French Data Protection Watchdog Rejects Google’s Search Delisting Appeal

France’s data protection watchdog has rejected Google’s appeal against an earlier enforcement notice in which the CNIL told the company to expand search delisting requests across all its domains, not just European sub-domains as Google currently is.

Google now faces the risk of enforcement action by the watchdog if it continues to avoid delisting across as well as

Quick backgrounder here: Search delisting in Europe — often dubbed the ‘right to be forgotten’ (rtbf) —  refers to a decision by Europe’s top court back in May 2014 ruling that search engines are data controllers and thus must comply with existing European data protection legislation.

Specifically the judgement means private citizens in Europe have the right to request from search engines that outdated, irrelevant or inaccurate information associated with a search for their name be delisted from that specific name search. So it requires search engines make difficult value judgements about individuals making requests — such as whether a person has any public role — as well as evaluating the specifics of their request (e.g. what constitutes ‘outdated’ information?).

Critics dub the ruling ‘censorship of information’. Yet it has also led to calls in the U.S. for greater pro-privacy protections for private individuals in an age of big data and instant access to information.

One other thing that’s worth noting here is despite Google releasing only partial data about how it’s been implementing search delisting in Europe, it’s become clearer over time that the vast majority of Europeans requesting delisting are indeed private individuals looking to have personal information removed from the web — rather than corrupt public figures seeking to whitewash their reputations (as critics of the rtbf often claim).

Returning to today’s French ruling, Google had appealed the earlier notice from the CNIL to expand delisting to but that’s now been slapped down by the data protection authority. The CNIL has been consistent in its position that Google should be applying delisting across all its domains. The argument being that not applying delisting universally leaves a trivial workaround which undermines the application of the law.

The CNIL makes this point again in rejecting Google’s appeal today, as well as reiterating the often misinterpreted fact that ruling does not require any source information be deleted from the Internet — ergo, that information is still discoverable. Point being this is about the prominence of information, and individuals’ data protection rights as regards their personal information.

The DP also refutes Google’s argument that delisting on constitutes an extraterritorial application of French law — saying it merely constitutes “full compliance of European law by non-European players offering their services in Europe”.

A spokesperson for Google declined to comment on whether the company would be complying with the CNIL’s order or not, instead reiterating a previous statement on the matter — in which Google states: “We’ve worked hard to implement the Right to be Forgotten ruling thoughtfully and comprehensively in Europe, and we’ll continue to do so.  But as a matter of principle, we respectfully disagree with the idea that a single national Data Protection Authority should determine which webpages people in other countries can access via search engines.”

If Google does not comply it faces the risk of sanction actions by the CNIL. And it wouldn’t be the first time on that front. Last year, the CNIL fined Google €150,000 on another privacy matter, for merging multiple products’ privacy policies into one unified policy.

Such small-scale financial penalties are easily shrugged off by company which reported revenues of $17.7 billion at last count. However the European Union is in the process of updating the region’s data protection regulations — with larger financial penalties for breaches being negotiation — of potentially up to 5 per cent of a company’s global turnover. A fine that runs to a hundred million dollars would be a far more prominent price on privacy.