Member News

The European Court of Justice Issues Two Important Decisions Clarifying the Scope of the Right to Be Forgotten and ISPs Liability

By: Angelo A. Stio III | Partner | Pepper Hamilton LLP and Laura Liguori |Partner | Portolano Cavallo  [1]

We routinely hear from United States citizens who want advice on how to remove photographs, newspaper articles, videos or personal information about themselves from the internet.  Whether these individuals are applying for a job or entrance into a secondary school, or they just want to maintain the privacy, people want to know how to erase their information from the web.  In absence of a violation of law or a website’s posting policies, in the United States the erasure or elimination of information from the internet is difficult to achieve.   In Europe it is much easier to have this information removed. 

In Europe, there is a fundamental right for European citizens in the GDPR known as the right to be forgotten, which is included in the fundamental right to the protection of individuals’ personal data as recognized by the European legislation.  This right can have several forms, and may consists of the right to request the cancellation of personal information posted on a website (right to erasure), as well as  the right to request the elimination of metadata and links to webpages containing personal information from search engines so that information about an individual’s past cannot be found though an internet search(right to de-referencing).

This article focuses on the right to de-referencing and the European Court of Justice’s recent decisions in Google, Inc. v. Commission Nationale De L’Informatique Et Des Libertés (CNIL) ECJ, September 24, 2019 and Glawischnig-Piescek v. Facebook Ireland, ECJ October 3, 2019,  which analyzed the geographic scope of the right to be forgotten, on the one hand, and of the Internet Service Providers (ISPs) obligation to take down unlawful content, on the other. 


The Right to De-referencing in Google, Inc. v. Commission Nationale De L’Informatique Et Des Libertés (CNIL)

As a preliminary matter, the right to de-referencing was judicially recognized in a decision by the European Court of Justice in 2014 entitled, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González, May 13, 2014.  In this case, the Court ruled that Google and other search engines must consider requests from individuals (or data subjects) to remove links to web pages resulting from a search on their name. Grounds for removal include cases where the search results “appear to be inadequate, irrelevant or no longer relevant or excessive in the light of the time that had elapsed.”

As the Court explained, with the 1995 Directive of the EU on personal data protection, the European Charter of Human Rights (Article 8, Right to privacy) and the Charter of Fundamental Rights of the European Union (Article 7, Right to privacy), personal data protection appears to be a fundamental right in the EU.  On this basis, the Court held that the “right to de-referencing” prevails over the economic interest of the search engine operator and the “right of the internet users to access information” unless the preservation of the information is justified by the overriding interest of the public, in particular because of the individual’s or data subject’s role in public life. 

It is worth noting that the decision recognized the right to de-referencing independently from the lawfulness of the personal data to be published in the webpages being referred to by the search engine. In other words, the right in question entitles the individual to obtain his/her personal data to be delisted from a search engine, even when the publication of his/her personal data on the referred webpages is lawful.

Following the 2014 Google decision, Google has handled many different requests in all EU jurisdictions, and, in some cases, cases have been brought before the national data protection authorities. For example, they have ordered Google to remove information about an individual’s eight year old criminal conviction, information that was defamatory to an individual and information about a surgeon’s suspension from the practice of medicine after the suspension was overturned.  In each case the authorities’ found that the information’s privacy rights trumped the right of the public to access the information. 

The impact of  the 2014 decision  has been so significant that the Article 29 Working Party (the EU body grouping all Members States’ Data Protection Authorities, replaced by the European Data Protection Board on 25 May, 2018) drew up guidelines containing criteria by which to guide the national data protection authorities of the EU Member States in their decision-making on issues relating to the exercise of this right. As to the territorial extension of the right to be forgotten, the Article 29 Working Party suggested – in its guidelines – that any de-listing order should have been implemented globally (on any domain of the search engine, .com included), i.e., beyond the EU borders.  

Finally, Article 17 of the General Data Protection Regulation (which superseded the 1995 Directive becoming effective in all EU Member States in 2018) recognizes this right as part of the right of erasure.

On September 24, 2019, the European Court of Justice found the right to de-referencing has its limits and finally took a position on the interpretative question that was posed right after the issuance of its 2014 decision concerning Google Spain. In particular, the question was whether the right to be forgotten found application within the territory of EU (i.e. on the local domains) or also at a global level (on any domain, including the .com and other corresponding to non-EU Member States).  In this regard, only the Article 29 Working Party took a position, but it is worth noting that the guidelines mentioned above were not binding on national authorities.

The case at hand started when, on May 21, 2015, the CNIL (the French Data Protection Authority) served a formal notice on Google that, when granting a request from a person for the links to web pages to be removed from the list of results displayed following a search conducted on the basis of that person’s name, it must apply that removal to all its search engine’s domain name extensions.

Google refused to comply with that formal notice and claimed the removal of personal data would only be applied to links displaying searches from domain names and search engines in the Member State.  In response, the CNIL found that Google failed to comply with a formal notice and imposed a penalty of 100,000 EUR.

Google sought reversal of the adjudication in the Conseil d’Etat (Council of State, France).  It argued that the right to de-referencing does not necessarily require that the links at issue are to be removed from all its search engines without geographical limitation,

After considering that the arguments on appeal and the complex issues involving the interpretation of Directive 95/46 (which was subsequently superseded by the GDPR), the Conseil d’Etat stayed the proceeding and referred several questions to the European Court of Justice (ECJ) for a preliminary ruling.  The questions posed to the ECJ were whether the search engine operator is required to remove metadata and links for all the versions of its search engine or only in the versions corresponding to all the Member states or even only on the version corresponding to the Member State in which the request for de-referencing was made.

In answering the question, the ECJ stated that “the objective of [Directive 95/46] is to guarantee a high level of protection of personal data throughout the European Union. It is true that de-referencing carried out on all the versions of a search engine would meet that objective in full.”  However, the ECJ found that “numerous third States do not recognize the right to de-referencing or have a different approach about that.”  The Court added that the right to the protection of personal data is not an absolute right, but must be considered in relation to its functions in society.  The right, therefore, must be balanced with other fundamental rights, in accordance with the principle of proportionality.  The Court further found that “the balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world.”  The ECJ found that “it is no way apparent that the EU legislature would have chosen to confer a scope on the rights enshrined in those provisions which would go beyond the territory of the Member States.”

Based on these reasons, the Court – differently from the interpretation provided by the Article 29 Working Party – concluded that “currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject to carry out such a de-referencing on all the versions of its search engine.”  The Court, however, did find that “EU law requires a search engine operator to carry out such a de-referencing on the versions of its search engine corresponding to all the Member States.”  

In reaching this decision, the ECJ noted that there could be exceptions to this rule. It found that national authorities, “remain competent to weigh up, in light of national standards of protection of fundamental rights, a data subject’s right to privacy and the protection of personal data concerning him or her, on the one hand and the right to freedom of information, on the other hand, after weighing those rights against each other, to order, where appropriate, the operator of that search engine to carry out a de-referencing concerning all versions of that search engine.” Therefore, while the ECJ recognized that a search engine is not obliged to de-reference personal data from all versions of its domains, it also stated that there is nothing preventing national authorities to balance the right to personal data protection and the right to information and order the search engine to de-reference personal information on all the versions of the search engine, even beyond the EU borders.

This last part of the decision leaves some uncertainties on the practical application of this ruling by national protection authorities. On the one hand, the ECJ states that EU law does not recognize an obligation for search engine operators to remove the personal data from all versions of their websites.  On the other hand, it allows national data protection authorities to order the removal from all versions of the search engine, leaving unclear on which basis such an order could be issued.


The ISPs Liability in Eva Glawischnig-Piescek v. Facebook Ireland Limited

On October 3, 2019, the ECJ elaborated on the scope of eCommerce Directive2000/31 in Eva Glawischnig-Piescek v. Facebook Ireland Limited.  It is important to note that the two rulings do not cover the same topic: in the Google case, the ECJ ruled on the right of de-referencing based on EU data protection laws, while in the Facebook case, the Court ruled on the limits to the obligations of a hosting provider to remove unlawful contents posted by third parties which are harmful to an individual.

In this latter case, the Court examined whether a European Court could order Facebook to remove social media posts about an EU citizen that were deemed to be defamatory beyond the jurisdiction of the EU States.  The ECJ found that while Facebook is exempt from actively policing all of the content on its platform in Europe, the social network must remove not only user comments that European courts have deemed illegal, but also other comments that are identical to those found illegal and still available on the hosting provider’s website.  In this case, the ECJ found that a European Court could order Facebook to remove posts found to be defamatory in regions beyond its jurisdiction.  In other words, the ECJ found Facebook could be ordered to remove information or to block access to that information worldwide within the framework of the relevant international law.  The rationale for this decision was that European Courts could order the removal of user comments worldwide based on defamation laws and a finding that the comments in question were illegal.

In light of the Google and Facebook decisions, it is clear that under a simple request to de-reference, a search engine is only required to act within the borders of the European Union (although the national authorities could issue orders concerning all of the search engine domains).  In contrast, when a court has specifically found the publication of information is defamatory or otherwise illegal, the hosting provider must remove all of the information, even those outside the borders of the European Union.

While these decisions provide clarity in Europe, in the United States, the right of the public to access information on the internet and the boundaries of Internet service providers’ liabilities trumps any right to be forgotten, in the absence of illegal activity.  As states within the United States continue to enact stricter privacy laws, United States citizens may begin to see similar right to be forgotten laws enacted.   Until the enactment of such laws, however, a United States citizen’s ability to remove information from search engines is limited.  

[1] Angelo A. Stio III is a partner with Pepper Hamilton LLP and the vice chair of the firm’s Trial and Dispute Resolution Practice Group.  Laura Liguori is a partner with Portolano Cavallo and the chair of the firm’s Privacy & Cyber Security practice.

Compliments of Pepper Hamilton LLP and Portolano Cavallo, members of the EACCNY