On March 28, 2016 the French DPA (CNIL) imposed a fine of EUR 100,000 on Google for inadequate implementation of the “right to be forgotten” – Google is appealing it. The appeal should take two years.
The sanction was imposed for failing to comply with users’ requests to have links to personal information about them removed from Google’s global search results (15 PVLR 674, 3/28/16). Even if the right to be forgotten is a European right, CNIL’s position is that the delisting should occur on all Google’s search engine websites worldwide (including the US .com) and not just EU domain (e.g., such as .fr, .de, .uk) (14 PVLR 1441, 8/3/15). The same position has been taken by the Article 29 Working Party, which is currently chaired by Isabelle Falque-Pierrotin (who is also CNIL President).
Google stated that it complied with 50% of the requests, after reviewing the merit of them, i.e. after making sure that the subject’s right to individual privacy outweighed the public’s right to be informed. See here for the WP29’s Guidelines on the right to be forgotten.
Google opposed the worldwide de-listing, on the substance, as a hindrance to free flow of information and, from a legal standpoint, as an impermissible extraterritorial effect of the law of one country (EU) outside of it. To partially solve the impasse, Google suggested using geoblocking technology on non-European websites so that EU users would find it hard to gather information but this suggestion was not enough to avoid CNIL’s sanction.
While I will not express a view on Google’s substantive argument of free flow of information, I notice that Google’s argument on unpermitted extraterritoriality of EU privacy law should be overcome anyway once the GDPR is in full force, by virtue of the new “targeting” approach of Article 3:
If the “.com” is offered to data subjects in the EU – or it monitors their behavior – the “right to be forgotten” applies.
For more information, Francesca Giannoni-Crystal