France Orders Google to Implement Right to Forget Link Removals Worldwide

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Rick Mitchell

June 12 --Google Inc. has 15 days to remove search listings for legitimate right to be forgotten requests for all of its search engine versions--not just those used in the European Union with EU member state domain name suffixes but ones operating elsewhere such as in the U.S.--or possibly face sanctions, the French data protection authority (CNIL) said June 12.

The Paris-based authority's formal notice, dated May 21 but made public June 12, brings to a head arguments by EU data protection authorities that the European Court of Justice's May 2014 right to forget decision applies worldwide, not just in Europe.

The ECJ held that EU data subjects have the right to compel Google and other Internet search engines to remove results linking to websites containing personal information about them if their fundamental right to individual privacy outweighs the public's right to know . The court deemed Google a data controller and thus subject to EU data protection laws.

Going a big step further, the French DPA said that “in accordance with the ECJ judgment, the CNIL considers that in order to be effective, delisting must be carried out on all extensions of the search engine and that the service provided by Google search constitutes a single processing.”

In a statement provided to Bloomberg BNA June 12, Google said it believes it is complying with the ECJ ruling. “We have tried to find a good balance in applying the ECJ's ruling by working closely with data protection authorities,” the company said. “The ruling targeted services aimed at European users, which is the approach that we have taken to comply with it.”

Contacted by Bloomberg BNA June 12, several attorneys declined to comment about CNIL's announcement, citing its controversial nature.

Opinions Clash.

In February, an advisory council convened by Google argued that the right to be forgotten should apply only to EU domains .

That opinion clashed with that of the Article 29 Working Party of representatives of the 28 EU data protection authorities, which in November 2014 issued guidance stating that delisting of links should apply globally, including to .com domains .

CNIL President Isabelle Falque-Pierrotin also chairs the Article 29 Working Party.

CNIL noted that, in response to the ECJ ruling, Google has set up a process to consider requests for delistings, or removals, of disputed links.

In its latest annual report, the authority said Google responded favorably to about half of the some 170,000 delisting requests--regarding some 800,000 separate urls--that it received across Europe in 2014, of which 40,000 requests came from France .

When the search engine refuses a delisting request, the individual can file a complaint with a member state's DPA or competent judicial authority. CNIL said it has received hundreds of such complaints.

For several complaints, CNIL said it expressly “requested” that Google delist links, for its entire search engine, “irrespective of the extension used (.fr; .uk; .com ).” However, it said, “although the company has granted some of the requests, delisting was only carried out on European extensions of the search engine and not when searches are made from or other non-European extensions.”

'Applies to Other Internet Companies.'

“In this context, the president of the CNIL has put Google on notice to proceed, within a period of fifteen (15) days, to the requested delisting on the whole data processing and thus on all extensions of the search engine,” the DPA said.

CNIL said it made its notice to Google public to “draw the attention of search engine providers and Internet content publishers to the scope of the right to object and to obtain the erasure of personal data.”

It said the injunction isn't a sanction, but if Google fails to comply with it the company could be deemed in violation of France's 1978 Law on Information Technology and Liberties (78-17 of 1978, updated in 2014).

The law allows CNIL to levy a maximum 150,000 euros ($169,000) fine, which rises to 300,000 euros ($338,100) in criminal cases.

Google has faced CNIL's displeasure before. CNIL's enforcement committee ruled Jan. 8, 2014, that Google's unified privacy policy for multiple Google services violated the 1978 law, and it fined Google 150,000 euros ($169,000), the authority's highest-ever fine .

Request Bloomberg Law: Privacy & Data Security