The EU’s top court cemented its place as the world’s leading privacy tribunal by allowing Alphabet Inc.'s Google to limit what search links it must remove in a landmark “right to be forgotten” case, privacy attorneys and academics said.
The Court of Justice for the European Union, known as the CJEU, determined that Google didn’t have to delete inaccurate search links globally after a French regulator ruled it must take them down. The decision, which can’t be appealed, came five years after the CJEU ordered Google to remove search links just in the EU containing out-of-date misinformation or content that could unfairly harm a person’s reputation.
The decision continues the trend of “rulings from Europe’s top court over the past 5 years which have global implications,” Rafi Azim-Khan, data protection partner at Pillsbury Winthrop Shaw Pittman LLP in London, said.
Since 2014, the court has curtailed an international data transfer system, limited how law enforcement can retain EU citizens’ data, and clarified how airlines must store passenger name record data.
The CJEU has emerged as the top data protection court in part because the U.S. has been unwilling to promote data protection standards in international trade agreements, and lawmakers have been unable to pass a U.S. federal privacy law, privacy practitioners say.
“Without a baseline data protection law, the U.S. doesn’t have a front seat at global debates about data protection issues,” Jules Polonetsky, CEO of the privacy advocacy group the Future of Privacy Forum, said. “Even on a core American issue such as freedom of expression, without a law to reference, the U.S. has no voice on the international balance between privacy and freedom expression.”
Impact on Multinationals
The CEJU has set the tone for how tech companies around the world operate in a global digital market place. U.S.-based multinationals will continue to closely follow the court’s decisions to see if they have to abide by EU privacy rules in the U.S. and other countries, privacy attorneys said.
For example, the CJEU invalidated the U.S.-EU Safe Harbor data transfer framework used by over 4,000 U.S. companies in October 2015. At the time, businesses were left scrambling with how to transfer valuable EU citizens’ data from the bloc to the U.S. A new deal was struck months later, in February 2016, so as not to interrupt access to the lucrative European digital single market.
Multinationals that operate in the EU are likely to comply with CJEU decisions if they want to stay in the global digital market, privacy attorneys said. Businesses will follow privacy rules from the strictest regime to make sure they are compliant around the globe, they said.
“The strictest regulatory regime has a tendency to set” rules and regulations, in what is called the Brussels effect, Peter Swire, senior counsel at Alston & Bird and professor of privacy and cybersecurity law at Georgia Institute of Technology’s Scheller College of Business.
The CJEU, through its strict rulings in international cases, has become “the Supreme Court globally for privacy,” Swire said.
Future Cases
The court will further flex its influence in upcoming decisions.
The CJEU is set to rule by early next year in Data Protection Commissioner v. Facebook Ireland Ltd., Maximilian Schrems, known as Schrems II, on whether standard contractual clauses provide enough protection to EU citizens’ data when it is transferred to U.S. companies. In that case, the court is also open to consider whether the EU-U.S. Privacy Shield, which replaced the invalidated Safe Harbor agreement, provides ample redress mechanisms for EU data subjects.
Schrems II is likely to impact the international privacy and data protection landscape more than the CJEU’s opinion in the Google right to be forgotten case, Alex van der Wolk, co-chair of Morrison & Foerster’s global privacy & data security practice in Brussels, said. The court has shown itself to be flexible in its decisions, so it could rule on whether U.S. data transfers are valid altogether, he said.
If the court thinks the Privacy Shield or other data transfer mechanisms have data protection issues, “This is their opportunity,” van der Wolk said.
To contact the reporter on this story:
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
See Breaking News in Context
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.
Already a subscriber?
Log in to keep reading or access research tools and resources.