Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Department of Law Spring Term 2018 Master’s Thesis in EU Law and Private International Law 30 ECTS
The Right to be Forgotten - The Extraterritorial Reach of EU Data Protection Law with Special Regard to the Case of Google v CNIL
Rätten att bli bortglömd - Den extraterritoriella räckvidden av EUs dataskyddslagstiftning med särskilt beaktande av målet Google mot CNIL
Author: Frida Almlöf Supervisor: Professor Maarit Jänterä-Jareborg
Foreword Four and a half years of law school is almost completed and this thesis will be the end
of what has been an incredible but tough journey. Without doubt, private international
issues in data protection law have been the trickiest but also amongst the most
interesting encounters during my time at law school. I would like to thank my conflict
of laws teacher at the University of Auckland, who introduced me to the complexity of
private international law issues arising in the Internet context, and for mentioning the
case of Google v CNIL in one of our classes, which gave me the idea to this thesis.
Furthermore, I would like to thank my supervisor Professor Maarit Jänterä-Jareborg at
Uppsala University for her great support and help throughout the process of writing this
thesis. And lastly, to my friends and family, thank you for being there for me during
these years and for constantly reminding me what is really important in life.
Frida Almlöf, Uppsala 16 July 2018
Abbreviations Brussels 1 bis Regulation Regulation No 1215/2012 on jurisdiction and the
recognition and enforcement of judgments in civil and commercial matters
The Charter The Charter on Fundamental Rights and Freedoms CJEU The Court of Justice of the European Union CNIL La Commission national de l’informatique et des
libertés (the French Data Protection Authority) The Data Protection Directive Directive 95/46/EC on the protection of individuals
with regard to the processing of personal data and on the free movement of such data
ECHR The European Convention on Human Rights ECHtR The European Court of Human Rights GDPR Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data Rome I Regulation Regulation (EC) No 593/2008 of the European
Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations.
Rome II Regulation Regulation no 864/2007 on the law applicable to non-
contractual obligations TEU The Treaty of the European Union TFEU The Treaty on the Functioning of the European Union U.S. The United States of America The Working Party Article 29 Working Party
Relevant Terminology
Article 29 Working Party The Article 29 Working Party was an independent European advisory body, which consisted of representative from the data protection authorities of each Member State, the European Data Protection Supervisor and the EU Commission. After the GDPR entered into force 25 May 2018, the Article 29 Working Party was replaced by the European Data Protection Board.
De-listing De-listing refers to the removal of links to web pages
from a list of search results displayed when an Internet user makes a search on a search engine.
Domain name Websites generally have domain names that identify
which country the website is associated with, such as “.se” for Sweden or “.dk” for Denmark.
IP-address IP-address stands for Internet Protocol address and is a
way to determine a an Internet user physical location thorough the location of its device (computer, cell phone etc.) It contains a unique string of numbers, which can identify the location of the user to State, province, city, longitude and latitude.
Third country A third country is a country that is not a Member State of
the European Union (EU). Search engine A search engine enables Internet users to find existing
information on the World Wide Web by searching on specific search terms. The search results are presented in a list of search results. The most used search engine in the world is Google Search operated by the U.S. company Google LCC.
VPN VPN stands for Virtual Private Network. A VPN makes it possible for a user to reroute its connection via an IP- address located somewhere else, making it appear as the computer is located in another country.
Web page The World Wide Web consists of billions of web pages. Each web page has a unique address, a specific string of symbols also known as Uniform Resource Locator (URL), by which it can be found. A website usually consists of a collection of different web pages.
Table of Contents
1. Introduction .................................................................................................... 1 1.1. Background ................................................................................................ 1 1.2. Objectives ................................................................................................... 4 1.3. Demarcations ............................................................................................. 5 1.4. Method and Sources ................................................................................... 7 1.5. Outline ...................................................................................................... 11
2. Data Protection in the EU ............................................................................ 12 2.1. Introduction .............................................................................................. 12 2.2. A History of Data Protection – From the ECHR to the GDPR ............... 12 2.3. The Right to Privacy and the Protection of Personal Data ..................... 14 2.4. The Scope of the Rights ............................................................................ 15 2.5. Not Absolute Rights .................................................................................. 16 2.6. Data Subjects and Personal Data ............................................................ 17 2.7. Controllers, Processors and Processing .................................................. 18
3. Data Protection, Jurisdiction and Choice of Law ..................................... 20 3.1. Introduction .............................................................................................. 20 3.2. Data Protection – Public or Private Law? .............................................. 21 3.3. Traditional Private International Law Instruments ................................. 22 3.4. Jurisdiction and Choice of Law in Data Protection Litigation ................ 23 3.5. Jurisdiction under Public International Law ........................................... 25
4. Google Spain and The Right to Be Forgotten ............................................ 28 4.1. Introduction .............................................................................................. 28 4.2. The Google Group and Google Search .................................................... 29 4.3. Background of the Google Spain Case .................................................... 30 4.4. The Liability of Search Engine Operators ............................................... 30 4.5. A Right to be Forgotten ............................................................................ 32
4.5.1. The Existence of a Right to be Forgotten ................................................... 32 4.5.2. The Balancing of the Interests Involved .................................................... 35
4.6. The Territorial Scope of the Directive ..................................................... 37 4.7. The Implementation of the Google Spain Ruling ..................................... 39
5. Google v CNIL .............................................................................................. 42 5.1. Introduction .............................................................................................. 42 5.2. The Appealed Decision ............................................................................ 42 5.3. Reference to Preliminary Ruling .............................................................. 45 5.4. The Data Protection Directive or the GDPR? ......................................... 47 5.5. The GDPR and The Right to be Forgotten ............................................... 48
5.5.1. The Territorial Scope ................................................................................. 48 5.5.2. A Strengthened Right to be Forgotten ........................................................ 49
6. Google v CNIL in light of Google Spain ..................................................... 53 6.1. Introduction .............................................................................................. 53 6.2. Advertisement Linked to the Territory of a Member State ....................... 53
6.3. One Single Processing of Personal Data ................................................. 55 6.4. A Comparison with a Recent Swedish Judgment ..................................... 56 6.5. The Effective and Complete Protection of Personal Data ....................... 59 6.6. Conclusion ................................................................................................ 61
7. The Effective Protection of Personal Data ................................................. 63 7.1. Introduction .............................................................................................. 63 7.2. How Comprehensive is the Right to be Forgotten? ................................. 64 7.3. The Notion of an Effective and Complete Protection ............................... 65 7.4. Potential Approaches and Their Effectiveness ........................................ 66
7.4.1. Question 1 and 2 – is Global De-listing a Necessary Measure? ................ 66 7.4.2. Question 3 – the Use of Geo-blocking Techniques .................................... 68
7.5. Does the Law Need to Be 100% Efficient? .............................................. 70 8. Freedom of Expression and Information on the Internet ........................ 73
8.1. Introduction .............................................................................................. 73 8.2. The Freedom of Expression and Information .......................................... 74 8.3. Impacts on the Freedom of Expression and Information ......................... 75 8.4. Freedom of Expression and Information in Third Countries ................... 77 8.5. Considerations of Sovereignty and Comity .............................................. 78
9. Final Remarks .............................................................................................. 81 Bibliography ........................................................................................................ 82
1
1. Introduction
1.1. Background
“Since the beginning of time, for us humans, forgetting has been the norm and
remembering the exception. Because of digital technology and global networks,
however, this balance has shifted. Today, with the help of widespread technology,
forgetting has become the exception, and remembering the default.”1
In the preliminary ruling of Google Spain2 from 2014 the Court of Justice of the
European Union (CJEU) established that there existed a right to be forgotten on the
Internet to be respected by search engine operators under the Data Protection Directive3.
The right obliges search engine operators to, under certain circumstances, de-list links
to third party web pages appearing in the search results. This may be required when the
web page contains personal data relating to an individual and is made available
following a search made on the basis on the individual’s name. When an individual
makes a request to a search engine operator, de-listing is required by the search engine
operator when the information in question is inadequate, irrelevant or excessive in
relation to the purpose for which the data is being processed. This is after considering
the data subject’s fundamental right to privacy contra the search engine’s economic
interest and the general public’s interest of accessing the information. The right to be
forgotten is now clearly expressed in Article 17 of the General Data Protection
Regulation4 (GDPR), which was applicable from 25 May 2018.
The CJEU’s ruling in Google Spain was without doubt a controversial one; it has led to
an intense debate in legal doctrine and amongst organisations advocating for privacy,
and on the contrary, freedom of expression and information online. The judgment has
further lead to great implementation difficulties. How should a search engine operator 1 Viktor Mayer-Schoenberger, Delete: The Virtue of Forgetting in the Digital Age, p 2. 2 Case C-131/12 Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González. 3 Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. 4 Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data
and on the free movement of such data.
2
draw the balance between the right to privacy, its own economic interests and the
general public’s interest in accessing the information? Moreover, how far does the right
to be forgotten reach, from a geographical point of view?
The question of geographical width or “territorial reach” is relevant when search
engines, as they generally do, operate from several different country specific versions.
To give a concrete example: Google Search, operated by the American company
Google LCC (Google), is the most used search engine in the world.5 Google Search
operates from several different country specific versions of the search engine and the
content shown on these different versions varies. For example, the language used, the
search results and the advertisement shown are adapted to the preferences of Internet
users of each specific country.6
Up until October 2017, the country specific version of the search engine, which an
Internet user accessed, was determined by the domain name entered into the browser,
such as “google.se” (Sweden) “google.fr” (France) and “google.co.nz” (New Zealand).
After October 2017, Google has turned to an approach, which automatically determines
the version of the search engine accessed by location. In practice and as will be shown
later, this does not result in any major change as it is possible to access another
country’s version of the search engine by changing the settings. For the sake of
simplicity and in order to adopt the terminology of the preliminary ruling in Google V
CNIL7, I will in the foregoing use the term “domain name” when referring to the
different country specific versions of the search engine.
After the ruling in Google Spain, Google has consequently removed search results from
all the country specific domains within the EU, when the company has found a request
on the right to be forgotten justified. Google has, in addition, blocked search results
from showing on non-EU domains, if the searches are made within the EU through the
user’s IP-address, so-called geo-blocking.8 The Article 29 Working Party (the Working
Party), an independent European advisory body set up in order to give guidelines on EU
data protection matters, argues that the de-listing needs to be global. According to the 5 Curwen, "Google: A regular column on the information industries", p 191-194. 6 See Google, AdSense help, “How ads work”. 7 Case C-507/17 Google Inv. v Commission nationale d’informatique et des libertés. 8 Google Transparency Report, “Search removals under European privacy law”.
3
Working Party, this is the only way to sufficiently protect the data subject’s right to be
forgotten. The Working Party recognizes that an approach of limiting the de-listing to
EU domains would allow circumvention of EU data protection law.9
The ambiguity concerning the “territorial reach” of the right to be forgotten has lead the
French Court, le Conseil d’État, to request a preliminary ruling on the matter, the case
of Google v CNIL. The request was filed in August of 2017. The French Court wants to
know if the right to be forgotten requires the Court to order de-listing of search results
on all of Google’s domains or if de-listing from the domains within the EU, potentially
combined with geo-blocking techniques, is sufficient to ensure the effective protection
of the right.
The case and the forthcoming preliminary ruling in Google v CNIL raise several
interesting legal issues as several fundamental interests collide. No one can blame the
EU for wanting to ensure an effective protection of its residents’ fundamental rights to
privacy and protection of personal data, as guaranteed by the European Convention on
Human Rights (ECHR) and the Charter on Fundamental Rights and Freedoms (the
Charter). Yet, if content is to be removed on all of the search engine’s domains
worldwide, it would undoubtedly limit what the rest of the countries of the world can
access on the Internet. But can the guaranteed right to be forgotten be sufficiently
protected if its reach is not global? And what would the potential implications be on the
freedom of expression and information online if the right to be forgotten is given
extraterritorial reach?
The question on how to divide jurisdiction between different States and which country’s
law that applies to certain situations have long been subject to discussion in both private
international law and public international law.10 The borderless nature of the Internet
makes these issues more complex than ever. Litigation is increasingly directed against
global players, such as search engines and social media platforms, as they have the
9 Article 29 Working Party, “Guidelines on the implementation of the Court of Justice of the European Union judgment on “Google Span and Inc v. Agencia Española de Proteccíon de datos (AEPD) and Mario Costeja González” C-131/12”, p 3. 10 Mills, The Confluence of Public and Private International Law: Justice, Pluralism and Subsidiarity in the International Constitutional Ordering of Private Law, p 2.
4
power to accomplish global removal of content placed online.11 The forthcoming
preliminary ruling in Google v CNIL displays some of the challenges for Internet
regulation and some of the interests at stake.
1.2. Objectives
The main aim with this thesis is to identify and discuss relevant legal issues that the
CJEU has to consider when delivering its forthcoming preliminary ruling in Google v
CNIL. In essence, the question is whether the right to be forgotten is to be implemented
on a global scale, only within the EU, or only within the Member State from which the
request of a data subject is made. The parties to the proceedings are the French data
protection authority La Commission national de l’informatique et des libertés (CNIL)
and the United States (U.S.) company Google. However, the underlying dispute
concerns two private parties, a data subject in the EU who wants “to be forgotten” and a
search engine operator’s potential obligation to do so. The questions will hence
primarily be evaluated from a private international law perspective.
In order to reach this aim it is necessary to first properly investigate the data protection
law of the EU and how private international law issues relating to data protection are
determined. What are the underlying principles of data protection law? Who is covered
by its protection and who is covered by its obligations? How is jurisdiction and choice
of law determined in data protection matters? What considerations might be necessary
in relation to other countries when applying private international law rules that have
effect outside the EU?
The preliminary ruling in Google Spain, where the CJEU established that data subjects
had a right to be forgotten by search engine operators and the territorial scope of the
Data Protection Directive, will be carefully examined as the ruling sets the legal
background to the dispute in Google v CNIL. The referred questions from the French
Court to the CJEU will be described as well as the argumentation of the parties in the
national proceedings. I will further discuss the relevance of the new GDPR to the
forthcoming preliminary ruling. Lastly, I will analyse potential answers that the CJEU
might provide in the forthcoming ruling in light of the Google Spain judgment. In other
11 Svantesson, Private International Law and the Internet, p 20, 21.
5
words, does Google Spain give any guidance as to how the questions might be
approached in Google v CNIL?
After establishing the relevant EU law and examining the relevant cases, I will discuss
legal issues appropriate for the CJEU to consider when delivering its forthcoming
ruling. Firstly, can the effective protection of EU resident’s right to privacy and data
protection, as reflected in the right to be forgotten, be guaranteed if the de-listing of
search results is not global? Or would the protection still be sufficient if the de-listing of
content made by search engines were limited to the EU, potentially combined with geo-
blocking? Secondly, how might the right to be forgotten affect the freedom of
expression and information as guaranteed by the ECHR and the Charter? And what
could possible consequences be for third countries citizens right to freedom of
expression and information be if the data protection law of the EU were given such
extraterritorial reach? Issues of sovereignty and comity will be touched upon in this
context.
Although the focus of the thesis is to evaluate the right to be forgotten in relation to the
extraterritorial reach of EU’s data protection law, the thesis is relevant in a much
broader context: how should countries go about when regulating content on the
borderless Internet? In their eagerness to protect their own citizens, countries may
overlook other interests, which are necessary to consider. Google v CNIL is, in my
view, an excellent case to display the different interests involved when dealing with
Internet regulation. Thus, some of the conclusions in this thesis may be relevant for
other countries outside the EU and other areas of law as well.
1.3. Demarcations
The main focus of this thesis is to analyse the case and the forthcoming preliminary
ruling of Google v CNIL. This is largely made in light of the previous preliminary ruling
of Google Spain. Due to the limited scope of the thesis, only EU law directly relevant
for the two cases will be analysed. Both cases concern processing of personal data in
relation to the Data Protection Directive, carried out before the GDPR entered into force
25 May 2018. The thesis will thus focus on the Data Protection Directive, although
relevant potential changes will naturally be discussed as all future right to be forgotten-
6
requests are to be evaluated under the GPDR. The GDPR has expanded the territorial
scope of EU data protection law. The new territorial scope of the GDPR is both
important and interesting to discuss. However, due to its complexity, it will only be
evaluated to the extent that it is directly relevant for the assessment of Google v CNIL.
EU data protection law has two principal aims – to protect natural persons with regard
to the processing of personal data and to enable free movement of personal data within
the union.12 This study focuses solely on the protection of natural persons with regard to
the processing of personal data. Further, it should be emphasised that this is a study in
EU law and private international law. Public international law aspects of Google v CNIL
are nonetheless relevant, as EU law might come in conflict with the interests of other
States. Public international law will be touched upon, but it is not the aim of this thesis
to provide a comprehensive analysis of Google v CNIL from a public international law
perspective. For an analysis from the perspective of public international law, I refer to
previous works.13
In the case of Google Spain, the CJEU held that three potential interests might collide
when search results were to be de-listed by search engine operators, namely, the data
subject’s interest of privacy and data protection, the interest of individual’s wishing to
access the search results and the economic interest of the search engine. I have chosen
to focus on the first two interests, i.e. the right to privacy and data protection and
freedom of expression and information. The demarcation is based on the limited weight
that the CJEU gave to the search engine’s economic interest in the case. More
specifically, the Court held that an interference with the data subject’s fundamental right
to privacy and data protection could “not be justified by merely the economic interest
which the operator of such an engine has in the processing”.14
Because of the limited scope of this thesis, I have further chosen to focus on search
engine operators, and more specifically Google. This is done for several reasons. The
two cases subject to analysis, Google Spain and Google v CNIL, concern the search
12 See Article 1 of the GDPR and Article 1 of the Data Protection Directive. 13 See for example Van Alsenoy and Koekkoek “The Extraterritorial Reach of the Right to be Forgotten”, and, for a general analysis of the extraterritoriality in EU data protection law from a public international law perspective, see Ryngaert ”Symposium issue on extraterritoriality and EU data protection”. 14 Google Spain above n 2 para 81.
7
engine operator Google. Google is the major search engine, with approximately 90% of
the market shares within the European Economic Area.15 Moreover, search engine
operators are global players that have the possibility to achieve global removal of online
content; this is in contrast to most other controllers of personal data. Search engine
operators play an especially important role in the information society. Hence, when
regulating their activities, it might have serious implications on the freedom of
expression and information on the Internet. Further, because of the important role
search engines play for the information society, to not be able to effectively regulate
them may, on the contrary, be especially harmful for individuals’ protection of privacy
and personal data.
The EU legislation that will be in focus is the Data Protection Directive and the GDPR.
National data protection laws will not be studied. Other private international law
instruments, such as the Brussels I bis Regulation and the Rome II Regulation, will be
mentioned but merely to display the particular role data protection law has received
within EU private international law.
1.4. Method and Sources
The thesis is an analysis of the extraterritorial reach of data protection law of the EU
with special regard to the case of Google v CNIL. The analysis is made from the
perspective of EU law. I will hence adopt the EU legal method.
The EU is an international organization with its roots in public international law. It
does, however, enjoy a particular position as an international organisation because of its
supranational character.16 EU law may thus be regarded as an autonomous legal system.
The legal method of the EU can be described as how to approach the legal sources of
the union, namely, how EU legal sources are to be interpreted and applied.17
15 European Parliament,”Google antitrust proceedings: Digital Business and Competition”, Briefing on July 2015, p 1. 16 Riensenhuber, European Legal Methodology, p 154, 155. 17 Reichel, Juridisk metodlära, p 109.
8
The primary law of the EU consists of the Treaty on European Union (TEU) and the
Treaty on the Functioning of the European Union (TFEU) and the Charter of
Fundamental Rights of the European Union (the Charter). The treaties and the Charter
all enjoy equal legal value and have been ratified by each Member State.18 The primary
law is further normally considered to include the general principles of EU law. General
principles are unwritten and developed by CJEU case law, although some of them have
been codified in the Treaties.19 The secondary law is based on the primary law. It
consists of, amongst others, Regulations and Directives.20 There is a hierarchical
relationship between the primary law and the secondary law, meaning that adopted
secondary law must comply with the treaties, the Charter and the general principles of
EU law.21
The secondary law that will primarily be examined is the Data Protection Directive and
the GDPR, which replaced the Data Protection Directive as of 25 May 2018. The two
legal acts are largely similar. In Recital 9 of the GDPR it is stated that the objectives
and the principles of the Data Protection Directive remain sound. When the GDPR
contains identical or similar provisions, the case law developed in relation to the Data
Protection Directive may thus be relevant in relation to the interpretation of the GDPR
as well.22
Pursuant to Article 288 of the TFEU, a Directive is binding as to the result to be
achieved, but leave the Member States the choice of form and method. Consequently, a
Directive leaves the Member States some degree of discretion. The Member States
further need to transpose a Directive into their national law in order to give effect to it,
although Directives may under certain circumstances have direct effect.23 A Regulation,
on the other hand, is directly applicable in all Member States in its entirety. Thus, no
national measures are required in order to give effect to a Regulation.24
18 Riensenhuber above n 16 p 153. 19 Cuyvers, General Principles of EU Law, p 218, 219. 20 Barnard and Peers European Union Law, p 99-103. 21 Barnard and Peers above p 103, 104. 22 See Jay, Guide to the General Data Protection Regulation: A Companion to Data Protection Law Practice, p 46. 23 Barnard and Peers above p 100. 24 Barnard and Peers above n 20 p 100.
9
The relationship between the EU and the Member States is governed by several central
principles. These include the EU law’s primacy over the laws of the Member States, the
principle of direct effect and the principle of sincere cooperation. The principle of direct
effect means that a EU provision becomes an immediate source of law for the national
courts and the administrator, without further implementation measures required.25 The
principle of sincere cooperation obliges the Member States to take all necessary
measures to ensure that the obligations imposed on them by EU law are fulfilled. It also
obliges Member States to refrain from every measure that might jeopardize the
fulfilment of the objective of the union and includes an obligation to interpret national
law in light of EU law.26
The CJEU is the main judicial organ of the Union and has played an important role in
the development of EU law. It consists of three judicial bodies: the Court of Justice, the
General Court and the Civil Service Tribunal.27 I will use the general term “CJEU”
throughout this thesis without any distinction between the Courts.
The CJEU uses several legal methods when interpreting the legal acts of the union; the
wording of the provisions, the legal context in which the provision appears and the
teleological interpretation method based on the objective of the provision. The latter
interpretation method is especially associated with the CJEU.28 The doctrine of effet
utile is used by the CJEU as part of the teleological interpretation and refers to the
practical effect of EU law. It means that EU law is to be interpreted in such a way that it
is not deprived of its effectiveness. Furthermore, the Court may rely on the effet utile to
make sure that a regulatory purpose is achieved to the greatest extent possible.29
Recitals are included in the preambles of both the Data Protection Directive and the
GDPR. Recitals do not establish any right for individuals, as rights require a provision
in the operative part of the act. Recitals may nevertheless be useful for the CJEU when
analysing the legislator’s intention in relation to a legal act. 30
25 Barnard and Peers above n 20 p 143. 26 Reichel above n 17 p 113. 27 Barnard and Peers above n 20 p 256. 28 Reichel above n 17 p 122. 29 Riensenhuber above n 16 p 252, 253. 30 Riensenhuber above n 16 p 248.
10
Preliminary rulings are an important source of law in this thesis. Preliminary rulings are
regulated in Article 267 TFEU. Pursuant to the Article national courts of the Member
States may refer questions to the CJEU for a preliminary ruling when guidance on how
to interpret EU law is desired. Preliminary rulings can clarify the interpretation of both
primary and secondary law. In a preliminary ruling, the CJEU does not decide an actual
case based on its merits but gives a ruling on the validity or interpretation of EU law.
Thus, preliminary rulings may be regarded as an interim stage in the national
proceedings, which continue after the ruling by the CJEU. The national court referring
the questions is bound by the answers provided by the CJEU; failure to comply
constitutes a breach of EU law. 31 The prevailing opinion is further that preliminary
rulings also bind courts of other Member States. Preliminary rulings lay down how EU
law must be interpreted, which make the interpretation by the CJEU an integral part of
the EU provision in question. The view that the courts of all Member States are bound
by a preliminary ruling is further supported by the fact that the CJEU itself attaches a
general validity to its own preliminary rulings.32
This thesis is primarily concerned with the fundamental right to protection of personal
data and freedom of expression and information, which are protected by the Charter and
the ECHR. The Charter has status as primary law within the EU. Although the EU is not
a member to the ECHR, the CJEU has declared that the articles of the ECHR are part of
the general principles of EU law.33 It is further stated in the Charter that when the
Charter contains rights corresponding to rights guaranteed by the ECHR, the meaning
and the scope of those rights shall be the same.34
Other legal sources that will be used in this thesis are legal doctrine and opinions by the
Working Party. The Working Party was an independent European advisory body, which
consisted of representative from the data protection authorities of each Member State,
the European Data Protection Supervisor and the EU commission.35 After the GDPR
was applicable from 25 May 2018, the European Data Protection Board replaced the
31 Broberg and Fenger, Preliminary References to the European Court of Justice, p 441. 32 Broberg, and Fenger, above p 450, 451. 33 Ferraro and Carmona, “Fundamental Rights in the European Union: the role of the Charter after the Lisbon Treaty”, p 5. 34 See Article 52.3 of the Charter. 35 Datainspektionen, “Sammarbete inom EU”.
11
Working Party.36 Statements by the Working Party only have advisory status but
because of the Working Party’s composition, they are generally greatly respected.37
1.5. Outline
The study will initially introduce the data protection law of the EU in Chapter 2. This
includes an explanation of the principles underlying data protection law and certain vital
definitions. I will refer to both the Data Protection Directive and the GDPR when
explaining the terms, as the definitions are in principle the same in the two legal
frameworks. The introduction is followed by an overview of jurisdiction and choice of
law issues in data protection law, both from the view of private international law and, to
some extent, public international law in Chapter 3. This is essential in order to grasp the
issues relating to extraterritorial reach of data protection law.
In Chapter 4, the CJEU’s judgment in Google Spain will be studied. In Chapter 5, the
issues raised in the case of Google v CNIL are described. This includes an introduction
to the procedural history as well as the questions referred to preliminary ruling by the
French Court. Further, I will comment on the differences between the Data Protection
Directive and the GDPR to the extent relevant to the case. In Chapter 6, I will analyse
potential answers to the question referred to the CJEU in Google v CNIL in light of the
judgment in Google Spain.
In Chapter 7, the effective protection of individuals within the EU’s right to privacy and
data protection will be analysed in relation to the possible answers that may be provided
by the CJEU in Google v CNIL. In Chapter 8, the potential limitations that the right to
be forgotten has on the freedom of expression and information on the Internet will be
discussed, first from a more general perspective, and secondly, from a third country
perspective. The third country perspective also involves issues of sovereignty and
comity. Lastly, Chapter 9 will contain some final remarks.
36 Article 29 Working Party, “The Article 29 Working Party Ceased to exist as of May 25 2018”. 37 Carey, Data Protection: A Practical Guide to UK and EU Law, p 9.
12
2. Data Protection in the EU
2.1. Introduction
Rapid technological developments pose new threats to the protection of privacy and
personal data.38 Due to the global reach and exponential growth of the Internet personal
data “can be collected, transmitted and stored easier than ever before”, Meier explains.39
And personal data is without doubt a valuable commodity; some of the world’s most
profitable companies have no valuable assets besides the personal data of their
customers.40 As a response to this development, data protection legislation has been
adopted all around the world in the last three decades, the European Human Rights
framework being the most comprehensive one.41 In the following section, I will start by
presenting the history of the data protection law within the EU. Thereafter, I will
describe the protection that privacy and personal data enjoys within the EU. Lastly,
definitions related to the Data Protection Directive and the GDPR will be explained.
2.2. A History of Data Protection – From the ECHR to the GDPR
The development of a shared framework for data protection within Europe commenced
with the European Convention on Human Rights (ECHR). The ECHR was adopted by
the Council of Europe in 1950 and entered into force 1953. Today, the Council of
Europe has 47 Member States, including all Member States of the EU. The ECHR
includes a right to respect for privacy and family life in Article 8. The need for specific
protection of personal data, alongside with the right to privacy, was addressed by the
Council of Europe in the 1970s. This resulted in the adoption of the Convention for the
Protection of Individuals with regard to Automatic Processing of personal data, which
entered into force 1981.42 The Convention includes basic principles for the processing
of personal data, such as rights for data subjects and requirements for data controllers.
38 Witzleb et al, Emerging Challenges in Privacy Law, p 2. 39 Meier, “How Has the Law Attempted to Tackle the Borderless Nature of the Internet?”, p 156. 40 Meier above p 156. 41 Witzleb et al above p 4. 42 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ETS No 108.
13
In the Convention, data protection is defined as the protection of fundamental rights and
freedoms of natural persons, in particular their right to privacy, with respect to the
processing of personal data.43
The EU legislature considered that the progress of information technology, and the
national variations of data protection in the different Member States, required a more
comprehensive and harmonized protection of personal data within the EU.44 Thus, the
Data Protection Directive was adopted in 1995. The Data Protection Directive was
based on the principles of the Convention but developed and specified the protection in
many ways.45
In 2000, the EU adopted the Charter on the Fundamental Rights and Freedoms (the
Charter). The Charter was based on the ECHR, but provided for a specific right to data
protection in Article 8 parallel to the right to respect for privacy in Article 7. The Lisbon
Treaty was adopted in 2009. The Treaty introduced a legal basis for legislation on data
protection in Article 16 TFEU with the independent aim of the protection of personal
data. This gave the right to the protection of personal data a particular – and horizontal –
position in the primary law of the EU.46 On the legal basis of Article 16 TFEU, the EU
legislature adopted the GDPR on 27 April 2016. The GDPR was applicable from 25
May 2018. In the preamble to the GDPR it is particularly specified that: “rapid
technologies developments and globalisation have brought new challenges for the
protection of personal data”47 and that the developments “require a strong and more
coherent data protection framework within the Union”.48 The GDPR has the same
objectives as the Data Protection Directive but makes the data protection law of the EU
directly applicable in the Member States without national variations, except when
expressly allowing for such variations.49
43 Witzleb et al above n 38 p 62, 63. 44 See Recitals 7-10 of the Data Protection Directive. 45 Witzleb et al above n 38 p 64. 46 Witzleb et al above n 38 p 65, 66. 47 Recital 6 of the GDPR. 48 Recital 7 of the GDPR. 49 See for example Article 8 of the GDPR, according to which the Member States may decide at what age a proper consent to the processing of personal data can be given.
14
2.3. The Right to Privacy and the Protection of Personal Data
The right to respect for privacy and family life is guaranteed by Article 8 of the ECHR
and states, “everyone has the right to respect for his private and family life, his home
and his correspondence”. The right to respect for privacy is also declared in the Charter
with an identical wording. Article 8 of the Charter further provides for the specific
protection of personal data, “[e]veryone has the right to the protection of personal data
concerning him or her”. It is clear that the right to privacy and the protection of personal
data are treated as two distinguished rights within the meaning of the Charter. This
distinction is further emphasized by Recital 4 of the GDPR:
“This Regulation respects all fundamental rights and observes the freedoms and
principles recognised in the Charter as enshrined in the Treaties, in particular the
respect for private and family life, home and communications, the protection of
personal data […]”50
But what are the real differences between the protection of personal data and the right to
respect for privacy? In its case law, the The European Court of Human Rights (ECHtR)
has interpreted the respect of private life as including a right to the protection of
personal data.51 The right to respect for private life also include a range of other rights,
including the right to personhood and the right to be left alone and the right to personal
integrity.52 The right to protection of personal data can thus be seen as a category under
the much broader “right to privacy”.
Nevertheless, in Bavarian Lager53 the CJEU pointed out that:
“[T]he fact that the concept of ‘private life’ is a broad one, in accordance with the
case-law of the European Court of Human Rights, and that the right to the protection of
personal data may constitute one of the aspects of the right to respect for private life
50 Recital 4 of the GDPR. My emphasis added. 51 Kokott and Sobotta, “The distinction between privacy and data protection in the jurisprudence of the CJEU and the ECtHR” p 222; see further Cameron, An Introduction to the European Convention on Human Rights p 116. 52 See Tzanou, “Data protection as a fundamental right next to privacy? ‘Reconstructing’ a not so new right” p 90. 53 Case T-194/04 Bavarian Lager v. Commission.
15
does not mean that all personal data necessarily fall within the concept of ‘private
life’.”54
In other words, it may be argued that the right to the protection has a different, to some
extent wider, scope than the right to privacy. In this context, it can be noted that the
right to protection of personal data includes additional safeguards in relation to the right
to privacy, such as data security, data quality and the principle of non-discrimination.55
It may thus be concluded that the right to data protection can be seen as a
distinguishable right to the right to respect for privacy. Yet, it must be emphasized that
these rights are closely related. The Data Protection Directive expressly refers to the
protection of privacy as one of its main aims, whereas the GDPR makes a more general
reference that the Regulation respects the right to privacy in recital 4. Furthermore, the
data protection law of the EU must comply with the right to privacy in ECHR as it
constitutes a general principle of EU law. In its case law, the CJEU has further
repeatedly conflated the two rights without clearly distinguishing between the two.56
2.4. The Scope of the Rights
Article 1 of the ECHR declares that parties to the Convention “shall secure to everyone
within their jurisdiction the rights and freedoms defined in section 1 of this
Convention”. The parties to the Convention are States. Furthermore, Article 51 of the
Charter states that the provisions of the Charter are addressed to the institutions and
bodies of the Union and to the Member States when they are implementing EU law.
Thus, at a first glance, the Charter and the ECHR are only applicable in the relationship
between States and individuals – not in the relationship between two private parties. For
example, a private party cannot lodge an application to ECtHR and complain that
another private party have breached its right under the Convention.57
54 Bavarian Lager v. Commission above n 53 para 118. 55 Tzanou above n 52 p 88–99. 56 See Lynskey, “Deconstructing Data Protection: The ‘Added-Value’ of a Right to Data Protection in the EU Legal Order” p 574, 575; see further Google Spain above n 2, which is a clear example of when the CJEU does not distinguish between the right to privacy and the protection of personal data. 57 See Article 34 of the ECHR.
16
Arguably, the non-horizontal application of these fundamental rights instruments should
not be exaggerated. In relation to the right to respect for privacy, the ECHR can be held
to include a positive obligation for States to act to ensure individuals’ rights and
freedoms even in the relation between two private parties.58 Individuals can further turn
to the ECHtR and complain when States fail to sufficiently protect their rights against
infringements by other individuals.59
Both the Charter and the ECHR, whose provisions are regarded as general principles of
EU law, are included in the primary law of the EU. Secondary legislation needs comply
with primary law. Case law of the CJEU further show the Court’s willingness to
interpret EU legislation in light of the fundamental rights laid down in the Charter and
the ECHR.60 The Data Protection Law of the EU – the Data Protection Directive and the
GDPR – are both based on the principles of protection of privacy and personal data.
They include provisions applicable in the relationship between private parties, such as
the “right to be forgotten”. In other words, in data protection litigation between two
private parties, it appears evident that the CJEU will consider the fundamental rights to
privacy and protection of personal data as guaranteed by the ECHR and the Charter.
2.5. Not Absolute Rights
The right to privacy and data protection are not absolute rights. According to the ECHR,
the right to respect for privacy and family life in Article 8 can be restricted if it is in
accordance with the law and necessary in a democratic society and, inter alia, for the
protection of the rights and freedoms of others. Limitations to the rights and freedoms
recognized by the Charter must be provided for by law and respect the essence of those
rights and freedoms, subject to the principle of proportionality and limitations may only
be made if they are necessary and genuinely meet objectives of general interest
recognised by the Union or the need to protect the rights and freedoms of others.61
Both the Data Protection Directive and the GDPR also specify situations when the
rights laid down in the respective legislative acts may be subject to restrictions. Article 58 Cameron, above n 51 p 116. 59 Cameron, above n 51 p 50, 51. 60 See Hijmans, The European Union as Guardians of Internet Privacy: The Story of Art 16 TFEU, p 38. 61 Article 52.1 of the Charter.
17
13 (g) of the Data Protection Directive states that Member States may adopt legislative
measures to restrict the scope of the obligations and rights provided for in the Data
Protection Directive when such restrictions constitute necessary measures to safeguard
the protection of the data subject or of the rights and freedoms of others. The GDPR
includes a similar provision to that of the Data Protection Directive in Article 23 (i). It
provides that EU or Member State law may by legislative measure restrict the scope of
obligations and rights provided for in the GDPR, when the restrictions respects the
essence of fundamental rights and freedoms and is necessary and proportionate measure
in a democratic society to safeguard the protection of the data subject or the rights and
freedoms of others.
2.6. Data Subjects and Personal Data
One of the aims of the Data Protection Directive and the GDPR is to protect natural
persons with regard to the processing of personal data.62 Legal persons are excluded
from the scope of both the Data Protection Directive and the GDPR.63
The protection provided by the Directive and the Regulation grants rights to data
subjects. The meaning of data subject is found in the definition of personal data in
Article 4 (1) of the GDPR. Data subject is “an identified or identifiable natural person
who can be identified, directly or indirectly, in particular by reference to an identifier
such as a name, an identification number, location data, an online identifier or to one or
more factors specific to the physical, physiological, genetic, mental, economic, cultural
or social identity of that natural person”. The Data Protection Directive contains an
identical definition in Article 2 (a).
Pursuant to Article 4 (1) of the GDPR and Article 2 (a) of the Data Protection Directive,
personal data is further defined as “any information relating to an identified or
identifiable natural person”. It is clear from the wording that the definition is broad. The
list of potential “identifiers”, with which the data subject can be identified, serves as
guidance for what may constitute personal data but the wording “in particular”, suggest
that the list is not exhaustive. The Working Party has noted that the concept of personal
62 See Article 1 of the Data Protection Directive and Article 1 of the GDPR. 63 See Recital 24 of the Data Protection Directive and Rectial 14 of the GDPR.
18
data includes any sort of information about a person, both objective “such as the
presence of a certain substance in one’s blood” and subjective information such as
“opinions or assessments”.64
Recital 2 of the GDPR makes clear that Regulation applies to the processing of personal
data of natural persons “whatever their nationality or residence”.65 The Data Protection
Directive includes a similar Recital.66 Consequently, if a natural person is considered as
a data subject, he or she does neither have to be a resident nor a citizen of any of the EU
Member States in order to be covered by the Data Protection Directive or the GDPR.67
In relation to data subjects’ right to be forgotten, the Working Party has stated that
everyone has a right to be forgotten under EU law but that data protection authorities in
practice “will focus on claims where there is a clear link between the data subject and
the EU, for instance where the data subject is a citizen or resident of a EU Member
State”.68
2.7. Controllers, Processors and Processing
Under the GDPR, a controller is defined as the natural or legal person, public authority,
agency or other body which, alone or jointly with others, determines the purposes and
means of the processing of personal data.69 A processor is defined as a natural or legal
person, public authority, agency or other body, which processes personal data on behalf
of the controller. The difference between a controller and a processor is that the
controller is the one determining why and how the data is being processed, while a
processor only processes data on behalf of the controller without any additional
purposes.70 The Data Protection Directive generally only imposes direct obligations on
64 Article 29 Working Party, “Opinion 4/2007 on the concept of personal data” p 6. 65 Recital 2 of the Data Protection Directive states: “whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress, trade expansion and the well-being of individuals”. 66 See ITGP Privacy Team, EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide, p 22. 67 ITGP Privacy Team, above p 22. 68 Article 29 Working Party, above n 9 p 3. 69 Article 4 (7) of the GDPR and Article 2 (d) of the Data Protection Directive. 70 See Article 29 Working Party, “Opinion 1/2010 on the concepts of “controller” and “processor””, p 7, 8 and 25, 26.
19
behalf of the controller whereas the GDPR imposes direct obligations on both
controllers and processors.71
Processing is defined in Article 4 (2) of the GDPR as “any operation or set of
operations which is performed on personal data or on sets of personal data, whether or
not by automated means, such as collection, recording, organisation, structuring,
storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination, restriction,
erasure or destruction”. Only corporations are covered by the obligations of the GDPR.
Processing that is carried out “in course of a purely personal or household activity” is
excluded from its scope.72
71 See Article 3 of the GDPR. See however Article 16 and 17 of the Data Protection Directive, which contains certain obligations directly imposed on a processor of personal data. 72 See Article 2 (c) and Article 3 (2) of the Data Protection Directive.
20
3. Data Protection, Jurisdiction and Choice of Law
3.1. Introduction
The issue of which country’s court that has jurisdiction and which country’s law that the
court should apply is particularly interesting in the Internet context, and not least in data
protection matters. While the Internet has increased the need for the protection of
personal data, the borderless nature of the Internet has without doubt caused regulatory
challenges. As Meier puts it, the Internet has the ability to “swiftly and effortlessly
transcend national boarders and sovereign territories”.73 The Internet thus challenges the
predominant territorial approach to jurisdiction and choice of law.74
A data subject’s right to be forgotten by a search engine operator is a dispute between
two private parties. Litigation between two private parties involving a foreign element
falls within the area of private international law. Private international law rules
historically form a part of national law and countries are generally free to formulate
their private international law rules as they please. 75 In the last decades, the
harmonization and unification of private international law of the Member States of the
EU has increased immensely and it may be argued that private international law issues
relating to data protection litigation has received a unique treatment by the adoption of
the Data Protection Directive and the GDPR. Public international law is an international
body of law regulating the relationship between States. This give rise to an interesting
question: what happens when countries formulate their private international law rules in
such a way that it conflicts with the interests of another State?
The purpose of the following sections is to describe the relationships between data
protection law, private international law and public international law. Understanding
these relationships is vital in order understand the legal issues at stake in the preliminary
ruling of Google Spain and the case of Google v CNIL. This thesis is concerned with the
extraterritorial reach of EU data protection law. The focus in the following sections will
thus be to explain how jurisdiction and choice of law in data protection litigation is
determined in relation to defendants based outside the EU. 73 Meier, above n 39, p 142. 74 Svantesson above n 11 p 8, 9. 75 See Eek, Lagkonflikter i tvistemål: metod och material i svensk internationell privaträtt, p 5, 6.
21
3.2. Data Protection – Public or Private Law?
A national court faced with a dispute with an international element must first ask itself
whether it has jurisdiction to determine the case. If yes, the second question would then
be of choice of law. The question of choice of law is primarily relevant in relation to
private law. Generally, courts do not apply public laws of foreign countries.76 In order
to determine applicable law pursuant to traditional private international law method, a
court must first qualify to which area of law the legal issue belongs, for example,
contracts or torts. After this qualification, the court must consult the relevant private
international law rules providing one or several connecting factors between the dispute
and the country, which law is to be applied77, such as the place where the damage
occurred for torts or the place of performance for contracts.78
The qualification of data protection law into any traditional areas of the law is not an
easy task – it “straddles the boundaries between public and private law, criminal law
and civil law”.79 Data protection law comes from several legal sources; human rights
law, consumer protection law and internal market law.80 As Bing points out, data
protection law will thus typically contain provisions of both public and private nature.81
The Data Protection Directive and the GDPR apply both in the private law and the
public law sector, without any distinction between the two. A systematic distinction was
considered and rejected by the EU legislature before adopting the Data Protection
Directive.82 As already noted, this thesis is concerned with the relationship between two
private parties, a natural person who wants “to be forgotten” and a private company’s
potential obligation to do so. Such a relationship falls under the category of private
international law.
76 See Bing,“Data Protection, Jurisdiction and the Choice of Law” p 2; see further Bogdan, Svensk internationell privat-och processrätt, p 74-75. 77 See Bogdan, above p 33. 78 See Article 7.1 (a) and Article 7.2 of the Brussels I bis Regulation. 79 Kuner, “Data Protection Law and International Jurisdiction on the Internet (Part 1)”, p 182. 80 Kuner, above p 182. 81 Bing,“Data Protection, Jurisdiction and the Choice of Law”, p 2, 3. 82 Witzleb et al, above n 37 p 67.
22
3.3. Traditional Private International Law Instruments
In order to determine jurisdiction in cross-boarder disputes in civil and commercial
matters, the EU adopted the Brussels 1 bis Regulation83 in 2012. The Regulation was
preceded by the Brussels Convention84 from 1968 and the Brussels I Regulation85 from
2001. The Brussels 1 bis Regulation is applicable in “civil and commercial matters”,
which raises the question of whether the Brussels 1 bis Regulation includes data
protection litigation. As concluded above: data protection can be considered as both
public and private law. However, litigation between individuals generally falls within
the scope of the Regulation, if not expressly excluded from its scope.86 Claims based on
data protection law between two private parties have thus historically fallen within the
scope of the Brussels I bis Regulation and its predecessors.87
The Brussels I bis Regulation is with a few specified exceptions, such as litigation
concerning immovable property and consumer contracts, only applicable when the
defendant is domiciled in a Member State.88 A legal person is domiciled in the EU if it
has it statutory seat, central administration or principle place of business in the union,
according to Article 63 of the Regulation. When litigation concerns a foreign defendant,
Member States consequently apply their national private international law rules of
domestic origin for issues of jurisdiction.89 However, it should be noted that a foreign
defendant could be subject to the jurisdiction of a court of a Member State due to a
choice of court agreement pursuant to Article 25 or by appearing in front of a Member
State’s court pursuant to Article 26 of the Brussels I bis Regulation.
When qualifying a violation of data protection law, it could be considered as both a
contractual obligation if there is a contract between the parties or as tort if no contract
exists. The two relevant legal frameworks concerning choice of law within the EU are
83 Regulation No 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters. 841968 Brussels Convention on jurisdiction and the enforcement of judgments in civil and commercial matters. 85 Regulation No 44/2001 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters. 86 Magnus and Manokowski, ECPIL: European commentaries on Private International Law, p 64. 87 See Brkan, “Data protection and European private international law: observing a bull in a China shop”, p 257-278. 88 See Articles 4-6 and Articles 18 (1), 21(2) and 24 of the Brussels I bis Regulation. 89 See Article 6 of the Brussels I bis Regulation.
23
the Rome I Regulation on the law applicable to contractual obligations90 and the Rome
II Regulation on the law applicable to non-contractual obligations.91 The Regulations
are, correspondingly the Brussels 1 bis Regulation, applicable in civil and commercial
matters.92
In relation to a data subject’s right to be forgotten by a search engine operator, no
contract between the parties exist. Consequently, a violation of a data subject’s right to
be forgotten could be considered as tort and could then fall under the Rome II
Regulation. However, Article 1 (g) of the Rome II Regulation explicitly excludes non-
contractual obligations arising out of violations of privacy and rights relating to
personality, including defamation, from the scope. Violations of data protection rights
are not expressly mentioned in Article 1 (g). And as been discussed in above, it is not
clear whether the right to privacy and data protection may be regarded as the same right.
Nonetheless, it has been claimed that the provision also extends to civil claims
concerning data protection.93 Assuming that data protection rights are included in the
exclusion of Article 1 (g), one may hence conclude that there is no traditional EU
private international instrument regulating choice of law relating to data protection
matters in tort.
3.4. Jurisdiction and Choice of Law in Data Protection Litigation
In relation to data protection, private international law issues have received a special
treatment. The Data Protection Directive was adopted by the EU legislature in 1995.
The principal aim with the Directive was not to function as a private international law
instrument; it nevertheless contained a specific private international law provision. 94 In
relation to choice of law, Article 4.1 has the heading “national law applicable” and
provides for several connecting factors when a Member State’s national data protection
law, adopted pursuant to the Data Protection Directive, is to be applied.
90 Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations. 91 Regulation no 864/2007 on the law applicable to non-contractual obligations. 92 See Article 1 of the Rome I Regulation and Article 1 of the Rome II Regulation. 93 See Dickinson, The Rome II Regulation: the Law Applicable to Non Contractual Obligations, p 240; see further Brkan, ”Data Protection and Conflict-of-laws: A Challenging Relationship”, p 331. 94 See Revolidis, “Judicial Jurisdiction over Internet Privacy Violations and the GDPR: a Case of Privacy Tourism?”, p 8-10.
24
At a first glance, the Data Protection Directive is silent regarding jurisdiction in relation
to foreign defendants. Article 28.6 only divides the competence between the different
supervisory authorities of the Member States. It has been argued that the distinction
between choice of law and jurisdiction is vague in the area of data protection law.95 This
is arguably true as regards to the Data Protection Directive. In relation to foreign
defendants, Article 4.1 could be said to work as both a jurisdiction and choice of law
provision. The practical consequence of the stated is that when the national law of a
Member State is applicable, the supervisory authority or the court of that Member State
also has jurisdictional competence in relation to the foreign defendant.96
For natural reasons, the GDPR does not contain any choice of law provision; GDPR
unifies the laws of the Member States and is directly applicable. 97 Thus, no conflict of
law issues would generally arise amongst the Member States themselves.98 However,
Article 3 has the heading “territorial scope” and determines how wide the geographical
scope of the GDPR is by providing different connecting factors when the GDPR
applies. Article 79 further divides jurisdiction between the national supervisory
authorities and national courts in a much clearer way than the Data Protection Directive.
It can be concluded that it is somewhat complex to sort data protection law into the
traditional categories of jurisdiction and choice of law in private international law.
Firstly, it must be noted that the distinction between jurisdiction and choice of law
appears blurry under the Data Protection Directive. Moreover, the basic idea underlying
most choice of law rules is that the private law relationship should preferably be
governed by the legal system with which the relationship has the closest and most
relevant connection.99 However, Article 4.1 of the Data Protection Directive and Article
3 of GDPR determines when the two legal frameworks are applicable and does not
leave any room for the potential application of foreign law. For example, the court of a
Member State would never apply foreign data protection law in a dispute when the Data
Protection Directive and the GDPR is applicable, even if the dispute has a closer
connection to a third country. 95 Kuner, above n 79 p 180. 96 See Kuner above n 79 p 180, 181. 97 See Brkan, above n 93 p 336. 98 See however Brkan above n 93 p 336, 337, who argues that conflict of law issues, may arise in relation to the provisions where the GDPR leaves from for national variations. 99 See Bogdan, Concise Introduction to EU Private International Law, p 3.
25
The explanation for the special treatment of data protection litigation arguably lies in
the protective elements of data protection law.100 One of the main objectives of data
protection law is to ensure the fundamental protection of personal data. Although
traditional private international law instruments need to comply with the fundamental
rights and freedoms of the Charter and the ECHR, the primary role of private
international law is, in contrast to data protection law, not to be a guardian of privacy
and data protection. 101 EU private international law is based upon additional
considerations such as predictability, the sound administration of justice and party
autonomy.102 In relation to data protection litigation, one may thus argue that the normal
interests considered in private international law have had to give way for the need to
effectively ensure the right to protection of personal data.103
3.5. Jurisdiction under Public International Law
In contrast to private international law, public international law is primarily concerned
with the relationship between States. Under public international law, jurisdiction may be
regarded as the power of a sovereign state to regulate or otherwise impact upon people,
property or circumstances.104 It reflects the principles of sovereignty, equality of states
and non-interference in domestic affairs.105 Territoriality has long been regarded as the
most basic principle of jurisdiction under public international law. 106 According to the
principle of territoriality, a country may assert jurisdiction over acts, persons and
property within its boarders. 107 Jurisdiction may become a concern of public
international law when States regulate interests that are not exclusively domestic.108 The
phenomenon is commonly referred to as “extraterritorial jurisdiction” or sometimes
100 See Kuner, above n 79 p 180, 181. 101See Kuner above n 79 p 180, 181; see further Revolidis, above n 94 p 10. 102 See for example Recitals 15 and 16 of the Brussels 1 bis Regulation, and Article 3 of the Rome I Regulation. 103 See for example Brkan, above n 91, p 333, 334, who argues that the prevailing opinion is that Data Protection law are considered as overriding mandatory rules, which would make courts disregard a choice of court agreement according to the Rome II Regulation. 104 Shaw, International Law, p 469. 105 Shaw above p 469. 106 Ryngaert, Jurisdiction in International Law, p 42. 107 See Malanczuk, Akehurst’s Modern Introduction to International Law, p 109, 110. 108 Ryngaert above n 106 p 5.
26
“exorbitant jurisdiction”.109 Put differently, if a country asserts jurisdiction outside its
territory, it may interfere with the sovereignty of another State, in particular when the
asserted jurisdiction contradicts the interests of that other State.110
The Internet has a borderless nature. Thus, when one country applies its own laws to
remove content on the Internet – it affects what the rest of the world can access online.
This may potentially contradict the interests of other States. Does this mean that it
would be a violation of the principle of sovereignty, i.e. public international law, for
States to do so? While acknowledging that this question is extremely complex, some
observations of will be made concerning public international law principles and the
relationship between private and public international law.
Sovereignty is a public international law principle and may be defined as a principle
according to which, “a State may not perform any governmental act in the territory of
another State without the latter’s consent”.111 The question of whether sovereignty
constitutes a binding legal norm, which prevents States from acting within the territory
of others, has been debated. While some argue that the answers is yes, others argue that
sovereignty is rather a principle of international law which guide State interactions, but
is in itself not a binding norm, provided that the effects do not result in an unlawful use
of force or an unlawful intervention.112
Closely linked to the respect for the sovereignty of other States is the principle of
comity. Comity is a concept used in both public and private international law. The
meaning of comity is not easily pinned down. It has been described as a “wonderful
word to use when one wants to blur the distinction between public and private
international law, or to avoid clarity of thought”.113 The word comity comes from Latin
and can be translated into “courtesy” or “friendliness”.114
Under public international law, comity can be held to represent acts performed by States
towards other States for reasons other than the belief that there is a binding legal norm
109 Rygaert above n 106 p 6, 7; see further Zatucki, “Extraterritorial Jurisdiction in International Law” p 404, 405. 110 See Zatucki above n 109 p 405. 111 Malanczuk, above n 107 p 109. 112 See Corn and Taylor, “Sovereignty in the Age of Cyber”, p 208, 209. 113 Malanczuk, above n 107 p 73. 114 See Schultz and Ridi, “Comity and International Courts and Tribunals”, p 7.
27
obliging them to do so.115 The doctrine of comity was once seen as the basis for private
international law.116 Although this is no longer the case, comity has, for example,
played an important role in shaping private international law in common law
countries.117 At common law, comity can be used as a justification to place trust in
foreign courts, show restrain when exercising jurisdiction over foreign defendants or
when applying domestic laws extraterritorially.118 Although the principle of comity
arguably does not have an as clear mandate within EU law, the European Commission
has previously stated that any domestic law that creates cross-boarder obligations
should be applied and interpreted in a manner that is mindful to considerations of
international comity.119
The question of whether public international law poses any limits to private
international law has been somewhat disputed. One view is that exorbitant jurisdictional
claims in civil cases could lead to international responsibility.120 Yet the prevailing
opinion of today appears to be that public international law does not pose any limits to
how countries formulate their private international law rules, unless there is an
international treaty stipulating the contrary.121 Regarding jurisdiction and choice of law
in data protection matters, there is no such international instrument of global reach.122 In
relation to enforcement actions in civil proceedings however, the conclusion is
generally another.123 For example, it would constitute a breach of public international
law if the governmental authorities in State A seized a defendant’s assets located in
State B without the latter State’s consent.124
115 Schultz and Ridi above n 114 p 8-10. 116 See Bogdan, Svensk internationell privat-och processrätt, p 22-25; see further Mapesbury and Harris, Dicey, Morris and Collins on the Conflict of Laws, p 5. 117 Mapesbury and Harris above p 5-9. 118 Mapesbury and Harris above p 5-9; see also Schultz and Ridi above n 114 p 10-12. 119 United States of America v Microsoft, Brief of the European Commission on Behalf of the European Union as Amicus Curiae in Support of Neither Party. 120 Crawford, Brownlie’s Principles of Public International Law, p 471. 121 Bogdan, Private International Law As Component of the Law of the Forum, p 41; see further Malanczuk above n 107 p 73, 74, for a similar conclusion. However, see Svantesson above n 11 p 120, who argues that it is of fundamental importance that private international law does not go beyond what is allowed according to public international law. 122 Kuner above n 79 p 186. 123 See Crawford above p 471. 124 See Shaw above n 104 p 469, 470.
28
4. Google Spain and The Right to Be Forgotten
4.1. Introduction
”The near-ubiquitous, pervasive access to online personal data is a new phenomenon,
which poses significant risks to individual privacy and personal autonomy. Given the
ease with which digital data can be copied and distributed, the most that can be done is
to reduce the accessibility of the data. Potentially the most effective way of doing this is
to inhibit access to personal data by means of search engines.”125
The main tool to access information on the Internet is via search engines.126 Examples
of such search engines are Google Search, Bing and Yahoo!. Google Search is the
major actor. In a briefing of the European Parliament from 2015, it was concluded that
Google holds around 90% of the market share for Internet search services in most
European Economic Area countries.127 Search engines are crucial for the information
society. Without the access to search engines, universal accessibility of online content
would not be possible.128
Historically, the liability of search engines for content placed online by third parties has
been limited in order to enable their legitimate services.129 However, in 2014, the CJEU
delivered the ground-breaking preliminary ruling of Google Spain. The Court held that
search engine operators were responsible under the Data Protection Directive for
processing personal data on third party web pages. The case is most famous for
establishing a right to be forgotten by search engines under the Data Protection
Directive. In the case, the CJEU further clarified the territorial scope of the Data
Protection Directive.
The judgment in Google Spain can be regarded as highly relevant for search engine
operators other than Google Search. It should however be noted that the CJEU takes the
functioning of Google Search and the business structure of the Google Group as a basis
125 Lindsay, ”The ‘right to be forgotten’ by search engines under data privacy law: a legal and policy analysis of the Costeja decision”, p 201. 126 Lindsay, above p 202. 127 European Parliament, above n 15 p 1. 128 Opinion of Advocate General Jääskinen, Google Spain, para 36. 129 Opinion of Advocate General Jääskinen, Google Spain, para 36, 37.
29
for its reasoning. In order to properly understand the judgment, it is necessary to first
clarify how Google’s search engine, Google Search, works and to describe the business
structure of the Google Group.
4.2. The Google Group and Google Search
Google LCC is the parent company of the Google Group. Google LCC changed its
name from Google Inc on the 30th of September 2017. Google is a U.S. company
registered in Delaware with its primary place of business in California.130 Google is the
parent company of multiple subsidiaries in Europe, amongst others, Google Spain.131
Google operates the search engine Google Search, whereas the European subsidiaries
are primarily responsible for the promoting and selling of advertising space offered by
the Google Search.132
Google Search is offered worldwide. It operates from its general domain “google.com”
and from country specific domains such as “google.e