European Union high court sends new signals on reach of internet regulation
Image from Shutterstock.com.
A recent pair of cases out of the European Union have provided new insight into the reach of the EU’s regulation of the internet.
Both cases revolve around whether an EU member state’s court can order an internet company to take down or de-list information online and whether that power extends beyond the EU.
In one case, the European Court of Justice seemed to put limits on France’s ability to make Google de-list search results beyond Europe. However, last week, the same court concluded that Facebook must take down a defamatory post worldwide. Both cases cannot be appealed.
The first case concerned itself with the “right to be forgotten” under the General Data Protection Regulation, the sweeping EU data privacy law that came into effect May 2018.
The basic idea behind the right to be forgotten, also called the right to erasure, is that people can petition internet companies, like Google, to pull specific information from search results—called de-listing—if it is “inadequate, irrelevant or no longer relevant or excessive,” as determined by the European Court of Justice in a 2014 ruling.
While the name may indicate otherwise, the right to be forgotten was never meant to be absolute, says Nikolas Guggenberger, executive director of the Information Society Project at Yale Law School and who previously worked in the EU Parliament.
“The right to be forgotten is not intended to be a guarantee that information cannot be accessed,” he says. “It’s simply a means to make it harder and more costly for that information to be obtained.”
At issue in the opinion delivered Sept. 24, was whether the French data protection agency CNIL could force Google to de-list, or de-reference, specific information pertaining to a French citizen worldwide, not just in the EU.
worldwide application
Google rebuffed the request and was fined. However, the search giant did create a geo-blocking feature that would block people with EU internet addresses from seeing de-listed information.
The court seems to have sided with Google.
“It follows that, currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject … to carry out such a de-referencing on all the versions of its search engine,” the opinion reads.
Google had asserted that a worldwide application of the right to be forgotten would give detrimental power to authoritarian regimes looking to edit the internet. “Since 2014, we’ve worked hard to implement the right to be forgotten in Europe, and to strike a sensible balance between people’s rights of access to information and privacy,” the company said in a statement. “It’s good to see that the court agreed with our arguments.”
Others, however, see a very different outcome.
“At first sight, it seems the court gave Google a straight win,” says Lokke Moerel, senior of counsel at Morrison & Foerster in Berlin, “and I think that is not true.”
The challenge, the court reckoned, is that a right to be forgotten is not universally recognized, which led it to side with Google and limit de-listing to EU top-level domains, like .de and .fr. However, the opinion notes that while “EU law does not currently require that the de-referencing granted concern all versions of the search engine in question, it also does not prohibit such a practice.”
The decision went on to find that the GDPR applies to Google’s data processing on all of its domains globally, which could affect other aspects of the GDPR beyond the right to be forgotten, Moerel says.
In the immediate case concerning Google, the court laid out a balancing test that member states will need to weigh between a data subject’s right to privacy and a right to freedom of information. If, through this test, an EU member state determines that data should be de-listed through the right to be forgotten, then it is in the member’s right “to order, where appropriate, the operator of that search engine to carry out a de-referencing concerning all versions of that search engine.”
With this language, Moerel says, the court is leaving the door open for member state courts to decide whether the right to be forgotten applies to all search results, and not just those in the EU.
takedown requests
While that issue waits to be litigated, the court made a different ruling on Oct. 3, finding that an EU member court can order Facebook to take down a defamatory or illegal post globally.
Coming from Austria, this case concerned itself with a Green Party politician that sued the social media company over posts on the platform that called her a traitor and a fascist, among other insults, which an Austrian court found were defamatory.
The European Court of Justice found that member state courts can order Facebook to remove specific posts worldwide that violate national laws, including “equivalent” content. This case did not concern itself with the GDPR.
“This judgment raises critical questions around freedom of expression and the role that internet companies should play in monitoring, interpreting and removing speech that might be illegal in any particular country,” said a Facebook spokesperson in an emailed statement. “It undermines the long-standing principle that one country does not have the right to impose its laws on speech on another country. It also opens the door to obligations being imposed on internet companies to proactively monitor content and then interpret if it is ‘equivalent’ to content that has been found to be illegal.”
Guggenberger at Yale, however, argues that these two cases only seem at odds “at first glance.” The court in Facebook makes clear that the definitional and jurisdictional reach of defamation is left up to member states to define within the confines of their national and international law. In Google the reach is defined at the EU level, which leaves the two opinions logically consistent.
“That said, the situation can become quite complex now as member states might well follow different approaches,” he adds.
In a livestreamed event on Oct. 3, Facebook CEO Mark Zuckerberg talked about how it complies with takedown requests that violate national laws of the site’s own Community Standards. However, he noted that the company has fought overly broad takedown requests in the past.
In reference to the European court’s most recent decision and the expectation of future litigation, he said: “This is something I expect us and other companies will be litigating.”
Correction: Quotation marks that incorrectly attributed text to Guggenberger were removed and comparison between the two cases were clarified on Oct. 15.
See also:
ABAJournal.com: “Extraterritoriality, the internet and the right to be forgotten”
