French Data Protection Authority Orders Fine of 100,000 Euros Against Google Inc. for Violation of Right to Be Forgotten

In March 2016, Peter Fleischer, Google Inc.'s Global Privacy Counsel, announced ¹Peter Fleischer, Adapting Our Approach to the European Right to be Forgotten, Google Europe Blog (March 4, 2016). Google was adapting its approach to implementing data subjects’ right to be forgotten, which is achieved by delisting from search results links to contested content. The measures announced include the use of geolocation signals (like IP addresses) to restrict access to delisted URLs on all Google search engine domains, including google.com, but only when the search is made from the country of the person requesting the delisting. This new approach will be applied prospectively, but also “retrospectively” to all previous delistings by Google.

Fleischer said that this concession was the result of intense discussions between the Mountain View, Calif. company and European Union data protection authorities. Right to be forgotten issues have been particularly intense in France See previous story, 04/13/16, 15 PVLR 827, 4/18/16, 71 Privacy Law Watch, 4/13/16, 16 WDPR 04, 4/28/16, where the data protection authority, CNIL, issued a cease and desist order against Google in May 2015, and four months later rejected Google’s appeal of the order.

It has been reported ²Rick Mitchell,Google Right to Forget Amendment Plan Faces Skepticism, Bloomberg BNA, Feb. 29, 2016 39 Antitrust & Trade Regulation Daily, 2/29/16, 15 PVLR 412, 2/29/16, 39 Privacy Law Watch, 2/29/16, See previous story, 02/29/16, 110 ATRR 279, 3/4/16. that Google’s new approach is seen by several EU data protection authorities as a potentially acceptable solution. In particular, the U.K.'s Information Commissioner’s Office (ICO) considers that “this revised approach would appear to address the concerns previously set out by the ICO on the scope of the requirement to delist.” Even the data protection authority in Spain, the AEPD, where the case leading to the European Court of Justice’s (ECJ’s) 2014 affirmation of the right to be forgotten originated, considers that Google’s approach “is exactly what the agency is asking search engines to do in its final decisions. That is, to block the contested results in all EU domains and, in addition, to block them also in any other domain whenever a search is performed from Spain.”

CNIL’s announcement on March 10, 2016 that it was ordering a 100,000 euro ($113,200) fine against Google indicates that the French authority has for the moment taken a different view.

The fine was ordered for violation of data subjects’ right to object to the processing of their personal data (Article 38 of the French data protection law ³Law No. 78 17 of January 6, 1978 on “Information Technology, Data Files and Civil Liberty” (the Law)) and their right to delete their personal data (Article 40 of the Law), as interpreted in light of the landmark decision of the ECJ in Costeja v. Google
⁴Case C-131/12, Google Spain and Google Inc. v. Agencia Espanola de Protección de Datos (AEPD) and Mario Costeja Gonzalez, May 13, 2014.

For CNIL, in order to be compliant with the Law, Google must delist links from all Google Search extensions globally, and unconditionally. The right to be delisted—which derives from the right to privacy, a universally recognized fundamental right laid down in international human rights law—should therefore be effective on all extensions, regardless of the geographic origin of the person performing the search. CNIL explains that the various geographic extensions (“.fr,” “.de,” “.com,” etc.) are simple means of access to a single data processing, and not multiple separate processing, as Google suggested. In the view of CNIL, the Law applies to personal data processing as a whole and Google may not modulate the protection of a fundamental right depending on the recipient of personal data. In this respect, CNIL recalls that Google Search was originally operated using the “.com” extension only, and that Google created local extensions later, to provide a service adapted to each country’s national language, which is further evidence that Google Search relies on a single processing.

Google has argued that this extraterritorial reach of the right to be forgotten is likely to raise conflict of laws issues and impair other States’ sovereignty. In particular, Google expressed concerns that a global delisting obligation would disproportionately undermine the freedom of expression and the freedom of information. But CNIL recalls that de-indexing a link does not entail the deletion of the underlying information, but only prevents its listing in the results showed based on searches for a person’s name. Therefore, the information remains available. Moreover, the decision to delist is only made if the conditions for application of the right to object (evidence of a legitimate interest) or to delete (information outdated, incomplete or inaccurate) are satisfied. Thus, the right to be forgotten is not absolute and must be balanced against the public’s right to information, in particular when the individual concerned plays a role in public life.

Therefore, for CNIL, the purpose of its decision to impose a fine is merely to ensure “effective and complete protection of data subjects,” as required by the ECJ. ⁵Paragraphs 34, 38, 53, 58 and 84 The right to be forgotten is the right of an individual and CNIL considers that when the right applies, it must be effective without any restriction on the entire processing operation, even though it could conflict with other laws.

And indeed, under the new approach the delisted result remains accessible outside the territory concerned by the delisting measure. For example, a result that is “completely” delisted in France is nevertheless still accessible from another EU country using a non-EU extension, or from any non-EU country using the local search engine. So a professional or personal contact located (or perhaps travelling) outside France could still find the delisted search result linking to content that may infringe the privacy of the data subject.

CNIL also notes that users in the country concerned by the delisting may also circumvent such measures, thanks to technical solutions allowing them to select the geographical origin of their Internet protocol (IP) address (e.g., using a virtual private network (VPN)). Likewise, users living near national borders usually have access to both in-country and other-country networks, which could allow them to avoid Google’s IP address filtering measure.

A Google spokesman has already confirmed that the company will appeal the CNIL’s decision; Julia Fioretti, France Fines Google Over ‘Right to Be Forgotten’, Reuters, March 24, 2016. the appeal is to the French Supreme administrative court (Conseil d’Etat) and must be made within 2 months from the notification of the CNIL’s decision.

If CNIL’s decision becomes final, Google will have to further adapt its approach to the right to be forgotten or face an additional fine up to 300,000 euros ($339,535). Although the financial implications may not seem very threatening to Google today, the French Assembly recently voted to increase the CNIL’s sanctioning power in anticipation of the General Data Protection Regulation (GDPR). The current draft of the French Law for a Digital Republic provides fines up to the higher of 20 million euros ($22.6 million) or, for legal entities, 4 percent of yearly worldwide revenues during the financial year preceding the year during which the violation occurred. Although not yet law, this provision could take effect before the GDPR’s anticipated application in the first half 2018. And even today, violations of the Law are punishable by criminal sanctions; a fine up to 1,500,000 euros ($1,696,950) can be ordered for processing individuals’ personal data despite their legitimate objection.

France is the country with the most “right to be forgotten” requests ⁷As of April 3, 2016, Google reported 87,930 requests in France, concerning 287,832 URLs. and the CNIL’s decision means search engines are clearly exposed to financial sanctions. But as a Google spokesperson has put it, this is a “matter of principle,” ⁸See Fioretti. and observers have not forgotten that in 2010 Google shut down its search engine in China to protest against censorship. To be continued.