Takeaways

The EU’s top court has ruled that Google does not have to de-reference data viewable outside the 28-member bloc.
Links still have to be removed from search results but only those seen in EU countries.
Ruling is facts specific and does not mean GDPR ceases to apply to U.S. businesses.

Five years after the application of the European Union’s right to be forgotten (right to erasure) rule, and four years after France’s data regulator Commission Nationale de l'Informatique et des Libertés (CNIL) fined Google for not applying the right to be forgotten globally, the EU’s top court has ruled that Google is not obligated to censor search results outside of the EU.

In its statement, the European Court of Justice (ECJ) concluded that “currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject […] to carry out such a de-referencing on all the versions of its search engine.”

The ECJ decision should bring some relief for Google as it scores a victory over what it felt was overreach by a European regulator. When complying with a “right to be forgotten” request, the company can just limit the removable links to search results in Europe instead of having to remove links to data globally.

The decision likely will also please free speech campaigners who were pushing for a ruling in Google's favor, worried that the application of the rule outside of the EU could lead to other countries more aggressively censoring or editing search engines globally based on national laws.

This case continues a trend of European regulator fines and rulings from Europe’s top court over the past five years which have global implications. Along with the concept of extraterritorial reach baked into the new European General Data Protection Regulation (GDPR), this case highlights the tension around the international reach of data laws and conflicting rights, a tension that makes it extremely difficult for global businesses to know what to do.

All that said, it should be remembered that the right to be forgotten has not gone away. Nor has the GDPR, which contains numerous new rights and obligations on businesses that come with substantial fines of up to 4% of global revenue or 20 million euro (whichever is higher and per breach of the rules). Importantly, the GDPR was also deliberately drafted to apply to companies even if they were not physically in the EU.

Even as the decision is welcomed by many U.S. and other non-European businesses, it should be remembered it was very much facts specific. Since the first right-to-be-forgotten ruling five years ago, Google has been actioning high numbers of requests and logging what it felt were its correct compliance efforts—this likely played a role in convincing the ECJ that the efforts were reasonable and that to make it do more would be disproportionate and unnecessary.

Meanwhile, we will continue to see the trend of regulators in Europe holding U.S. and other non-European businesses accountable for any non-compliance with GDPR. That means taking advice on how the EU laws apply to one’s company (even if it is not in Europe), and then taking and recording reasonable steps to comply, remains the best approach to reducing risk and increasing the chances of avoiding or overcoming regulator action.