On September 24, 2019, the Court of Justice of the European Union (the “CJEU”) handed down its much anticipated follow-on judgment in connection with an individual’s right to have links removed from search results displayed following a search of that individual’s name on Google’s search engine.
Building on its recognition of a “right to de-referencing” in its landmark 2014 Google Spain judgment (establishing the so-called “right to be forgotten” or “RTBF”), the CJEU now further clarified the territorial scope of such right, and limited the de-referencing obligation to Google’s search engine websites corresponding to EU Member States, as opposed to all domain name extensions (e.g., the obligation applies to domain names with top-level domain (“TLDs”) corresponding to EU Member States, such as “google.fr” for France or “google.be” for Belgium). The Court added that Google may need to use, “where necessary”, measures effectively preventing or seriously discouraging an internet user from accessing (on other versions of the search engine, which are not subject to the de-referencing obligation) the links at issue from an EU Member State. As a consequence, Google has no obligation to remove the links at issue on all Google websites worldwide (such as on “google.com”), but may need to implement sufficiently effective measures to prevent Internet users from accessing the links from the EU.
However, the CJEU also held that, while there currently is no obligation under EU law for Member States to require a search engine to de-reference beyond Member State level, it does not follow that ordering such global de-referencing is prohibited either. Under certain specific circumstances, supervisory or judicial authorities may rule that global de-referencing is required after balancing the rights on both sides.
The CJEU also re-emphasized that the obligations under EU personal data protection legislation cannot be circumvented by having the physical processing operations elsewhere and reminded national data protection authorities of their duty to cooperate in light of diverging national laws.Background
In its 2014 Google Spain ruling, the CJEU had held that Google, when operating its search engine, processes personal data as a data controller, and recognized the right of individuals under certain circumstances to request the removal of links resulting from a search of their name thus establishing a “right to be forgotten”. Upon the individual’s request, search engine operators must delete links to websites containing personal data which is considered inaccurate, no longer relevant or not in the public interest, even if this information was initially published lawfully. Following that judgment, Google has been inundated with requests for such de-referencing and has set up an EU privacy removal request form online for individuals to request the de-referencing of the links in question.
Based on this, the French Data Protection Authority, the Commission Nationale de l’Informatique et des Libertés (“CNIL”) served formal notice on Google after receiving complaints, in May 2015, the CNIL stating that de-referencing must be implemented globally, by removing the applicable links on all of its search engine’s websites, not just the ones corresponding to EU Member States. The CNIL also faulted the geo-blocking proposals made by Google to date. Google refused to implement a global de-referencing system and the CNIL imposed a €100,000 penalty. Google appealed to the French administrative supreme court (“Conseil d’Etat”) to have the fining decision vacated. The Conseil d’Etat referred questions to the CJEU for a preliminary ruling to determine whether search engine operators, when granting a request for de-referencing, must carry out such de-referencing on all websites or limit it to websites corresponding to EU Member States, or even solely to the Member State where the request is deemed to have been made. In addition, the Conseil d’Etat asked the CJEU to clarify to what extent an online search engine was required to remove the results at stake by using “geo-blocking” techniques.
In his opinion in January 2019, Advocate General Szpunar already concluded that search engine operators are not required to implement de-referencing globally as this would make it impossible for EU authorities to effectively and determinedly define the rights that will necessarily have to be weighed against one another in these cases, such as the right to data protection, privacy and the right to free access to information. The Advocate General did, however, suggest that where an obligation to de-reference is established, all measures must be adopted to effectively prevent EU users from accessing de-referenced links through non-EU websites, including by “geo-blocking”.
In its September 24, 2019 ruling, the CJEU followed the narrow view of de-referencing obligations which limits it to search engine websites corresponding to EU Member States.
As a first step, the CJEU established again that the EU data protection legal framework (both the previously applicable Directive 95/46 and the GDPR) were applicable to Google LLC in this case by application of the criteria set out in Google Spain under the prior regime of the directive and the GDPR, underlining a inextricable link between the activities of the search engine and the commercial and advertising activities of the French establishment; and considering the data processing at issue as a single act. As a result, the CJEU confirmed that the processing is carried out in the context of Google’s French establishment and EU law is applicable.
No Obligation under Current Law to De-Reference Globally
Although the judgment emphasizes that EU data protection legislation aims to provide a high level of protection for personal data, the CJEU reasserted that the right to personal data protection is not absolute and must be balanced against other fundamental rights in accordance with the principle of proportionality, in particular freedom of information. The CJEU recognized that, while EU legislation and case law have established certain standards in that regard, those would likely vary significantly from country to country outside the EU and giving an extraterritorial scope to article 14 of Directive 95/46 or article 17 of the GDPR cannot be inferred.
Therefore, the CJEU found that the current state of EU legislation does not impose an obligation of global de-referencing outside of the EU, nor does it provide for cooperation instruments or mechanisms with respect to de-referencing outside the EU.
However, the CJEU ruled that, in light of the stated objective of EU legislation to provide a high level of protection equally throughout the EU (as expressed in recital 10 of the GDPR), the right to be forgotten in the form of de-referencing has to be carried out on websites corresponding to all EU Member States. In this regard, the CJEU underlined that the EU legal framework provides sufficient cooperation and consistency mechanisms between authorities to reconcile the fundamental rights at stake throughout the EU territory.
In addition, the CJEU held that, “where necessary”, search engine operators may still need to take mitigating measures to “effectively prevent or at the very least, seriously discourage” an Internet user located in one Member States from accessing de-referenced links through a version of the search engine corresponding to a non-EU websites. To date, it is uncertain in which conditions search engine operators may be required to implement such measures. In the present case, it will be for the Conseil d’Etat to determine if the measures proposed or already taken by Google – which has already implemented certain geo-blocking techniques – are sufficient.
There is a “But”…
Following the opinion of the Advocate General, the CJEU did not close the door to global de-referencing after striking a balance between the data subject’s right to privacy and the right to freedom of information, in light of national standards of protection of fundamental rights.
This judgment is a major victory for Google and provides some much needed clarity on the scope of the right to be forgotten and EU personal data protection legislation. While the GDPR undoubtedly has substantial extra-territorial effects, it does not apply globally and must exist alongside values and legislations of non-EU countries.
In addition, the CJEU issued a rather balanced and multi-layered judgment by refusing to recognize a global de-referencing obligation as a matter of principle, nonetheless imposing mitigating measures and leaving the door open to national authorities ordering global de-referencing measures on a case by case basis. The CJEU also seems to hint at the potential for future cooperation mechanisms on an international level.
Although this decision clarifies the territorial scope of the search engine’s obligation to de-reference, certain questions remain unanswered. In particular, it is unclear under what circumstances search engine operators may be required to implement non-access measures and we can expect that the “where necessary” standard will be the object of another preliminary ruling by the CJEU. The types of measures that would be required in these cases also remain left to the assessment of supervisory authorities and courts in the various EU Member States. This may lead to a degree of fragmentation, despite the CJEU’s call to cooperation across Member States. Further guidance from the European Data Protection Board would be welcome in that regard.
 On the same day, the CJEU issued another judgment in Case C-136/17 relating to the obligation of search engine operators to de-reference content from search results when such content contains sensitive information or data relating to offences.
 See paragraph 72; the Court makes a reference to prior cases Akerberg Fransson (CJEU, February 26, 2013 – Case C-617/10) and Melloni (CJEU, February 26, 2013 – Case C-399/11).
 See paragraph 51; this principle reasserted by the Court in the decision had already been laid down in Google Spain and is now enshrined in article 3(1) of the EU General Data Protection Regulation (2016/679 dated April 14, 2016) (the “GDPR”).
 See paragraphs 67 through 69.
 Another “right to be forgotten” or “right to erasure” has since been enshrined in article 17 of the GDPR, although it is different from that created by the CJEU in the Google Spain case, as it is not limited to search engines and appears to be the logical consequence of other principles set out in the GDPR such as the fact that personal data should be erased when no longer necessary for the purpose for which it was originally collected or processed.
 Proceedings were initiated before the entry into application of the GDPR. Therefore, the reasoning of the Court is based on both the 95/46/EC directive and the GDPR to ensure that “its answers will be of use to the referring court in any event”.
 In Google Spain, the CJEU ruled that the EU data protection framework was applicable to the Google Inc. (now, Google LLC), operating the search engine because there is an inextricable link between the commercial and advertising activities of the EU entity and the activities of the search engine.
 Pursuant to its article 3(1), the GDPR applies to the processing of personal data in the context of the activities of an establishment in the EU, regardless of whether the processing takes places in the EU.
 See paragraph 61 of the judgment, in which the CJEU specifically makes a reference to article 17(3) of the GDPR.
 See paragraph 62 of the judgment.
 See paragraph 72 of the judgment.
 For instance, the French CNIL considered the geo-blocking measures proposed by Google insufficient and the question of their adequacy remains open.