GDPR LANDMARK CASE

Google vs. CNIL: Right to Be Forgotten Global Scope Challenge

Analysis of the landmark case that defined the territorial limits of the right to be forgotten under GDPR

Case Summary

Case

Google LLC v. Commission nationale de l'informatique et des libertés (CNIL)

Court

Court of Justice of the European Union (CJEU)

Year

2019 (Case C-507/17)

Key Issue

Whether EU data protection authorities can order search engines to apply de-referencing globally, beyond EU territories, or only within the EU.

Ruling Impact

Established territorial limits for the right to be forgotten, balancing EU privacy rights with global freedom of information principles.

Background & Facts

Original Request

CNIL ordered Google to de-reference certain search results globally, not just on EU versions of its search engine, following right to be forgotten requests under GDPR Article 17.

Google's Position

Google argued that EU law should not have extraterritorial effect and that global de-referencing would conflict with other jurisdictions' laws and values.

CNIL's Stance

The French data protection authority maintained that effective protection required global de-referencing to prevent circumvention by accessing non-EU versions.

Core Tension

The case highlighted the tension between territorial data protection enforcement and the global nature of internet search services.

Court Decision & Reasoning

CJEU Ruling

EU law does not require global de-referencing. Search engines must de-reference on EU versions of their search engines but not necessarily on global versions.

Key Legal Principles

  • Territorial limits of EU data protection law
  • Balance between privacy rights and freedom of information
  • Respect for other jurisdictions' legal frameworks
  • Effective enforcement within territorial boundaries

Technical Implementation

The court required search engines to implement "geo-blocking" measures to prevent EU users from easily accessing non-EU versions to circumvent de-referencing.

Note: Search engines must take "sufficiently effective" measures to prevent circumvention while respecting territorial boundaries.

Implications for DPDPA 2023

Territorial Scope

Indian authorities should consider territorial limits when enforcing erasure rights

Balanced Approach

Balance individual privacy rights with broader societal interests

Technical Measures

Implement effective but proportionate technical enforcement measures

Key Takeaways for India

  1. Territorial Enforcement: DPDPA authorities should focus on effective enforcement within Indian jurisdiction rather than seeking extraterritorial application
  2. Technical Standards: Establish clear technical requirements for geo-blocking and anti-circumvention measures for Indian platforms
  3. International Cooperation: Develop frameworks for cross-border cooperation on data protection enforcement while respecting sovereignty