Google Inc. v Commission nationale de l’informatique et des libertés (CNIL) brings to the fore the interpretation of the ‘right of erasure’, also known as the right to be forgotten as codified in the General Data Protection Regulations (GDPR). This relates to the obligation of data erasure immediately after:
Under any of the above grounds, the data must be erased immediately. The controller of such information is also under the obligation must take all reasonable measures to inform all other controllers that links to this personal data must be erased. Search engines qualify as controllers and processors of data and thus are obliged to follow the obligations related to the processing of personal information set out to them in the GDPR.
A case involving Google and a French privacy provider called ‘CNIL’ disputed over the right to be forgotten. Back in 2015, ‘CNIL’ pushed Google to remove search listing to pages containing false data about an individual or data that is considered damaging to a person’s reputation. As a response to this, Google then introduces a geo-blocking feature which prevents European Union (‘EU’) citizens from being able to access such false or damaging information, while this information remains accessible to all jurisdictions falling outside of the EU’s scope.
‘CNIL’ then pursued further for Google to apply this feature globally, to which the Court of Justice of the European Union (‘CJEU’) responded that Google does not have the obligation to apply the principle of the right to be forgotten on a global level.
This case thus proved a territorial element in the right to be forgotten, and that the scope of this right extends to the EU Member States’ jurisdictions. The CJEU also allowed to retain certain listings which may contain information related to a person’s past convictions for ‘strictly necessary’ purposes. This was also decided in order to preserve the right of information of individuals.