In its amicus brief submitted in relation to the US Microsoft Warrant case, the European Commission emphasised that:
“In the European Union’s view, any domestic law that creates cross-border obligations should be applied and interpreted in a manner that is mindful of the restrictions of international law and considerations of international comity.” (Amicus brief, p. 5)
The Google France case, coming before the Court of Justice of the European Union (CJEU) sometime in 2018, will show whether the Commission is equally firm in its views when it is the EU’s law that creates such cross-border obligations.
The matter coming before the CJEU stems from the well-known Google Spain case in which the CJEU articulated a right to have certain search results delisted where a search is based on a person’s name (the “right to be forgotten”). The question now before the CJEU relates to the scope of jurisdiction of such orders.
Prompted by an action by the French data protection authority (CNIL), the Conseil d’État of France has advanced essentially the following questions to the CJEU:
- Must a search engine operator deploy the de-referencing to all of the domain names used by its search engine?
- If not, must a search engine operator only remove the links on the domain name corresponding to the State in which the request is deemed to have been made or on the national extensions used by that search engine for all of the Member States of the European Union?
- Must a search engine operator use ‘geo-blocking’? If so, only from an IP address deemed to be located in the State of residence of the person benefiting from the ‘right to de-referencing’, or even, more generally, from an IP address deemed to be located in one of the Member States?
As to ‘geo-blocking’, it is worth recalling that, already in 2000 a French Court was willing to rely on geo-location technologies in relation to an order for the blocking of content in France (see: Yahoo! case). Given that the accuracy of geo-location technologies has increased, ‘geo-blocking’ may, presumably, remain a viable option.
The “right to be forgotten” is best viewed as a nuanced right to a fair first impression for searches based on a person’s name.
More importantly, the binary nature of the questions advanced by the Conseil d’État is both crude and inadequate. The “right to be forgotten” articulated in the Google Spain case is not aimed at unqualified protection; after all, the original content remains online and may be found using alternative search terms, not including the name of the person in question. Thus, the “right to be forgotten” is best viewed as a nuanced right to a fair first impression for searches based on a person’s name.
Given that the “right to be forgotten” is not unqualified, we do not need to pursue unqualified solutions in relation to jurisdiction. The real aim is an appropriate level of protection. In some cases – such as with sexual content involving minors – this clearly requires global delisting. In other cases – such as the accurate financial information at issue in the Google Spain case – more limited delisting will suffice. One size does not fit all.
The Conseil d’État also failed to acknowledge the international law aspects of the matter. The EU is subject to international law, which necessitates that the CJEU takes account of any limitations imposed by international law. So, what if anything does international law say that impacts the assessment in which the CJEU must now engage?
I am more than willing to admit that the relevant aspects of international law are messy and associated with both controversy and internal contradictions. But to gain an insight into some form of mainstream view of the applicable international law, we can draw upon the conclusions reached by the eminent group of experts who produced the Tallinn Manual 2.0.
If we adopt the conventional classification of jurisdiction (legislative, adjudicative, and enforcement), what we are dealing with here must clearly fall within so-called enforcement jurisdiction. As noted in the Tallinn Manual 2.0: “States generally do not possess enforcement authority outside their territory.” (Tallinn Manual 2.0, p. 52)
The most frequently cited description of sovereignty tells us that: “Sovereignty […] signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.” (Island of Palmas) Where the EU determines what is delisted for Internet users in, for example, New Zealand, it is arguably interfering with New Zealand’s sovereignty.
To this, we may add that both the notion of international comity and international human rights law can be seen to speak against the crude and simplistic global delisting sought by the CNIL. It must also be remembered that, as the human rights of non-EU citizens would be affected by the type of orders sought by the CNIL, the CJEU must consider international human rights law (notably the International Covenant on Civil and Political Rights (ICCPR)) in addition to European human rights law.
As it was emphasised in the Tallinn Manual 2.0:
“Restrictions on the right to seek, receive, and impart information pursuant to Article 19 of the ICCPR must satisfy a tripartite test: they must be provided for by law under the clearest and most precise terms possible, foster a legitimate objective recognised by international law, and be necessary to achieve that objective.” (Tallinn Manual 2.0, p. 202)
All aspects of this tripartite test may pose a challenge for global delisting orders. It may be difficult to argue that providing the “right to be forgotten” in a situation such as that in Google Spain makes it necessary to delist search results in Fiji, in the Falkland Islands, or even in Finland.
Additionally, where the EU seeks to require a global internet intermediary to delist content globally, based on the violation of local law, other countries like North Korea, China, and Russia may also seek to make such orders.
Featured image credit: “Mac-459196” by 377035. CC0 Creative Commons via Pixabay.