In a highly influential opinion, the Advocate General Maciej Szpunar of the Court of Justice of the European Union, in Google v. French National Commission (“CNIL”), considering the geographical limits of the EU’s “right to be de-referenced,” now codified in the GDPR and commonly known as “the right to be forgotten,” rejected the original positions of each party and essentially adopted a compromise proposal put forward by Google.
The President of the French Commission Nationale de l’Informatique et des Libertés (National Commission for Information Technology and Civil Liberties; the “CNIL”) had served formal notice on Google that, when acceding to a request from a natural person for the removal of links to web pages from the list of results displayed following a search performed on the basis of that person’s name, it must apply that “de-referencing” globally to all of its search engine’s domain name extensions – such as google.com, google.uk and google.fr. While the information would remain online and available at its source, the links to that material would be removed from search results provided by the search engine operator to a user regardless of their location.
Google refused, and took the position that merely removing the links in question from only the results displayed following a search performed on the domain names corresponding to the versions of its search engine in the Member States of the EU was enough.
By adjudication of 10 March 2016, the CNIL, after finding that Google had failed to comply with that formal notice by the prescribed time limit, imposed a penalty of €100 000.
Google subsequently suggested, after the time limit in the CNIL’s formal notice had past, to apply “geo-blocking,” whereby Internet users would be prevented from accessing the results in question, from IP addresses located in the place of residence of the person concerned, no matter which version of the search engine they used.
The CNIL considered that suggestion insufficient and the matter proceeded to the Advocate General of the Court of Justice of the European Union for his consideration and suggestion to the Court of Justice itself.
The Advocate General has taken a view similar to that of Google’s compromise. In his view, the search engine operator is not required, as the CNIL would propose, when acceding to a request for de-referencing, to carry out that de-referencing on all the domain names of its search engine in such a way that the links in question no longer appear, irrespective of the location from which the search on the basis of the requesting party’s name is performed. In his view, the search engine operations may not simply, as Google had proposed, limit restrictions to just its domain names corresponding to the versions of its search engine in the Member States of the EU (e.g., google.fr).
Instead, the Advocate General suggested that “once a right to de-referencing within the EU has been established, the search engine operator must take every measure available to it to ensure full and effective de-referencing within the EU, including by use of the ‘geo- blocking’ technique, in respect of an IP address deemed to be located in one of the Member States, irrespective of the domain name used by the internet user who performs the search.” And, the Advocate General held open the possibility that in a different matter, a global de- referencing could be justified.
In some respects, the opinion seems to recognize that the EU must limit the territorial scope of its orders – lest another nation impose its orders upon it. However, by requiring Google to impose restrictions globally on all servers when accessed from the EU, the determination explicitly considers that if there is an EU impact, the EU as the right to issue an order.
For those outside the EU considering the impact of the GDPR upon their business, this opinion is a stark reminder that the no matter how large you are or where you are located, the EU will treat the rights afforded EU residents seriously and do whatever it takes to protect them.