In Google LLC v CNIL, the Court of Justice of the European Union (CJEU or Court) held that the EU law only requires valid ‘right to be forgotten’ ‘de-referencing’ requests to be carried out by a search engine operator on search engine versions accessible in EU Member States, as opposed to all versions of its search engine worldwide. The ruling has been perceived as a ‘win’ for Google and other interveners, such as Microsoft and the Wikimedia Foundation, who argued against worldwide de-referencing; while the Court has been praised for its restraint in finding that the current EU law on the ‘right to be forgotten’ only applies within the EU. However, the CJEU went further and recognized the EU Parliament’s ability to extend the GDPR to apply extraterritorially and Member States’ ability to apply national de-referencing laws beyond their borders. Moreover, the CJEU appears to have reached these conclusions at the expense of the GDPR’s aims to harmonize the data protection framework across the EU. The decision allows Member States to decide individually the territorial scope of de-referencing obligations, thus creating the potential for different results based on where the requester resides. By creating the potential for national data protection authorities to apply stronger protections than those afforded by the GDPR, this decision could be seen as another brick in the ‘data privacy wall’ which the CJEU has built to protect EU citizens. This note thus argues that Google LLC v CNIL’s significance can only be understood by situating it in the broader context of CJEU’s recent data privacy decisions, which reveals the continued forcefulness of the CJEU’s stance on data protection after Snowden and Cambridge Analytica scandal.
Zalnieriute, Monika, Google LLC v. Commission Nationale de l’informatique et des Libertés (CNIL) (January 9, 2020). Forthcoming (2020) 114(2) American Journal of International Law; UNSW Law Research Paper No 20-2.