EU to Allow Geographic Limits on Right-to-Be-Forgotten Requests if Court Adopts New AG Opinion

Published On January 11, 2019 | By Mason Weisz and Michelle Anderson | General, International, Privacy
TwitterLinkedInFacebookRedditCopy LinkEmailPrint

The EU’s highest court may be poised to allow Google and other search engines to honor most right-to-be-forgotten requests in a way that impacts only searches from within the EU, i.e., without affecting results for searches performed by users outside the EU. EU Court of Justice (“CJEU”) Advocate General (“AG”) Maciej Szpunar released an opinion yesterday (available as of today only in French, but we read it for you, and this press release is in English) recommending that the CJEU take this position in a pending case involving Google. Although this sort of opinion is nonbinding, the CJEU often gives great weight to the AG’s recommendation and is expected to rule on the matter shortly.

In the underlying case, an individual wanted Google to de-list certain search results for searches of the individual’s name. Google at first agreed to do this only for searches from its websites with EU-based domain names, like Google.fr and Google.it. After the French privacy regulator (the Commission Nationale de l’Informatique et des Libertés or “CNIL”) threatened Google with a fine for failing to de-list the results for all queries worldwide (such as searches on Google.com), Google made a further adjustment of de-listing the results for all queries on non-EU Google sites if the IP address of the requesting user was from an EU member state. The CNIL then imposed a €100,000 fine, and the case eventually escalated to the CJEU.

“L’idée d’un déréférencement mondial peut paraître séduisante par sa radicalité, sa clarté, sa simplicité et son efficacité. Néanmoins, cette solution ne me convainc pas, car elle tient compte d’un seul côté de la médaille, à savoir la protection des données d’un individu.”


“The idea of global delisting may seem enticing because of its radicalness, its clarity, its simplicity and its effectiveness. However, that solution fails to convince me because it takes account of only one side of the coin, i.e., protection of the individual’s data.”


— Advocate General Maciej Szpunar

The AG recommends that the CJEU reason as follows:

  • It is dangerous to impose EU-based de-listing requirements worldwide because it invites other countries to impose their own de-listing or censorship requirements in a way that denies EU residents the ability to view information that they normally could lawfully access. This would have undesirable consequences for the right to freedom of expression, and the public’s interest in accessing information, against which the right to privacy must be balanced.
  • EU law does not normally require right-to-be-forgotten requests to search engines to be implemented in a way that impacts the search results that individuals outside the EU may see.
  • There may be cases where EU law does require such a global de-listing, but this is not one of them.
  • In response to a valid right-to-be-forgotten request for search results, a search engine subject to EU law should use every measure at its disposal to implement it with respect to search made within the borders of the EU, including geo-blocking.
  • The Article 29 Working Party’s 2014 guidance (which was issued after the CJEU’s first Google right-to-be-forgotten decision) indicated all such requests should be given global effect and was thus unjustifiably broad and should not be endorsed.
  • The referring court also asked the CJEU to opine specifically on whether the de-listing should be given pan-EU effect or whether it can be limited to the country where the individual lives. The CJEU should require pan-EU effect, but normally not global effect.

A few other points of interest:

  • This case arose under the old Data Protection Directive, though the decision mentions the GDPR, which of course will apply to any continued listing of search results on Google websites.
  • Do not expect the ultimate decision to conclude that the GDPR as a whole does not apply to individuals with non-EU IP addresses. Under GDRP Article 3, it clearly does apply to many such situations (for example, it applies to a data controller’s processing of data about individuals in the United States, regardless of their IP addresses), and search engines present some somewhat unique issues.
  • It will be interesting to see the extent to which the CJEU decision gives specific direction on how search results should be blocked when the requesting individual resides outside the EU.

We will continue following this case and read the CJEU decision closely—in particular for anything that could provide partial geographic relief from other GDPR requirements that negatively impact freedom of expression and access to information, such as the application of consent rules in ways hurt news websites’ ability to fund themselves through advertising technology.

About The Authors

Mason helps clients navigate a constantly shifting web of domestic and international laws regulating data collection, marketing, data sharing, computer crime, data security, electronic surveillance, online content, children’s privacy, financial privacy, information management, and other areas of privacy and Internet law. A former web designer, he has extensive experience with issues relating to digital media, new technology and e-commerce.

Michelle Anderson counsels clients on a range of privacy, security, and consumer protection matters. She works closely with clients to understand their goals and risk profiles to help develop strategies for compliance with domestic and international privacy and security laws and regulations.

Leave a Reply

Your email address will not be published. Required fields are marked *