Yesterday Google announced in a blog post that the company will legally challenge a decision and fine imposed by the French Data Protection Authority (CNIL). Information about the procedure is available on the CNIL website. There is also an unofficial translation of the relevant decision (PDF) available on the website.
In particular, the CNIL considers that it is not sufficient under the current European data protection law and in light of the judgment of the European Court of Justice (ECJ) in its Google decision (C-131/12), if after a complaint from a data subject, links to search result are solely suppressed on websites with European extensions (.de, .es or .fr) and also for searches originating from the Member State of the complainant on all sites of the search engine (so also on Google.com). This approach was recently chosen by Google. The French Authority in fact requires that links from search results must be suppressed on all sites of the search engine and also irrespective of the Member State where the complainant is located and from where the search is made.
As a result, the question arises whether European data protection law and in particular its enforcement by Data Protection Authorities (DPAs) take global validity and know no territorial borders. So whether, on the grounds of a decision of the French authorities, a user of the search engine located in the other Member States (for example in Germany or Spain) and, secondly, in countries outside the EEA such as the US (Google.com) or Japan (Google.co.jp), may only see the changed search result list.
Please find some food for thought below, which is certainly not exhaustive, but may foster the discussion.
In principle, one can determine that the ECJ in its Google decision made no concrete statement on the territorial scope of the so-called „Right to be forgotten“. But what the ECJ always emphasizes (not only in this ruling), is the importance of possible enforcement and full effect the guarantees and established safeguards of the Data Protection Directive (DPD) for data subjects.
In its Google judgment, the ECJ held that
the operator of the search engine as the controller in respect of that processing must ensure, within the framework of its responsibilities, powers and capabilities, that that processing meets the requirements of Directive 95/46, in order that the guarantees laid down by the directive may have full effect. (Margin No 83)
Of course, a major role in achieving the objective of enforcement of European law and its full effect is played by the DPAs. That’s also emphasized by the ECJ in its judgment:
In this connection, it is to be noted that it is clear from Article 28(3) and (4) of Directive 95/46 that each supervisory authority is to hear claims lodged by any person concerning the protection of his rights and freedoms in regard to the processing of personal data and that it has investigative powers and effective powers of intervention enabling it to order in particular the blocking, erasure or destruction of data or to impose a temporary or definitive ban on such processing. (Margin No 78)
From this, one can already conclude that the question of whether European data protection law should “govern the world” or at least countries outside of the EEA, must always be seen in connection with its enforcement by supervisory authorities. Because the applicability of European data protection law alone has nothing to do with the realization of the guarantees provided by the DPD and, in the words of the ECJ, its full effect, or also the guarantees provided by the Charter of Fundamental Rights of the European Union for the individuals concerned.
I want to support this view with a reference to the well-known judgment of the ECJ repealing the data retention directive (C-293/12 and C-594/12). There, the Court criticized that the directive
does not require the data in question to be retained within the European Union, with the result that it cannot be held that the control, explicitly required by Article 8(3) of the Charter, by an independent authority of compliance with the requirements of protection and security, as referred to in the two previous paragraphs, is fully ensured. Such a control, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data. (Margin No 68)
So the ECJ assumes that when the possibility for a DPA to control compliance with the rules of the DPD and, in the worst case, also enforce these rules exists, only then can the requirements of the Charter of Fundamental Rights and also the corresponding guarantees for the protection of personal data in the DPD be fully fulfilled and ensured. But this possibility of control and especially enforcement by a public authority is only possible within the Union.
Assuming therefore that in addition to pure applicability of European data protection law also the possibility of monitoring its compliance and in particular its enforcement must always be considered as an inherent guarantee, this inevitably raises the question of how far the powers of European DPAs, particularly from a territorial perspective, reach.
To this end, I would like to refer to a further decision of the ECJ, the Weltimmo decision (C-230/14). In that judgment, the Court addressed the question of how far the competences of the European DPAs reach.
It follows from Article 28(1) DPD that each supervisory authority established by a Member State is to ensure compliance, within the territory of that Member State, with the provisions adopted by the Member States pursuant to the DPD (Margin No 47; emphasizes added). Furthermore, according to the ECJ, it is apparent from Article 28(1) and (3) DPD that each supervisory authority is to exercise all of the powers conferred on it on the territory of its own Member State in order to ensure, on that territory, compliance with data protection rules (Margin No 51, emphasizes added). Additionally, the ECJ held that it follows from the requirements derived from the territorial sovereignty of the Member State concerned, the principle of legality and the concept of the rule of law that the exercise of the power to impose penalties cannot take place, as a matter of principle, outside the legal limits within which an administrative authority is authorised to act subject to the law of its own Member State (Margin No 56, emphasizes added).
Weltimmo concerned an intra-European issue and the question of the extent to which the DPA of one Member State may exercise its powers on the territory of another Member State. This is rejected by the court with the above reasoning. The sanctioning power of a DPA may not be exercised outside the legal limits of its own Member State.
Transferred to the dispute between Google and the French DPA now the question arises whether it would be consistent with the aforementioned ECJ case law, to concede the power to a European supervisory authority to regulate, on the one hand, data processing operations initiated by and targeted to persons in other European Member States (the respective user of the search engine, who searches for a name of an affected person) or, on the other hand, also such processing operations initiated by persons on the territory of countries outside the European Union, and, in the end, also to influence such data processing operations with a relevant administrative decision.
The measure of a European authority would have a direct impact in other States. Already for the first constellation that a decision by the French DPA would affect persons on the territory of Germany or Spain, I have my doubts. This is of course even more valid in the second constellation, outside the European Union and thus also outside the competences of European authorities.
Now one surely can cite as a counter-argument that the territorial scope of European data protection law is interpreted in a very broad way, also by the ECJ, and European data protection law applies to the activities of Google Inc., with headquarters in the USA. That is correct. But in my view, as described above, it is inevitably necessary in order to achieve the objectives laid down in the DPD and in the Charter of Fundamental Rights of the European Union that a DPA is able to monitor the compliance with these rules and enforce the rights and guarantees (I refer again to the ECJ judgment regarding the Data retention directive). Such enforcement, however, due to the principle of territorial sovereignty of States, is not always possible.
The European DPAs seem to be aware of this situation. If one looks at the official guidelines on the implementation of the Google decision (WP 225, PDF), one can find on page 8 in paragraph 19 the following statement: “In practice, DPAs will focus on claims where there is a clear link between the data subject and the EU, for instance where the data subject is a citizen or resident of an EU Member State”. So the DPAs propose only to focus on situations where a clear connecting factor to a European Member State exists.
In the end, one must observe that that the territorial enforcement European data protection law is certainly not an easy and also a disputatious topic. It will be interesting to see how this case moves further in France. Perhaps the ECJ has to decide again.