While the U.S. government remains unable to enact comprehensive privacy legislation in response to new technologies and growing privacy concerns, numerous states across the country, including New York, have adopted privacy laws and regulations seeking to address specific issues or that are applicable to specified entities. Some of these new rules affect a broad swath of businesses. Notably, the California Consumer Privacy Act (CCPA), which will take effect on January 1, governs companies that possess personal data of California residents, regardless of where the businesses are located or how the goods or services are provided.

Perhaps no privacy law, however, has yet had the impact of the General Data Protection Regulation (GDPR), which was enacted by the European Union (EU) and which took effect almost one-and-one-half years ago, on May 25, 2018. The GDPR addresses everything from the processing of individuals' personal data to when and how informed consent must be obtained from the data subject to the security processes and practices that businesses must undertake to protect that data. The GDPR's requirements have affected websites and businesses based in Europe, as well as vast numbers of entities headquartered in the United States whose business practices, nevertheless, are considered by the European Data Protection Board to place them within the scope of the GDPR. (For further background, see, e.g., Shari Claire Lewis, "New Guidance Helps Determine GDPR's Application to New York Businesses," NYLJ (Dec. 18, 2018).)

One of the GDPR's most significant aspects is its establishment of an individual's fundamental "right to be forgotten," which allows individuals to demand that links to certain information about them be removed from the Internet via a process known as "de-referencing." The right to be forgotten is intended to give individuals the ability to limit the information that others can find and read about them online. Although the GDPR has led in the establishment of such a right, the right to be forgotten is increasingly being recognized by U.S. state privacy laws. Unfortunately, an individual's right to be forgotten often presents technical, business, and legal challenges to companies.

The EU's highest court, the Court of Justice of the European Union (CJEU), in Google v. Commission nationale de l'informatique et des libertés, C-507/17 (CJEU Sept. 24, 2019), recently issued a decision limiting this "de-referencing" obligation and declaring that the right to be forgotten is not "absolute." After briefly discussing the right to be forgotten and the de-referencing obligation, this column will review the CJEU's ruling and explore its implications.

Background

The coherent goal of the GDPR is to assure that control of personal data is primarily with the individual subject of that data, rather than the commercial entity that collects or processes it.

Accordingly, the GDPR provides that "[t]he protection of natural persons in relation to the processing of personal data" is a "fundamental right" and that "everyone has the right to the protection of personal data concerning him or her."

The GDPR also recognizes that the right to the protection of personal data "is not an absolute right" but that it must be considered "in relation to its function in society" and must be "balanced against other fundamental rights." Toward that end, the GDPR specifically provides that a "data subject" (that is, a natural person who is identified or identifiable based on certain personal information or data about that person that is available online) has a "right to be forgotten" where the retention of such data infringes the laws of the GDPR, the EU, or the EU country to which the controller of the personal data is subject.

Article 17 of the GDPR describes in detail the right to be forgotten. In general, Article 17 provides that:

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based …;

(c) the data subject objects to the processing …;

(d) the personal data have been unlawfully processed; [or]

(e) the personal data have to be erased for compliance with an obligation under the law in the EU or the EU country to which the controller is subject.

Notably, the GDPR also provides that the retention of personal data "should be lawful where it is necessary, for exercising the right of freedom of expression and information."

The Google Dispute

The case involving Google arose in May 2015, when the Commission nationale de l'informatique et des libertés (CNIL), France's data protection authority, served formal notice on Google that, when granting a request from a natural person for links to web pages to be removed from the list of results displayed following a search conducted on the basis of that person's name, Google had to apply that removal to all of its search engine's domain name extensions—including those outside the person's home country.

Google refused to comply, indicating that it would remove links only from results displayed following searches conducted from the domain names corresponding to the versions of its search engine in the person's home country and elsewhere in the EU.

In March 2016, the CNIL determined that Google had failed to comply with its formal notice within the prescribed period, and it imposed a penalty on Google of 100,000 euros.

Google appealed, and the dispute reached the CJEU. There, the CJEU had to decide, among other things, whether the "right to de-referencing" meant that a search engine operator was required, when granting a request for de-referencing, to deploy the de-referencing to all of the domain names used by its search engine so that the links at issue no longer appeared, irrespective of the place from where the search initiated on the basis of the requester's name was conducted and even if it was conducted from a place outside the GDPR's territory.

The CJEU's Decision

The CJEU ruled that a search engine operator could not be required to carry out a de-referencing on all the versions of its search engine worldwide, but only could be required to do so for those versions of its search engine available in EU countries. In doing so, the CJEU added, the operator should use, where necessary, measures that, while meeting the legal requirements, effectively prevent or, at the very least, seriously discourage an Internet user conducting a search from one of those countries on the basis of a data subject's name from gaining access, via the list of results displayed following that search, to links that are the subject of that request.

In other words, the CJEU ruled that the GDPR's right to be forgotten could be effectuated by de-referencing citations on domains that were typically associated with the EU (<.fr>, <.it>, etc.) only and that search engine operators could do so by taking "sufficiently effective measures" to protect the data subject's rights that prevent or "seriously discourage" Internet users in the EU countries from accessing the links based on a search on the data subject's name.

If the CJEU had ended its decision at this point, its ruling would have been quite clear. However, the CJEU threw a bit of confusion into the mix when it added that although EU law does not currently require that de-referencing concern all versions of an operator's search engine, it also "does not prohibit such a practice." Because the GDPR includes compliance with national standards of each EU nation, the CJEU declared, a supervisory or judicial authority of an EU country could decide, in light of those national standards, that an individual's right to privacy and the protection of his or her personal data outweighed the right to freedom of information and required de-referencing on all versions of the operator's search engine.

Impact of the CJEU Decision

The CJEU decision amounted to a big win for Google, and for other search engine operators, as it limits an operator's de-referencing obligation and appears to balance the right to be forgotten with freedom of expression as well as the public's right to know and right to obtain and retain information.

Yet the CJEU ruling cannot be understood in a vacuum. A few days after that decision, the CJEU ruled that Facebook can be required to remove content worldwide where a court in an EU country decides that the content is defamatory. The decision, Glawischnig-Piesczek v. Facebook Ireland Limited, Case C‑18/18 (CJEU Oct. 3, 2019), appears to increase the strain on Internet companies that only days earlier had been lessened by the Google ruling.

The case involved Eva Glawischnig-Piesczek, chair of Austria's Green Party, who asked Facebook to remove a comment to an article posted on a Facebook user's page that she asserted was defamatory.

Facebook did not withdraw the comment and Glawischnig-Piesczek sued the company in an Austrian court. The court ordered Facebook to remove the content, and the dispute reached the CJEU.

In its decision, the CJEU ruled that the court could require that Facebook remove "illegal" content. It ruled that, in those circumstances, it was "legitimate for the court having jurisdiction to be able to require" that Facebook "block access to the information."

Although Facebook could not be held liable for the allegedly defamatory content, the CJEU decided that it had to follow the Austrian court's decision to remove the content worldwide. Importantly, the narrow ruling in the Facebook case left many issues unresolved, given that it declared that courts had to weigh the benefits and drawbacks of ordering the global removal of defamatory content but did not specifically explore or discuss how they should do so.

It can be inferred that the different outcome in the cases resulted from the distinct nature of the data that the subject sought to be "forgotten." The Google case concerned the general, albeit fundamental, right to be forgotten, regardless of the nature of data, without regard to its accuracy, inflammatory nature, or legality. However, in the Facebook case, the comment at issue had previously been determined to be illegal and defamatory. Accordingly, its removal was not limited to the subject's "right to be forgotten," but also served the goals of the GDPR, which, as stated in Article 5(1)(a)-(f), include the data subject's right to have inaccurate data rectified or erased "without unreasonable delay."

It would be a mistake to consider the decisions by the CJEU in these cases to be limited to Google or search engine operators. To the contrary, the decisions and how they are applied in the future could be of significance for any business whose data practices bring it within the scope of the GDPR.

Shari Claire Lewis, a partner in the Long Island office of Rivkin Radler, can be reached at [email protected].