In March 2016, Peter Fleischer, Google Inc.'s Global Privacy Counsel, announced
Fleischer said that this concession was the result of intense discussions between the Mountain View, Calif. company and European Union data protection authorities. Right to be forgotten issues have been particularly intense in France See previous story, 04/13/16, 15 PVLR 827, 4/18/16, 71 Privacy Law Watch, 4/13/16, 16 WDPR 04, 4/28/16, where the data protection authority, CNIL, issued a cease and desist order against Google in May 2015, and four months later rejected Google’s appeal of the order.
It has been reported
CNIL’s announcement on March 10, 2016 that it was ordering a 100,000 euro ($113,200) fine against Google indicates that the French authority has for the moment taken a different view.
The fine was ordered for violation of data subjects’ right to object to the processing of their personal data (Article 38 of the French data protection law
For CNIL, in order to be compliant with the Law, Google must delist links from all Google Search extensions globally, and unconditionally. The right to be delisted—which derives from the right to privacy, a universally recognized fundamental right laid down in international human rights law—should therefore be effective on all extensions, regardless of the geographic origin of the person performing the search. CNIL explains that the various geographic extensions (“.fr,” “.de,” “.com,” etc.) are simple means of access to a single data processing, and not multiple separate processing, as Google suggested. In the view of CNIL, the Law applies to personal data processing as a whole and Google may not modulate the protection of a fundamental right depending on the recipient of personal data. In this respect, CNIL recalls that Google Search was originally operated using the “.com” extension only, and that Google created local extensions later, to provide a service adapted to each country’s national language, which is further evidence that Google Search relies on a single processing.
Google has argued that this extraterritorial reach of the right to be forgotten is likely to raise conflict of laws issues and impair other States’ sovereignty. In particular, Google expressed concerns that a global delisting obligation would disproportionately undermine the freedom of expression and the freedom of information. But CNIL recalls that de-indexing a link does not entail the deletion of the underlying information, but only prevents its listing in the results showed based on searches for a person’s name. Therefore, the information remains available. Moreover, the decision to delist is only made if the conditions for application of the right to object (evidence of a legitimate interest) or to delete (information outdated, incomplete or inaccurate) are satisfied. Thus, the right to be forgotten is not absolute and must be balanced against the public’s right to information, in particular when the individual concerned plays a role in public life.
Therefore, for CNIL, the purpose of its decision to impose a fine is merely to ensure “effective and complete protection of data subjects,” as required by the ECJ.
And indeed, under the new approach the delisted result remains accessible outside the territory concerned by the delisting measure. For example, a result that is “completely” delisted in France is nevertheless still accessible from another EU country using a non-EU extension, or from any non-EU country using the local search engine. So a professional or personal contact located (or perhaps travelling) outside France could still find the delisted search result linking to content that may infringe the privacy of the data subject.
CNIL also notes that users in the country concerned by the delisting may also circumvent such measures, thanks to technical solutions allowing them to select the geographical origin of their Internet protocol (IP) address (e.g., using a virtual private network (VPN)). Likewise, users living near national borders usually have access to both in-country and other-country networks, which could allow them to avoid Google’s IP address filtering measure.
A Google spokesman has already confirmed that the company will appeal the CNIL’s decision;
If CNIL’s decision becomes final, Google will have to further adapt its approach to the right to be forgotten or face an additional fine up to 300,000 euros ($339,535). Although the financial implications may not seem very threatening to Google today, the French Assembly recently voted to increase the CNIL’s sanctioning power in anticipation of the General Data Protection Regulation (GDPR). The current draft of the French Law for a Digital Republic provides fines up to the higher of 20 million euros ($22.6 million) or, for legal entities, 4 percent of yearly worldwide revenues during the financial year preceding the year during which the violation occurred. Although not yet law, this provision could take effect before the GDPR’s anticipated application in the first half 2018. And even today, violations of the Law are punishable by criminal sanctions; a fine up to 1,500,000 euros ($1,696,950) can be ordered for processing individuals’ personal data despite their legitimate objection.
France is the country with the most “right to be forgotten” requests