Top court says “right to be forgotten” doesn’t always apply outside EU – and orders search engines to manipulate results

One of the more controversial elements of EU data protection law is the so-called “right to be forgotten” (RTBF), which dates back to 2014. This allows EU citizens to request internet search engines such as Google to remove search results directly related to them. Despite its misleading name, they are not “forgotten”: the material that relates to them remains on the Internet. It is just that the direct route to finding it using a search engine is removed – it is a right to “de-referencing”. Indirect searches will still locate the material. The law within the EU was well established. But the question then arose: what about Google’s sites outside the EU? If they could be used to find material that had been de-referenced on Google’s sites in the EU, then RTBF was greatly reduced. This was such an important question that it ended up before the top EU court, the Court of Justice of the European Union (CJEU), which has now handed down its judgment. It concludes:

currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.

However, EU law requires a search engine operator to carry out such a de-referencing on the versions of its search engine corresponding to all the Member States

The reasoning behind the court’s decision is noteworthy:

the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. In addition, the balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world.

That’s an important point. Since the laws regulating both privacy and freedom of speech differ considerably around the world, any attempt by the EU to impose its own particular views on other countries would cause problems. After all, if the EU claimed a right to extend its laws to other jurisdictions, the latter would be perfectly justified in doing the same, demanding that their laws should also apply in the EU. That would lead to an impossible set of incompatible rules on search engines and other online services. It would probably be the end of the Internet as we know it.

However, the new CJEU judgment is not without its problems. The judges went on to say that while global de-referencing is not obligatory, the data protection authorities in EU member states are nonetheless permitted under EU law to demand that Google and other search engines remove references to a person in all countries. No details are given of when that might be appropriate, but the possibility that EU countries will try to demand global application of the RTBF, even in isolated cases, remains a concern for the future.

Despite that uncertainty, this is a welcome judgment, because it explicitly recognises that the Internet is global, and subject to hundreds of different jurisdictions. It is not realistic to expect everyone to adopt the EU’s ideas on RTBF – although many countries are likely to be influenced by its thinking here, since it is clearly in the vanguard on this privacy issue. But the importance of that judgment should not completely overshadow a second ruling that came out from the CJEU at the same time on the topic of de-referencing. It’s about how search engines should handle categories of sensitive personal data – things like “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of data concerning health or sex life”. The ruling is mostly routine, but has a sting in its tail:

even if the operator of a search engine were to find that the data subject does not have a right to the de-referencing of such links because the inclusion of the link in question is strictly necessary for reconciling the data subject’s rights to privacy and protection of personal data with the freedom of information of potentially interested internet users, the operator is in any event required, at the latest on the occasion of the request for de-referencing, to adjust the list of results in such a way that the overall picture it gives the internet user reflects the current legal position, which means in particular that links to webpages containing information on that point must appear in first place on the list.

That is, even when the public’s right to freedom of information outweighs the privacy rights of an individual, and no de-referencing is necessary, there is now a further requirement. Internet companies must re-order the hits of a search to reflect “the current legal position” regarding that person. This seems to have come from nowhere, and is a complete surprise. Asking search engines to manipulate search results according to very unclear guidelines is a recipe for disaster, and not likely to strengthen privacy, even if that is the intention. In particular, it will set a terrible precedent for requiring search results to be changed manually according to vague rules involving complex legal issues. At the very least, it will lead to SEO companies trying to game the system in new ways. Expect more cases before the CJEU trying to work out what exactly this unfortunate new requirement means.

Featured image by Cédric Puisney.