comments

  1. researcher Fr 27 Sep 2019 at 09:13 - Reply

    Thank you very much for this enlightening analysis!
    However, I can’t find any of the citations made in this article in the actual judgment of the ECJ – even copying citations and searching for them in the judgment is of no avail. Could you please counter-check your references made in the article? And especially the paragraphs of the judgment? I am sure there might have occured some erros? Or please correct me if I am wrong!
    Link to the ECJ Decision (CNIL v Google)
    http://curia.europa.eu/juris/document/document.jsf?text=&docid=218106&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1

    • researcher Fr 27 Sep 2019 at 09:21 - Reply

      Forget about this comment, I just realized that the version I posted is marked as „Provisional text“ by the ECJ and has another case number (C-136/17) – however refers to very same case CNIL v Google and was decided on 24th of Sept 2019.

      I am very much confused: could you please explain what is the difference between case C‑507/17 and C-136/17?? Anybody?

  2. Simon O. Fr 27 Sep 2019 at 18:03 - Reply

    Case C-507/17 and case C-136/17 are two completely different cases. Best to read the facts of both of them (at the beginning of each judgment, after the legal Framework). In short – C-136/17 is about the special situation of „sensitive data“ (relating to race, sexual orientation etc) where as C-507/17 is, as extremely well explained in the article about the reach of the obligation to de-list: on a national, EU or world-wide level. As the article explains, the ECJ, just as AG Szpunar back in January, went for the second option, albeit with a confused and at times flawed reasoning (the ECJ, not its AG, that is).

Leave A Comment

WRITE A COMMENT

1. We welcome your comments but you do so as our guest. Please note that we will exercise our property rights to make sure that Verfassungsblog remains a safe and attractive place for everyone. Your comment will not appear immediately but will be moderated by us. Just as with posts, we make a choice. That means not all submitted comments will be published.

2. We expect comments to be matter-of-fact, on-topic and free of sarcasm, innuendo and ad personam arguments.

3. Racist, sexist and otherwise discriminatory comments will not be published.

4. Comments under pseudonym are allowed but a valid email address is obligatory. The use of more than one pseudonym is not allowed.




Explore posts related to this:
European Integration, Right to be Forgotten, data protection


Other posts about this region:
Europa

Explore posts related to this:
European Integration, Right to be Forgotten, data protection


Other posts about this region:
Europa
3 comments Join the discussion