Google’s lawyers are in Europe’s top court today arguing against applying the region’s so-called ‘right to be forgotten’ ruling globally domains, rather only geo-limiting delistings to European sub-domains (as it does now).
The original rtbf ruling was also a European Court of Justice (ECJ) decision.
Back in 2014 the court ruled search engines must respect Europeans’ privacy rights, and — on request — remove erroneous, irrelevant and/or outdated information about a private citizen.
Google was not at all happy with the judgement, and kicked off a major lobbying effort against it — enlisting help from free speech champions like Wikipedia’s Jimmy Wales.
But it also complied with the ruling, after a fashion (after all, it is EU law) — applying delistings on local domains but not across Google.com. Which means there’s a trivial workaround for circumventing EU law.
That has displeased European data protection agencies — who say Google is flouting the law and EU citizens fundamental rights are not being respected. France’s data protection agency challenged Google’s approach. In May 2016 it ordered the company to make delistings global, and fined it €100,000 for non-compliance.
Google appealed and last year the French court decided to refer questions to the ECJ for a ruling on the scope of the delisting — saying it “poses a serious difficulty in interpreting the Law of the European Union”.
And so now we’re back in Europe’s top court with Google’s lawyers arguing against making delistings global — contending it would damage free speech, and enable authoritarian regimes to get stuff they don’t like scrubbed off the Internet.
“We — and a wide range of human rights and media organizations, and others, like Wikimedia — believe that this runs contrary to the basic principles of international law: No one country should be able to impose its rules on the citizens of another country, especially when it comes to linking to lawful content,” wrote Google’s Kent Walker, in 2015. “Adopting such a rule would encourage other countries, including less democratic regimes, to try to impose their values on citizens in the rest of the world.”
The extraterritoriality problem was also chewed over by Google’s self-appointed ‘advisory council’ on the rtbf issue at that time.
And while the majority of this Google-appointed body aligned with Google’s view that there should not be global delistings, there was one dissenting voice: German MP, Sabine Leutheusser-Schnarrenberger, who wrote then: “The internet is global, the protection of the user’s rights must also be global. Any circumvention of these rights must be prevented.”
Google and CNIL declined to comment on today’s hearing.
A second (separate) rtbf case also being heard by the ECJ today concerns whether search engines should have to remove reference to any sensitive personal information about individuals. Which would represent a significant expansion if granted.
However the case is not supported by EU data protection agencies. The individuals bringing the case had their application rejected by CNIL, leading them to pursue a legal appeal.
The key point on this case is that the current right to delist is not absolute; the rtbf only applies to private individuals, not to public figures (e.g. politicians and journalists); and also only applies where the information in question is outdated or irrelevant. So it is bounded and balanced, and absolutely does not apply to every individual and every piece of sensitive personal data.
The current implementation of the rtbf also means Google must review requests, to balance the public right to know against individual privacy rights.
The company actually denies the majority of requests — i.e. when it does not believe a request falls under the scope of the law (Google publishes a Transparency Report on delisting, showing it has, to-date, agreed to delist less than half of requests).
Individuals denied delisting can appeal to a national data protection agency, and indeed challenge a DPA decision in court — as in this case.
But Google’s lawyers said today that only a tiny fraction of rtbf request decisions are every appealed, and further claimed its decisions largely align with DPAs…
There’s no fixed timeline for the ECJ to hand down a ruling on the two cases but a spokeswoman for the court told us that on average the opinion of the Advocate General comes 2 to 4 months after the hearing, and the Court’s judgment around 3 to 6 months after that. So a court verdict does not look likely before 2019.
Since the 2014 judgement, the EU has doubled down on the rtbf — extending the principle by baking it into its recently updated data protection framework, the GDPR, which gives EU citizens rights to ask data controllers to rectify or delete their personal information, for example.