Canada: The (Extra) Territorial Scope Of The GDPR: The Right To Be Forgotten
Privacy and Cybersecurity Bulletin

A recent decision of the Court of Justice of the European Union (the "CJUE") has provided several key lessons regarding de-referencing and Internet search engines. ¹

This matter arose out of a March 10, 2016 decision of the French Data Protection Authority (Commission nationale de l'informatique et des libertés - the "CNIL") which imposed a penalty of €100 000 on Google Inc. because of the company's refusal to apply the de-referencing to all of its search engine's domain name extensions.

Google Inc. requested the Conseil d'État (the highest administrative court in France, the Council of State) to annul the CNIL decision, on the basis that the right to de-referencing does not necessarily require links to be removed on a global basis, from all its search engine's domain names worldwide.

In this context, the Conseil d'État referred questions to the CJUE, in particular regarding the extra territorial scope of the right to be forgotten.

Lesson 1: The de-referencing right is based on the right to be forgotten (Article 17 of the GDPR)

The de-referencing right was first articulated in [DF1] 2014.² It is the right to ask the operator of a search engine to delete all the results of a search made using a person's name. Only the individual concerned may exercise this right and not a third party. This right does not require the deletion of the online content that is the subject of the search, rather the right only applies to the search engine and the results of a search.

It is important to note that although the GDPR refers to the right to the right to erasure (subtitled the "right to be forgotten") it does not refer to a right of de-referencing.  However, the Court nonetheless determined that:

Therefore,

This de-referencing right enables data subjects to assert their right to de-referencing against the operator of a search engine who has one or more establishments in the territory of the European Union, regardless of whether or not that processing of the individual's personal data takes place in the Union.³

In other words, the operator of a search engine must remove from the list of results displayed, following a search made on the basis of a person's name, links to web pages that are published by third parties and which contain information relating to that person ⁴.

Lesson 2: The "inextricably linked" test is still applicable

A second lesson from the Court's decision is the clarification of the "inextricably linked" test. As a reminder, the "inextricably linked" test is used to determine whether the GDPR applies to the processing of personal data.  As set out at article 3(1):

The Article 29 Working Party has clarified that, when applying this article to an organization that has operations outside of the European Union, it does not matter whether the level of activity of the establishment in the territory of a Member State is significant. It is sufficient that the level of activity be "minimal"⁵ even if the institution in question does not itself take part in the processing of personal data⁶ . It is therefore necessary to proceed on a case-by-case basis.

The Court noted that Google Inc.'s establishment in France carries on activities, including commercial and advertising activities, which are inextricably linked to the processing of personal data carried out for the purposes of operating the search engine concerned. Moreover, that search engine must, in view of the existence of gateways between its various national versions, be regarded as carrying out a single act of data processing in the context of activities of Google Inc.'s French Establishment⁷.

Such a situation therefore falls within the scope of the EU legislation on the protection of personal data.

Lesson 3: The right to the protection of personal information is not an absolute right

The Court stated that the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality:

The balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary around the world. Moreover, the Court stated that numerous third States do not recognize the right to de-referencing or have a different approach.

Lesson 4: The territorial scope of the right to be forgotten stops at the European Union borders

The Court concluded that the right to be forgotten stops at the EU borders. There is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.

The de-referencing right stops at the EU borders because (i) the purpose of the GDPR is the enforce the individuals' rights within the European Union and (ii) the GDPR does not provide with instruments and mechanisms of cooperation between data protection authorities as regards to the scope of the de-referencing right outside the European Union.

The CJEU requires safeguards from the operator of a search engine: sufficiently effective measures should be taken to ensure the effective protection of the data subject's fundamental rights. Thus, a de-referencing must be accompanied by measures which effectively prevent or seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subject's name from gaining access to the links which are the subject of the request for de-referencing through a version of that search engine outside the EU. It will be for the national court to ascertain whether the measures put in place by Google Inc. meet those requirements.

Lastly, the Court leaves a door open. It points out that, while EU law does not currently require a de-referencing to be carried out on all versions of the search engine, it also does not prohibit such a practice.

To conclude, if a Canadian company, having establishments in the European Union or targeting the European Union markets, is required to carry out a de-referencing, it would only need to be carried out on the European extensions of its websites. Canadian companies would be well advised to segment their European activities to avoid, as much as possible, the application of the GDPR .

Footnotes

1 CJUE, 24 September 2019, C-507/17, Google LLC v. Commission nationale de l'informatique et des libertés (CNIL). Press release available at the following address : https://curia.europa.eu/jcms/upload/docs/application/pdf/2019-09/cp190112en.pdf

2 CJEU, 13 May 2014, C-131/12, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González.

3 CJUE, 24 September 2019, C-507/17, Google LLC v. Commission nationale de l'informatique et des libertés (CNIL), rec. 48.

4 CJEU, 13 May 2014, C-131/12, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González.

5 CJEU, 1 October 2015, Case C-230/14, Weltimmo v Nemzeti Adatvédelmi és Információszabadság Hatóság, pts. 31 and 41.

6 Article 29 Working Party, 16 Dec. 2015, WP 179 update, p. 4.

7 CJUE, 24 September 2019, C-507/17, Google LLC v. Commission nationale de l'informatique et des libertés (CNIL), rec. 50.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.