By some accounts, this was inevitable. Google has refused to comply with a French order that would apply the “right to be forgotten” to all worldwide domains — and not just European ones.
This latest volley in this contest came down in May of 2015, when France’s Commission Nationale de l’Informatique et des Libertés, or CNIL, issued an order that required Google to apply European data protection laws outside of European domains. Readers of this column will remember that in May of 2014, Europe’s top court, the European Court of Justice, had ruled that Google would have to consider requests from Europeans to remove links to content. This ruling established the so-called “right to be forgotten” — but it only applied to URLs like google.fr in France and google.de in Germany, and not google.com.
In the debates over the decision, observers noted that it was only a matter of time before any rules that applied to European domains may have to extend beyond them in order to fulfill the true intent of the “right to be forgotten.” The CNIL’s May ruling that the issue was brought back into the limelight. Google has refused and appealed, calling the CNIL ruling “a troubling development that risks serious chilling effects on the Web.”
By its own account, Google has been a stand-up corporate citizen: it has sifted through more than a quarter of a million requests and taken down more than one million links. It has published transparency reports, and it has managed to put these systems in place without considerable delay. “Whenever a request meets the criteria set by the Court for removal (which are that the information can be deemed inadequate, irrelevant, no longer relevant or excessive, and not in the public interest) we delist it from search results for that individual’s name from all European versions of Google Search,” wrote Peter Fleischer, Google’s Global Privacy Counsel.
Their case should sound familiar to anyone who has followed global Internet censorship over the prior years. One country ought not to control what other country’s users can see, Google contends, and complying with the CNIL decision risks encouraging other countries to tighten their grip on what users can and cannot view, beginning “a race to the bottom” in which “the Internet would only be as free as the world’s least free place.”
But the stronger rationale is the simpler, empirical one: the disproportionate share, some 97 percent, of French searches use google.fr, not google.com or other non-EU domains. In other words, forcing Google to apply this rule beyond European domains would accomplish very little — and potentially risk a great deal.
“We have worked hard to strike the right balance in our implementation of the European Court’s ruling and have maintained a collaborative dialogue with the CNIL and other data protection authorities, who agree with our decisions in the majority of cases referred to them. We are committed to continuing to work with regulators in this open and transparent way,” wrote Fleischer.
The CNIL, for its part, believes itself to be adhering to the letter of the law. In a statement to the New York Times, they noted “that Google’s arguments are partly political” while “those of C.N.I.L … were based strictly on legal reasoning.”
What penalties does Google face for noncompliance? Some modest fees, and the possibility that the case remains tied up in court for years to come. While no stranger to European courts, this can’t come as a welcome development for Google, which has been trying to change its image among European regulators and lawmakers.
This is an important development in a critical case. The scrutinizing of Google isn’t an isolated phenomenon, and American firms (and politicians) concerned about legal and regulatory challenges abroad would do well to pay attention as Google navigates the implementation of the “right to be forgotten.”
