Extraterritoriality, the internet and the right to be forgotten
Dan Shefet.
From a legal policy point of view, the hottest issue might be that of territorial reach of content and privacy regulations.
The two main questions are to what extent laws of one jurisdiction may apply in others, and to what extent such extraterritorial reach may be enforced? In other words, the sovereign state’s unrestricted legislative and adjudicatory authority may or may not be enforceable beyond its territorial boundaries under public international law, but how—and who decides?
I have personally worked extensively in the field of extraterritorial enforcement of laws and contributed to the recognition of such enforcement of the right to be forgotten under European law against the local French subsidiary of Google by obtaining an injunction, imposing daily penalties until Google (at the time) delisted content (judgment on Sept. 16, 2014).
This classic conflict of laws reaches an almost emotional level when it applies to content, given the significant cultural differences on either side of the Atlantic. It quickly turns into a debate on free speech and constitutional values; the First Amendment pitted against traditionally accepted speech restrictions in Europe.
In this context, a long-awaited judgment of the European Union Court of Justice in the case on global reach of the right to be forgotten, Google v. CNIL, came down on Sept. 24.
The right to be forgotten is now explicitly included in the General Data Protection Regulation Article 17. Before the GDPR entered into effect May 25, 2018, it was based in a May 13, 2014, judgment from the European Union Court of Justice. It provides for the right to have hurtful content delisted from search engines.
It was expected that the EUCJ would finally help solve the increasing conflicts between European content regulation and data protection laws on one side, and the U.S. First Amendment and sectoral approach to privacy on the other.
Media coverage immediately presented the judgment as a victory for Google, arguing that the judgment amounted to territorial limitations on content regulation and a curtailment of the extraterritorial scope of the GDPR. But a closer analysis of the case leads us to the opposite conclusion.
But first, a few words of background:
The EUCJ was asked at the request of the French Conseil d’État, the supreme court for administrative matters, to answer prejudicial questions as to the legality of the French Data Protection Agency’s Commission Nationale de l’Informatique fine of March 10, 2016 in the amount of 100,000 euros levied against Google for not dereferencing links to certain URLs worldwide, pursuant to a May 21, 2015 order, with which Google did not comply.
The EUCJ’s decision on this precise question was that the order—and the subsequent fine—did not meet the requirements under the right to be forgotten judgment of 2014, the directive of 1995/46 (the predecessor of the GDPR) and the GDPR itself.
The general principle of global reach (or extraterritorial application) was however developed in some detail by the court, even though the EUCJ actually did not have to do so, in order to reach the above decision, which related to the specific question of the legality of imposing extraterritorial fines in a concrete case.
Paragraph 72 of the judgment is particularly interesting in this regard (quoted in part):
“… it should be emphasised that, while … E.U. law does not currently require that the de-referencing granted concern all versions of the search engine in question [i.e., Google’s U.S. version, Google.com] it also does not prohibit such a practice. Accordingly, a supervisory or judicial authority of a member state remains competent to weigh up, in the light of national standards of protection of fundamental rights … a data subject’s right to privacy and the protection of personal data concerning him or her, on the one hand, and the right to freedom of information, on the other, and, after weighing those rights against each other, to order, where appropriate, the operator of that search engine to carry out a de-referencing concerning all versions of that search engine” [i.e. extraterritoriality].
This paragraph, among others, demonstrates that the EUCJ did not follow the advocate general’s Jan. 10, 2019, recommendation entirely, and that the court wished to promulgate that as a general principle extraterritoriality was not unlawful. The advocate general recommended limiting the reach of decisions passed by E.U. Data Protection Agencies (or courts) to E.U. versions of search engines when accessed from the E.U. (based on IP geo localization) and his recommendation included a much more narrow exception allowing extraterritoriality.
The EUCJ declined to follow with this recommendation on at least the following three important points:
(1) The EUCJ emphasizes that from a legal point of view, it is not prohibited under EU law.
(2) “The interest of the Union” is replaced by “protection of fundamental rights.”
(3) It is up to each and every data protection agency or members state court to decide whether protection of the fundamental rights of EU data subject requires extraterritorial application.
So, in addition to the fact that the judgment is very concrete (the fine imposed by the CNIL on March 10, 2016 is to be annulled) it only applies to article 17, the right to be forgotten. It doesn’t apply to data privacy in general or article 16, the right to rectification, which relates to incorrect information about an EU data subject, as opposed to the right to be forgotten, which is a right to have true information delisted because of the harmful effects it may have later in the data subject’s life. And the EUCJ explicitly allows global reach under the circumstances described in paragraph 72.
Finally, it is entirely up to the local data protection agency in each EU country to decide whether these circumstances apply.
It will therefore suffice now, where the EUCJ has explicitly allowed it, that a data protection agency in a global reach order simply refers to “the need to protect fundamental rights” and the order will have global reach.
Furthermore, the reference to the fundamental rights mainly concerns article 7 and 8 (privacy and protection of personal data) of the Charter of Fundamental Rights (a preamble to the EU treaties). These fundamental rights were the basis of the right to be forgotten judgment.
In other words, when it comes to article 17, “The Right To Be Forgotten,” it might be argued that dereferencing orders against a search engine passed by a local data protection agency by definition “relate to fundamental rights.”
The Sept. 24 judgment is far from a victory for search engines. Rather, it confirms that there is no prohibition against global reach; it explicitly allows such decisions to be made by the local data protection agency (sovereign decisions); and finally, it even allows all article 17 decisions to have global reach, since they are based on “fundamental rights.”
As far as non-E.U. data subjects are concerned—for instance, U.S.-E.U. dual residents—it is not hard to imagine that a data subject having business, family or other interests in the U.S. would be allowed to have hurtful links dereferenced on the basis of Article 17, by reference to “national standards of protection of fundamental rights,” in the event it may not be accepted that Article 17 per se reflects a fundamental right.
The above analysis has just been confirmed by another EUCJ judgment of Oct. 3, involving a request made by a member of the Austrian Parliament to take down defamatory and offensive content on Facebook. Pursuant to her request, she obtained an order against Facebook including an obligation to take down (1) “equivalent” content and (2) on a worldwide basis.
The court’s judgment is very clear: The e-commerce directive (This is the directive from 2000, which is the equivalent in the E.U. to CDA 230—the important difference is, however, that it does not exclude accountability) “ … does not preclude a court of a member state from:
— ordering a host provider to remove information …, the content of which is identical to the content of information, which was previously declared to be unlawful, …
— ordering a host provider to remove information covered by the injunction or to block access to that information worldwide within the framework of the relevant international law.”
Within one week—Sept. 24 to Oct. 3—the European Court of Justice thus came down with two decisions that will shape the scope of content regulation and privacy laws probably for many years to come. Both decisions allow extraterritoriality and both decisions allow enforcement against the local (E.U. based) subsidiary without distinctions between fines, daily penalties and civil damages.
For all lawyers advising on IT and privacy law, and especially those who have media clients, it is essential to understand the practical applications of extraterritorial enforcement.
The real challenge to media companies targeting the EU is not the GDPR, but member state content legislation. The German Hate Speech law (NetzDG) and very soon the French similar law both impose fines up to 50m € (Germany) and 4% of global turnover (France).
See also:
ABAJournal.com: “European Union high court sends new signals on reach of internet regulation”
ABA Journal: “Companies and their lawyers brace for wide-ranging EU data-privacy law”
ABAJournal.com: “A right to be forgotten? Top EU court rules for lawyer who wants Google to delete some links”
ABAJournal.com: “Google will fight French bid to extend ‘right to be forgotten’ worldwide”
ABAJournal.com: “Top European Union court rules Facebook can be ordered to remove defamatory content worldwide”
ABA Journal: “Erasing the News: Should some stories be forgotten?”
Dan Shefet is a French lawyer born in Denmark and is the author of an individual specialist report to UNESCO on online radicalization. He is also an expert with the Council of Europe on the Internet Ombudsman and is president of the Association for Accountability and Internet Democracy. Shefet has a philosophy degree and a law degree from the University of Copenhagen in addition to law studies in France. He specializes in European law and human rights. Shefet is a frequent speaker at international conferences on IT law, data privacy and content regulation. In 2014, he founded the AAID.
ABAJournal.com is accepting queries for original, thoughtful, nonpromotional articles and commentary by unpaid contributors to run in the Your Voice section. Details and submission guidelines are posted at “Your Submissions, Your Voice.”
Your Voice submissions
The ABA Journal wants to host and facilitate conversations among lawyers about their profession. We are now accepting thoughtful, non-promotional articles and commentary by unpaid contributors.