Department of Law
Spring Term 2018
Master’s Thesis in EU Law and Private International Law
30 ECTS

The Right to be Forgotten - The Extraterritorial Reach of EU Data Protection Law with Special Regard to the Case of Google v CNIL

Rätten att bli bortglömd - Den extraterritoriella räckvidden av EUs dataskyddslagstiftning med särskilt beaktande av målet Google mot CNIL

Author: Frida Almlöf
Supervisor: Professor Maarit Jänterä-Jareborg


  • Foreword

    Four and a half years of law school is almost completed and this thesis will be the end

    of what has been an incredible but tough journey. Without doubt, private international

    issues in data protection law have been the trickiest but also amongst the most

    interesting encounters during my time at law school. I would like to thank my conflict

    of laws teacher at the University of Auckland, who introduced me to the complexity of

    private international law issues arising in the Internet context, and for mentioning the

    case of Google v CNIL in one of our classes, which gave me the idea for this thesis.

    Furthermore, I would like to thank my supervisor Professor Maarit Jänterä-Jareborg at

    Uppsala University for her great support and help throughout the process of writing this

    thesis. And lastly, to my friends and family, thank you for being there for me during

    these years and for constantly reminding me what is really important in life.

    Frida Almlöf, Uppsala 16 July 2018

  • Abbreviations

    Brussels I bis Regulation: Regulation No 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters

    The Charter: The Charter on Fundamental Rights and Freedoms

    CJEU: The Court of Justice of the European Union

    CNIL: La Commission nationale de l’informatique et des libertés (the French Data Protection Authority)

    The Data Protection Directive: Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data

    ECHR: The European Convention on Human Rights

    ECHtR: The European Court of Human Rights

    GDPR: Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data

    Rome I Regulation: Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations.

    Rome II Regulation: Regulation no 864/2007 on the law applicable to non-contractual obligations

    TEU: The Treaty of the European Union

    TFEU: The Treaty on the Functioning of the European Union

    U.S.: The United States of America

    The Working Party: Article 29 Working Party

  • Relevant Terminology

    Article 29 Working Party: The Article 29 Working Party was an independent European advisory body, which consisted of representatives from the data protection authorities of each Member State, the European Data Protection Supervisor and the EU Commission. After the GDPR entered into force on 25 May 2018, the Article 29 Working Party was replaced by the European Data Protection Board.

    De-listing: De-listing refers to the removal of links to web pages from a list of search results displayed when an Internet user makes a search on a search engine.

    Domain name: Websites generally have domain names that identify which country the website is associated with, such as “.se” for Sweden or “.dk” for Denmark.

    IP-address: IP-address stands for Internet Protocol address and is a way to determine an Internet user’s physical location through the location of the user’s device (computer, cell phone etc.). It contains a unique string of numbers, which can identify the location of the user to State, province, city, longitude and latitude.

    Third country: A third country is a country that is not a Member State of the European Union (EU).

    Search engine: A search engine enables Internet users to find existing information on the World Wide Web by searching on specific search terms. The search results are presented in a list of search results. The most used search engine in the world is Google Search operated by the U.S. company Google LLC.

    VPN: VPN stands for Virtual Private Network. A VPN makes it possible for a user to reroute their connection via an IP-address located somewhere else, making it appear as if the computer is located in another country.

    Web page: The World Wide Web consists of billions of web pages. Each web page has a unique address, a specific string of symbols also known as Uniform Resource Locator (URL), by which it can be found. A website usually consists of a collection of different web pages.

  • Table of Contents

    1. Introduction
        1.1. Background
        1.2. Objectives
        1.3. Demarcations
        1.4. Method and Sources
        1.5. Outline

    2. Data Protection in the EU
        2.1. Introduction
        2.2. A History of Data Protection – From the ECHR to the GDPR
        2.3. The Right to Privacy and the Protection of Personal Data
        2.4. The Scope of the Rights
        2.5. Not Absolute Rights
        2.6. Data Subjects and Personal Data
        2.7. Controllers, Processors and Processing

    3. Data Protection, Jurisdiction and Choice of Law
        3.1. Introduction
        3.2. Data Protection – Public or Private Law?
        3.3. Traditional Private International Law Instruments
        3.4. Jurisdiction and Choice of Law in Data Protection Litigation
        3.5. Jurisdiction under Public International Law

    4. Google Spain and The Right to Be Forgotten
        4.1. Introduction
        4.2. The Google Group and Google Search
        4.3. Background of the Google Spain Case
        4.4. The Liability of Search Engine Operators
        4.5. A Right to be Forgotten
            4.5.1. The Existence of a Right to be Forgotten
            4.5.2. The Balancing of the Interests Involved
        4.6. The Territorial Scope of the Directive
        4.7. The Implementation of the Google Spain Ruling

    5. Google v CNIL
        5.1. Introduction
        5.2. The Appealed Decision
        5.3. Reference to Preliminary Ruling
        5.4. The Data Protection Directive or the GDPR?
        5.5. The GDPR and The Right to be Forgotten
            5.5.1. The Territorial Scope
            5.5.2. A Strengthened Right to be Forgotten

    6. Google v CNIL in light of Google Spain
        6.1. Introduction
        6.2. Advertisement Linked to the Territory of a Member State
        6.3. One Single Processing of Personal Data
        6.4. A Comparison with a Recent Swedish Judgment
        6.5. The Effective and Complete Protection of Personal Data
        6.6. Conclusion

    7. The Effective Protection of Personal Data
        7.1. Introduction
        7.2. How Comprehensive is the Right to be Forgotten?
        7.3. The Notion of an Effective and Complete Protection
        7.4. Potential Approaches and Their Effectiveness
            7.4.1. Question 1 and 2 – is Global De-listing a Necessary Measure?
            7.4.2. Question 3 – the Use of Geo-blocking Techniques
        7.5. Does the Law Need to Be 100% Efficient?

    8. Freedom of Expression and Information on the Internet
        8.1. Introduction
        8.2. The Freedom of Expression and Information
        8.3. Impacts on the Freedom of Expression and Information
        8.4. Freedom of Expression and Information in Third Countries
        8.5. Considerations of Sovereignty and Comity

    9. Final Remarks

    Bibliography

    1. Introduction

    1.1. Background

    “Since the beginning of time, for us humans, forgetting has been the norm and

    remembering the exception. Because of digital technology and global networks,

    however, this balance has shifted. Today, with the help of widespread technology,

    forgetting has become the exception, and remembering the default.”[1]

    In the preliminary ruling of Google Spain[2] from 2014 the Court of Justice of the

    European Union (CJEU) established that there existed a right to be forgotten on the

    Internet to be respected by search engine operators under the Data Protection Directive[3].

    The right obliges search engine operators to, under certain circumstances, de-list links

    to third party web pages appearing in the search results. This may be required when the

    web page contains personal data relating to an individual and is made available

    following a search made on the basis of the individual’s name. When an individual

    makes a request to a search engine operator, de-listing is required by the search engine

    operator when the information in question is inadequate, irrelevant or excessive in

    relation to the purpose for which the data is being processed. This is after considering

    the data subject’s fundamental right to privacy against the search engine’s economic

    interest and the general public’s interest of accessing the information. The right to be

    forgotten is now clearly expressed in Article 17 of the General Data Protection

    Regulation[4] (GDPR), which was applicable from 25 May 2018.

    The CJEU’s ruling in Google Spain was without doubt a controversial one; it has led to

    an intense debate in legal doctrine and amongst organisations advocating for privacy,

    and, on the other side, freedom of expression and information online. The judgment has

    further led to great implementation difficulties. How should a search engine operator

    draw the balance between the right to privacy, its own economic interests and the

    general public’s interest in accessing the information? Moreover, how far does the right

    to be forgotten reach, from a geographical point of view?

    [1] Viktor Mayer-Schoenberger, Delete: The Virtue of Forgetting in the Digital Age, p 2.
    [2] Case C-131/12 Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González.
    [3] Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
    [4] Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

    The question of geographical width or “territorial reach” is relevant when search

    engines, as they generally do, operate from several different country specific versions.

    To give a concrete example: Google Search, operated by the American company

    Google LLC (Google), is the most used search engine in the world.[5] Google Search

    operates from several different country specific versions of the search engine and the

    content shown on these different versions varies. For example, the language used, the

    search results and the advertisement shown are adapted to the preferences of Internet

    users of each specific country.[6]

    Up until October 2017, the country specific version of the search engine, which an

    Internet user accessed, was determined by the domain name entered into the browser,

    such as “google.se” (Sweden), “google.fr” (France) and “google.co.nz” (New Zealand).

    After October 2017, Google has turned to an approach, which automatically determines

    the version of the search engine accessed by location. In practice and as will be shown

    later, this does not result in any major change as it is possible to access another

    country’s version of the search engine by changing the settings. For the sake of

    simplicity and in order to adopt the terminology of the preliminary ruling in Google v

    CNIL[7], I will in the following use the term “domain name” when referring to the

    different country specific versions of the search engine.

    After the ruling in Google Spain, Google has consequently removed search results from

    all the country specific domains within the EU, when the company has found a request

    on the right to be forgotten justified. Google has, in addition, blocked search results

    from showing on non-EU domains, if the searches are made within the EU through the

    user’s IP-address, so-called geo-blocking.[8] The Article 29 Working Party (the Working

    Party), an independent European advisory body set up in order to give guidelines on EU

    data protection matters, argues that the de-listing needs to be global. According to the

    Working Party, this is the only way to sufficiently protect the data subject’s right to be

    forgotten. The Working Party recognizes that an approach of limiting the de-listing to

    EU domains would allow circumvention of EU data protection law.[9]

    [5] Curwen, "Google: A regular column on the information industries", p 191-194.
    [6] See Google, AdSense help, “How ads work”.
    [7] Case C-507/17 Google Inc. v Commission nationale d’informatique et des libertés.
    [8] Google Transparency Report, “Search removals under European privacy law”.

    The ambiguity concerning the “territorial reach” of the right to be forgotten has led the

    French Court, le Conseil d’État, to request a preliminary ruling on the matter, the case

    of Google v CNIL. The request was filed in August of 2017. The French Court wants to

    know if the right to be forgotten requires the Court to order de-listing of search results

    on all of Google’s domains or if de-listing from the domains within the EU, potentially

    combined with geo-blocking techniques, is sufficient to ensure the effective protection

    of the right.

    The case and the forthcoming preliminary ruling in Google v CNIL raise several

    interesting legal issues as several fundamental interests collide. No one can blame the

    EU for wanting to ensure an effective protection of its residents’ fundamental rights to

    privacy and protection of personal data, as guaranteed by the European Convention on

    Human Rights (ECHR) and the Charter on Fundamental Rights and Freedoms (the

    Charter). Yet, if content is to be removed on all of the search engine’s domains

    worldwide, it would undoubtedly limit what the rest of the countries of the world can

    access on the Internet. But can the guaranteed right to be forgotten be sufficiently

    protected if its reach is not global? And what would the potential implications be on the

    freedom of expression and information online if the right to be forgotten is given

    extraterritorial reach?

    The questions of how to divide jurisdiction between different States and which country’s

    law applies to certain situations have long been subject to discussion in both private

    international law and public international law.[10] The borderless nature of the Internet

    makes these issues more complex than ever. Litigation is increasingly directed against

    global players, such as search engines and social media platforms, as they have the

    power to accomplish global removal of content placed online.[11] The forthcoming

    preliminary ruling in Google v CNIL displays some of the challenges for Internet

    regulation and some of the interests at stake.

    [9] Article 29 Working Party, “Guidelines on the implementation of the Court of Justice of the European Union judgment on “Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12”, p 3.
    [10] Mills, The Confluence of Public and Private International Law: Justice, Pluralism and Subsidiarity in the International Constitutional Ordering of Private Law, p 2.

    1.2. Objectives

    The main aim with this thesis is to identify and discuss relevant legal issues that the

    CJEU has to consider when delivering its forthcoming preliminary ruling in Google v

    CNIL. In essence, the question is whether the right to be forgotten is to be implemented

    on a global scale, only within the EU, or only within the Member State from which the

    request of a data subject is made. The parties to the proceedings are the French data

    protection authority La Commission nationale de l’informatique et des libertés (CNIL)

    and the United States (U.S.) company Google. However, the underlying dispute

    concerns two private parties, a data subject in the EU who wants “to be forgotten” and a

    search engine operator’s potential obligation to do so. The questions will hence

    primarily be evaluated from a private international law perspective.

    In order to reach this aim it is necessary to first properly investigate the data protection

    law of the EU and how private international law issues relating to data protection are

    determined. What are the underlying principles of data protection law? Who is covered

    by its protection and who is covered by its obligations? How are jurisdiction and choice

    of law determined in data protection matters? What considerations might be necessary

    in relation to other countries when applying private international law rules that have

    effect outside the EU?

    The preliminary ruling in Google Spain, where the CJEU established that data subjects

    had a right to be forgotten by search engine operators and the territorial scope of the

    Data Protection Directive, will be carefully examined as the ruling sets the legal

    background to the dispute in Google v CNIL. The referred questions from the French

    Court to the CJEU will be described as well as the argumentation of the parties in the

    national proceedings. I will further discuss the relevance of the new GDPR to the

    forthcoming preliminary ruling. Lastly, I will analyse potential answers that the CJEU

    might provide in the forthcoming ruling in light of the Google Spain judgment. In other

    words, does Google Spain give any guidance as to how the questions might be

    approached in Google v CNIL?

    [11] Svantesson, Private International Law and the Internet, p 20, 21.

    After establishing the relevant EU law and examining the relevant cases, I will discuss

    legal issues appropriate for the CJEU to consider when delivering its forthcoming

    ruling. Firstly, can the effective protection of EU residents’ right to privacy and data

    protection, as reflected in the right to be forgotten, be guaranteed if the de-listing of

    search results is not global? Or would the protection still be sufficient if the de-listing of

    content made by search engines were limited to the EU, potentially combined with geo-

    blocking? Secondly, how might the right to be forgotten affect the freedom of

    expression and information as guaranteed by the ECHR and the Charter? And what

    could the possible consequences be for third-country citizens’ right to freedom of

    expression and information if the data protection law of the EU were given such

    extraterritorial reach? Issues of sovereignty and comity will be touched upon in this

    context.

    Although the focus of the thesis is to evaluate the right to be forgotten in relation to the

    extraterritorial reach of EU’s data protection law, the thesis is relevant in a much

    broader context: how should countries go about regulating content on the

    borderless Internet? In their eagerness to protect their own citizens, countries may

    overlook other interests, which are necessary to consider. Google v CNIL is, in my

    view, an excellent case to display the different interests involved when dealing with

    Internet regulation. Thus, some of the conclusions in this thesis may be relevant for

    other countries outside the EU and other areas of law as well.

    1.3. Demarcations

    The main focus of this thesis is to analyse the case and the forthcoming preliminary

    ruling of Google v CNIL. This is largely made in light of the previous preliminary ruling

    of Google Spain. Due to the limited scope of the thesis, only EU law directly relevant

    for the two cases will be analysed. Both cases concern processing of personal data in

    relation to the Data Protection Directive, carried out before the GDPR entered into force

    on 25 May 2018. The thesis will thus focus on the Data Protection Directive, although

    relevant potential changes will naturally be discussed as all future right to be forgotten

    requests are to be evaluated under the GDPR. The GDPR has expanded the territorial

    scope of EU data protection law. The new territorial scope of the GDPR is both

    important and interesting to discuss. However, due to its complexity, it will only be

    evaluated to the extent that it is directly relevant for the assessment of Google v CNIL.

    EU data protection law has two principal aims – to protect natural persons with regard

    to the processing of personal data and to enable free movement of personal data within

    the union.[12] This study focuses solely on the protection of natural persons with regard to

    the processing of personal data. Further, it should be emphasised that this is a study in

    EU law and private international law. Public international law aspects of Google v CNIL

    are nonetheless relevant, as EU law might come in conflict with the interests of other

    States. Public international law will be touched upon, but it is not the aim of this thesis

    to provide a comprehensive analysis of Google v CNIL from a public international law

    perspective. For an analysis from the perspective of public international law, I refer to

    previous works.[13]

    In the case of Google Spain, the CJEU held that three potential interests might collide

    when search results were to be de-listed by search engine operators, namely, the data

    subject’s interest of privacy and data protection, the interest of individuals wishing to

    access the search results and the economic interest of the search engine. I have chosen

    to focus on the first two interests, i.e. the right to privacy and data protection and

    freedom of expression and information. The demarcation is based on the limited weight

    that the CJEU gave to the search engine’s economic interest in the case. More

    specifically, the Court held that an interference with the data subject’s fundamental right

    to privacy and data protection could “not be justified by merely the economic interest

    which the operator of such an engine has in the processing”.[14]

    Because of the limited scope of this thesis, I have further chosen to focus on search

    engine operators, and more specifically Google. This is done for several reasons. The

    two cases subject to analysis, Google Spain and Google v CNIL, concern the search

    engine operator Google. Google is the major search engine, with approximately 90% of

    the market share within the European Economic Area.[15] Moreover, search engine

    operators are global players that have the possibility to achieve global removal of online

    content; this is in contrast to most other controllers of personal data. Search engine

    operators play an especially important role in the information society. Hence,

    regulating their activities might have serious implications for the freedom of

    expression and information on the Internet. Further, because of the important role

    search engines play for the information society, to not be able to effectively regulate

    them may, conversely, be especially harmful for individuals’ protection of privacy

    and personal data.

    [12] See Article 1 of the GDPR and Article 1 of the Data Protection Directive.
    [13] See for example Van Alsenoy and Koekkoek “The Extraterritorial Reach of the Right to be Forgotten”, and, for a general analysis of the extraterritoriality in EU data protection law from a public international law perspective, see Ryngaert “Symposium issue on extraterritoriality and EU data protection”.
    [14] Google Spain above n 2 para 81.

    The EU legislation that will be in focus is the Data Protection Directive and the GDPR.

    National data protection laws will not be studied. Other private international law

    instruments, such as the Brussels I bis Regulation and the Rome II Regulation, will be

    mentioned but merely to display the particular role data protection law has received

    within EU private international law.

    1.4. Method and Sources

    The thesis is an analysis of the extraterritorial reach of data protection law of the EU

    with special regard to the case of Google v CNIL. The analysis is made from the

    perspective of EU law. I will hence adopt the EU legal method.

    The EU is an international organization with its roots in public international law. It

    does, however, enjoy a particular position as an international organisation because of its

    supranational character.[16] EU law may thus be regarded as an autonomous legal system.

    The legal method of the EU can be described as how to approach the legal sources of

    the union, namely, how EU legal sources are to be interpreted and applied.[17]

    [15] European Parliament, “Google antitrust proceedings: Digital Business and Competition”, Briefing on July 2015, p 1.
    [16] Riesenhuber, European Legal Methodology, p 154, 155.
    [17] Reichel, Juridisk metodlära, p 109.

    The primary law of the EU consists of the Treaty on European Union (TEU) and the

    Treaty on the Functioning of the European Union (TFEU) and the Charter of

    Fundamental Rights of the European Union (the Charter). The treaties and the Charter

    all enjoy equal legal value and have been ratified by each Member State.[18] The primary

    law is further normally considered to include the general principles of EU law. General

    principles are unwritten and developed by CJEU case law, although some of them have

    been codified in the Treaties.[19] The secondary law is based on the primary law. It

    consists of, amongst others, Regulations and Directives.[20] There is a hierarchical

    relationship between the primary law and the secondary law, meaning that adopted

    secondary law must comply with the treaties, the Charter and the general principles of

    EU law.[21]

    The secondary law that will primarily be examined is the Data Protection Directive and

    the GDPR, which replaced the Data Protection Directive as of 25 May 2018. The two

    legal acts are largely similar. In Recital 9 of the GDPR it is stated that the objectives

    and the principles of the Data Protection Directive remain sound. When the GDPR

    contains identical or similar provisions, the case law developed in relation to the Data

    Protection Directive may thus be relevant in relation to the interpretation of the GDPR

    as well.[22]

    Pursuant to Article 288 of the TFEU, a Directive is binding as to the result to be

    achieved, but leaves the Member States the choice of form and method. Consequently, a

    Directive leaves the Member States some degree of discretion. The Member States

    further need to transpose a Directive into their national law in order to give effect to it,

    although Directives may under certain circumstances have direct effect.23 A Regulation,

    on the other hand, is directly applicable in all Member States in its entirety. Thus, no

    national measures are required in order to give effect to a Regulation.24

    18 Riensenhuber above n 16 p 153.
    19 Cuyvers, General Principles of EU Law, p 218, 219.
    20 Barnard and Peers, European Union Law, p 99-103.
    21 Barnard and Peers above p 103, 104.
    22 See Jay, Guide to the General Data Protection Regulation: A Companion to Data Protection Law Practice, p 46.
    23 Barnard and Peers above p 100.
    24 Barnard and Peers above n 20 p 100.


    The relationship between the EU and the Member States is governed by several central

    principles. These include the EU law’s primacy over the laws of the Member States, the

    principle of direct effect and the principle of sincere cooperation. The principle of direct

    effect means that an EU provision becomes an immediate source of law for the national

    courts and the administrator, without further implementation measures required.25 The

    principle of sincere cooperation obliges the Member States to take all necessary

    measures to ensure that the obligations imposed on them by EU law are fulfilled. It also

    obliges Member States to refrain from every measure that might jeopardize the

    fulfilment of the objective of the union and includes an obligation to interpret national

    law in light of EU law.26

    The CJEU is the main judicial organ of the Union and has played an important role in

    the development of EU law. It consists of three judicial bodies: the Court of Justice, the

    General Court and the Civil Service Tribunal.27 I will use the general term “CJEU”

    throughout this thesis without any distinction between the Courts.

    The CJEU uses several legal methods when interpreting the legal acts of the Union: the

    wording of the provisions, the legal context in which the provision appears and the

    teleological interpretation method based on the objective of the provision. The latter

    interpretation method is especially associated with the CJEU.28 The doctrine of effet

    utile is used by the CJEU as part of the teleological interpretation and refers to the

    practical effect of EU law. It means that EU law is to be interpreted in such a way that it

    is not deprived of its effectiveness. Furthermore, the Court may rely on the effet utile to

    make sure that a regulatory purpose is achieved to the greatest extent possible.29

    Recitals are included in the preambles of both the Data Protection Directive and the

    GDPR. Recitals do not establish any right for individuals, as rights require a provision

    in the operative part of the act. Recitals may nevertheless be useful for the CJEU when

    analysing the legislator’s intention in relation to a legal act.30

    25 Barnard and Peers above n 20 p 143.
    26 Reichel above n 17 p 113.
    27 Barnard and Peers above n 20 p 256.
    28 Reichel above n 17 p 122.
    29 Riensenhuber above n 16 p 252, 253.
    30 Riensenhuber above n 16 p 248.


    Preliminary rulings are an important source of law in this thesis. Preliminary rulings are

    regulated in Article 267 TFEU. Pursuant to the Article, national courts of the Member

    States may refer questions to the CJEU for a preliminary ruling when guidance on how

    to interpret EU law is desired. Preliminary rulings can clarify the interpretation of both

    primary and secondary law. In a preliminary ruling, the CJEU does not decide an actual

    case based on its merits but gives a ruling on the validity or interpretation of EU law.

    Thus, preliminary rulings may be regarded as an interim stage in the national

    proceedings, which continue after the ruling by the CJEU. The national court referring

    the questions is bound by the answers provided by the CJEU; failure to comply

    constitutes a breach of EU law.31 The prevailing opinion is further that preliminary

    rulings also bind courts of other Member States. Preliminary rulings lay down how EU

    law must be interpreted, which makes the interpretation by the CJEU an integral part of

    the EU provision in question. The view that the courts of all Member States are bound

    by a preliminary ruling is further supported by the fact that the CJEU itself attaches a

    general validity to its own preliminary rulings.32

    This thesis is primarily concerned with the fundamental right to protection of personal

    data and freedom of expression and information, which are protected by the Charter and

    the ECHR. The Charter has status as primary law within the EU. Although the EU is not

    a member to the ECHR, the CJEU has declared that the articles of the ECHR are part of

    the general principles of EU law.33 It is further stated in the Charter that when the

    Charter contains rights corresponding to rights guaranteed by the ECHR, the meaning

    and the scope of those rights shall be the same.34

    Other legal sources that will be used in this thesis are legal doctrine and opinions by the

    Working Party. The Working Party was an independent European advisory body, which

    consisted of representatives from the data protection authorities of each Member State,

    the European Data Protection Supervisor and the EU Commission.35 After the GDPR

    became applicable on 25 May 2018, the European Data Protection Board replaced the

    31 Broberg and Fenger, Preliminary References to the European Court of Justice, p 441.
    32 Broberg and Fenger, above p 450, 451.
    33 Ferraro and Carmona, “Fundamental Rights in the European Union: the role of the Charter after the Lisbon Treaty”, p 5.
    34 See Article 52.3 of the Charter.
    35 Datainspektionen, “Sammarbete inom EU”.


    Working Party.36 Statements by the Working Party only have advisory status but

    because of the Working Party’s composition, they are generally greatly respected.37

    1.5. Outline

    The study will initially introduce the data protection law of the EU in Chapter 2. This

    includes an explanation of the principles underlying data protection law and certain vital

    definitions. I will refer to both the Data Protection Directive and the GDPR when

    explaining the terms, as the definitions are in principle the same in the two legal

    frameworks. The introduction is followed by an overview of jurisdiction and choice of

    law issues in data protection law, both from the view of private international law and, to

    some extent, public international law in Chapter 3. This is essential in order to grasp the

    issues relating to extraterritorial reach of data protection law.

    In Chapter 4, the CJEU’s judgment in Google Spain will be studied. In Chapter 5, the

    issues raised in the case of Google v CNIL are described. This includes an introduction

    to the procedural history as well as the questions referred to preliminary ruling by the

    French Court. Further, I will comment on the differences between the Data Protection

    Directive and the GDPR to the extent relevant to the case. In Chapter 6, I will analyse

    potential answers to the question referred to the CJEU in Google v CNIL in light of the

    judgment in Google Spain.

    In Chapter 7, the effective protection of individuals within the EU’s right to privacy and

    data protection will be analysed in relation to the possible answers that may be provided

    by the CJEU in Google v CNIL. In Chapter 8, the potential limitations that the right to

    be forgotten has on the freedom of expression and information on the Internet will be

    discussed, first from a more general perspective, and secondly, from a third country

    perspective. The third country perspective also involves issues of sovereignty and

    comity. Lastly, Chapter 9 will contain some final remarks.

    36 Article 29 Working Party, “The Article 29 Working Party Ceased to exist as of May 25 2018”.
    37 Carey, Data Protection: A Practical Guide to UK and EU Law, p 9.


    2. Data Protection in the EU

    2.1. Introduction

    Rapid technological developments pose new threats to the protection of privacy and

    personal data.38 Due to the global reach and exponential growth of the Internet, personal

    data “can be collected, transmitted and stored easier than ever before”, Meier explains.39

    And personal data is without doubt a valuable commodity; some of the world’s most

    profitable companies have no valuable assets besides the personal data of their

    customers.40 As a response to this development, data protection legislation has been

    adopted all around the world in the last three decades, the European Human Rights

    framework being the most comprehensive one.41 In the following section, I will start by

    presenting the history of the data protection law within the EU. Thereafter, I will

    describe the protection that privacy and personal data enjoys within the EU. Lastly,

    definitions related to the Data Protection Directive and the GDPR will be explained.

    2.2. A History of Data Protection – From the ECHR to the GDPR

    The development of a shared framework for data protection within Europe commenced

    with the European Convention on Human Rights (ECHR). The ECHR was adopted by

    the Council of Europe in 1950 and entered into force in 1953. Today, the Council of

    Europe has 47 Member States, including all Member States of the EU. The ECHR

    includes a right to respect for privacy and family life in Article 8. The need for specific

    protection of personal data, alongside the right to privacy, was addressed by the

    Council of Europe in the 1970s. This resulted in the adoption of the Convention for the

    Protection of Individuals with regard to Automatic Processing of Personal Data, which

    entered into force in 1981.42 The Convention includes basic principles for the processing

    of personal data, such as rights for data subjects and requirements for data controllers.

    38 Witzleb et al, Emerging Challenges in Privacy Law, p 2.
    39 Meier, “How Has the Law Attempted to Tackle the Borderless Nature of the Internet?”, p 156.
    40 Meier above p 156.
    41 Witzleb et al above p 4.
    42 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ETS No 108.


    In the Convention, data protection is defined as the protection of fundamental rights and

    freedoms of natural persons, in particular their right to privacy, with respect to the

    processing of personal data.43

    The EU legislature considered that the progress of information technology, and the

    national variations of data protection in the different Member States, required a more

    comprehensive and harmonized protection of personal data within the EU.44 Thus, the

    Data Protection Directive was adopted in 1995. The Data Protection Directive was

    based on the principles of the Convention but developed and specified the protection in

    many ways.45

    In 2000, the EU adopted the Charter on the Fundamental Rights and Freedoms (the

    Charter). The Charter was based on the ECHR, but provided for a specific right to data

    protection in Article 8 parallel to the right to respect for privacy in Article 7. The Lisbon

    Treaty was adopted in 2009. The Treaty introduced a legal basis for legislation on data

    protection in Article 16 TFEU with the independent aim of the protection of personal

    data. This gave the right to the protection of personal data a particular – and horizontal –

    position in the primary law of the EU.46 On the legal basis of Article 16 TFEU, the EU

    legislature adopted the GDPR on 27 April 2016. The GDPR was applicable from 25

    May 2018. In the preamble to the GDPR it is particularly specified that: “rapid

    technological developments and globalisation have brought new challenges for the

    protection of personal data”47 and that the developments “require a strong and more

    coherent data protection framework within the Union”.48 The GDPR has the same

    objectives as the Data Protection Directive but makes the data protection law of the EU

    directly applicable in the Member States without national variations, except when

    expressly allowing for such variations.49

    43 Witzleb et al above n 38 p 62, 63.
    44 See Recitals 7-10 of the Data Protection Directive.
    45 Witzleb et al above n 38 p 64.
    46 Witzleb et al above n 38 p 65, 66.
    47 Recital 6 of the GDPR.
    48 Recital 7 of the GDPR.
    49 See for example Article 8 of the GDPR, according to which the Member States may decide at what age a proper consent to the processing of personal data can be given.


    2.3. The Right to Privacy and the Protection of Personal Data

    The right to respect for privacy and family life is guaranteed by Article 8 of the ECHR

    and states, “everyone has the right to respect for his private and family life, his home

    and his correspondence”. The right to respect for privacy is also declared in the Charter

    with an identical wording. Article 8 of the Charter further provides for the specific

    protection of personal data, “[e]veryone has the right to the protection of personal data

    concerning him or her”. It is clear that the right to privacy and the protection of personal

    data are treated as two distinct rights within the meaning of the Charter. This

    distinction is further emphasized by Recital 4 of the GDPR:

    “This Regulation respects all fundamental rights and observes the freedoms and

    principles recognised in the Charter as enshrined in the Treaties, in particular the

    respect for private and family life, home and communications, the protection of

    personal data […]”50

    But what are the real differences between the protection of personal data and the right to

    respect for privacy? In its case law, the European Court of Human Rights (ECtHR)

    has interpreted the respect of private life as including a right to the protection of

    personal data.51 The right to respect for private life also includes a range of other rights,

    including the right to personhood and the right to be left alone and the right to personal

    integrity.52 The right to protection of personal data can thus be seen as a category under

    the much broader “right to privacy”.

    Nevertheless, in Bavarian Lager53 the CJEU pointed out that:

    “[T]he fact that the concept of ‘private life’ is a broad one, in accordance with the

    case-law of the European Court of Human Rights, and that the right to the protection of

    personal data may constitute one of the aspects of the right to respect for private life

    50 Recital 4 of the GDPR. My emphasis added.
    51 Kokott and Sobotta, “The distinction between privacy and data protection in the jurisprudence of the CJEU and the ECtHR” p 222; see further Cameron, An Introduction to the European Convention on Human Rights p 116.
    52 See Tzanou, “Data protection as a fundamental right next to privacy? ‘Reconstructing’ a not so new right” p 90.
    53 Case T-194/04 Bavarian Lager v. Commission.


    does not mean that all personal data necessarily fall within the concept of ‘private

    life’.”54

    In other words, it may be argued that the right to the protection of personal data has a different, to some

    extent wider, scope than the right to privacy. In this context, it can be noted that the

    right to protection of personal data includes additional safeguards in relation to the right

    to privacy, such as data security, data quality and the principle of non-discrimination.55

    It may thus be concluded that the right to data protection can be seen as a right

    distinguishable from the right to respect for privacy. Yet, it must be emphasized that

    these rights are closely related. The Data Protection Directive expressly refers to the

    protection of privacy as one of its main aims, whereas the GDPR makes a more general

    reference that the Regulation respects the right to privacy in recital 4. Furthermore, the

    data protection law of the EU must comply with the right to privacy in the ECHR as it

    constitutes a general principle of EU law. In its case law, the CJEU has further

    repeatedly conflated the two rights without clearly distinguishing between the two.56

    2.4. The Scope of the Rights

    Article 1 of the ECHR declares that parties to the Convention “shall secure to everyone

    within their jurisdiction the rights and freedoms defined in section 1 of this

    Convention”. The parties to the Convention are States. Furthermore, Article 51 of the

    Charter states that the provisions of the Charter are addressed to the institutions and

    bodies of the Union and to the Member States when they are implementing EU law.

    Thus, at a first glance, the Charter and the ECHR are only applicable in the relationship

    between States and individuals – not in the relationship between two private parties. For

    example, a private party cannot lodge an application to the ECtHR and complain that

    another private party has breached its right under the Convention.57

    54 Bavarian Lager v. Commission above n 53 para 118.
    55 Tzanou above n 52 p 88–99.
    56 See Lynskey, “Deconstructing Data Protection: The ‘Added-Value’ of a Right to Data Protection in the EU Legal Order” p 574, 575; see further Google Spain above n 2, which is a clear example of when the CJEU does not distinguish between the right to privacy and the protection of personal data.
    57 See Article 34 of the ECHR.


    Arguably, the non-horizontal application of these fundamental rights instruments should

    not be exaggerated. In relation to the right to respect for privacy, the ECHR can be held

    to include a positive obligation for States to act to ensure individuals’ rights and

    freedoms even in the relation between two private parties.58 Individuals can further turn

    to the ECtHR and complain when States fail to sufficiently protect their rights against

    infringements by other individuals.59

    Both the Charter and the ECHR, whose provisions are regarded as general principles of

    EU law, are included in the primary law of the EU. Secondary legislation needs to comply

    with primary law. Case law of the CJEU further shows the Court’s willingness to

    interpret EU legislation in light of the fundamental rights laid down in the Charter and

    the ECHR.60 The Data Protection Law of the EU – the Data Protection Directive and the

    GDPR – are both based on the principles of protection of privacy and personal data.

    They include provisions applicable in the relationship between private parties, such as

    the “right to be forgotten”. In other words, in data protection litigation between two

    private parties, it appears evident that the CJEU will consider the fundamental rights to

    privacy and protection of personal data as guaranteed by the ECHR and the Charter.

    2.5. Not Absolute Rights

    The right to privacy and data protection are not absolute rights. According to the ECHR,

    the right to respect for privacy and family life in Article 8 can be restricted if it is in

    accordance with the law and necessary in a democratic society and, inter alia, for the

    protection of the rights and freedoms of others. Limitations to the rights and freedoms

    recognized by the Charter must be provided for by law and respect the essence of those

    rights and freedoms, subject to the principle of proportionality and limitations may only

    be made if they are necessary and genuinely meet objectives of general interest

    recognised by the Union or the need to protect the rights and freedoms of others.61

    Both the Data Protection Directive and the GDPR also specify situations when the

    rights laid down in the respective legislative acts may be subject to restrictions. Article

    58 Cameron, above n 51 p 116.
    59 Cameron, above n 51 p 50, 51.
    60 See Hijmans, The European Union as Guardians of Internet Privacy: The Story of Art 16 TFEU, p 38.
    61 Article 52.1 of the Charter.


    13 (g) of the Data Protection Directive states that Member States may adopt legislative

    measures to restrict the scope of the obligations and rights provided for in the Data

    Protection Directive when such restrictions constitute necessary measures to safeguard

    the protection of the data subject or of the rights and freedoms of others. The GDPR

    includes a similar provision to that of the Data Protection Directive in Article 23 (i). It

    provides that EU or Member State law may by legislative measure restrict the scope of

    obligations and rights provided for in the GDPR, when the restriction respects the

    essence of fundamental rights and freedoms and is a necessary and proportionate measure

    in a democratic society to safeguard the protection of the data subject or the rights and

    freedoms of others.

    2.6. Data Subjects and Personal Data

    One of the aims of the Data Protection Directive and the GDPR is to protect natural

    persons with regard to the processing of personal data.62 Legal persons are excluded

    from the scope of both the Data Protection Directive and the GDPR.63

    The protection provided by the Directive and the Regulation grants rights to data

    subjects. The meaning of data subject is found in the definition of personal data in

    Article 4 (1) of the GDPR. Data subject is “an identified or identifiable natural person

    who can be identified, directly or indirectly, in particular by reference to an identifier

    such as a name, an identification number, location data, an online identifier or to one or

    more factors specific to the physical, physiological, genetic, mental, economic, cultural

    or social identity of that natural person”. The Data Protection Directive contains an

    identical definition in Article 2 (a).

    Pursuant to Article 4 (1) of the GDPR and Article 2 (a) of the Data Protection Directive,

    personal data is further defined as “any information relating to an identified or

    identifiable natural person”. It is clear from the wording that the definition is broad. The

    list of potential “identifiers”, with which the data subject can be identified, serves as

    guidance for what may constitute personal data, but the wording “in particular” suggests

    that the list is not exhaustive. The Working Party has noted that the concept of personal

    62 See Article 1 of the Data Protection Directive and Article 1 of the GDPR.
    63 See Recital 24 of the Data Protection Directive and Recital 14 of the GDPR.


    data includes any sort of information about a person, both objective “such as the

    presence of a certain substance in one’s blood” and subjective information such as

    “opinions or assessments”.64

    Recital 2 of the GDPR makes clear that the Regulation applies to the processing of personal

    data of natural persons “whatever their nationality or residence”.65 The Data Protection

    Directive includes a similar Recital.66 Consequently, if a natural person is considered as

    a data subject, he or she need be neither a resident nor a citizen of any of the EU

    Member States in order to be covered by the Data Protection Directive or the GDPR.67

    In relation to data subjects’ right to be forgotten, the Working Party has stated that

    everyone has a right to be forgotten under EU law but that data protection authorities in

    practice “will focus on claims where there is a clear link between the data subject and

    the EU, for instance where the data subject is a citizen or resident of an EU Member

    State”.68

    2.7. Controllers, Processors and Processing

    Under the GDPR, a controller is defined as the natural or legal person, public authority,

    agency or other body which, alone or jointly with others, determines the purposes and

    means of the processing of personal data.69 A processor is defined as a natural or legal

    person, public authority, agency or other body, which processes personal data on behalf

    of the controller. The difference between a controller and a processor is that the

    controller is the one determining why and how the data is being processed, while a

    processor only processes data on behalf of the controller without any additional

    purposes.70 The Data Protection Directive generally only imposes direct obligations on

    64 Article 29 Working Party, “Opinion 4/2007 on the concept of personal data” p 6.
    65 Recital 2 of the Data Protection Directive states: “whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress, trade expansion and the well-being of individuals”.
    66 See ITGP Privacy Team, EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide, p 22.
    67 ITGP Privacy Team, above p 22.
    68 Article 29 Working Party, above n 9 p 3.
    69 Article 4 (7) of the GDPR and Article 2 (d) of the Data Protection Directive.
    70 See Article 29 Working Party, “Opinion 1/2010 on the concepts of “controller” and “processor””, p 7, 8 and 25, 26.


    behalf of the controller whereas the GDPR imposes direct obligations on both

    controllers and processors.71

    Processing is defined in Article 4 (2) of the GDPR as “any operation or set of

    operations which is performed on personal data or on sets of personal data, whether or

    not by automated means, such as collection, recording, organisation, structuring,

    storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,

    dissemination or otherwise making available, alignment or combination, restriction,

    erasure or destruction”. Only corporations are covered by the obligations of the GDPR.

    Processing that is carried out “in course of a purely personal or household activity” is

    excluded from its scope.72

    71 See Article 3 of the GDPR. See however Article 16 and 17 of the Data Protection Directive, which contains certain obligations directly imposed on a processor of personal data.
    72 See Article 2 (c) and Article 3 (2) of the Data Protection Directive.


    3. Data Protection, Jurisdiction and Choice of Law

    3.1. Introduction

    The issue of which country’s court has jurisdiction and which country’s law the

    court should apply is particularly interesting in the Internet context, and not least in data

    protection matters. While the Internet has increased the need for the protection of

    personal data, the borderless nature of the Internet has without doubt caused regulatory

    challenges. As Meier puts it, the Internet has the ability to “swiftly and effortlessly

    transcend national borders and sovereign territories”.73 The Internet thus challenges the

    predominant territorial approach to jurisdiction and choice of law.74

    A data subject’s right to be forgotten by a search engine operator is a dispute between

    two private parties. Litigation between two private parties involving a foreign element

    falls within the area of private international law. Private international law rules

    historically form a part of national law and countries are generally free to formulate

    their private international law rules as they please.75 In the last decades, the

    harmonization and unification of private international law of the Member States of the

    EU has increased immensely and it may be argued that private international law issues

    relating to data protection litigation have received a unique treatment by the adoption of

    the Data Protection Directive and the GDPR. Public international law is an international

    body of law regulating the relationship between States. This gives rise to an interesting

    question: what happens when countries formulate their private international law rules in

    such a way that they conflict with the interests of another State?

    The purpose of the following sections is to describe the relationships between data

    protection law, private international law and public international law. Understanding

    these relationships is vital in order to understand the legal issues at stake in the preliminary

    ruling of Google Spain and the case of Google v CNIL. This thesis is concerned with the

    extraterritorial reach of EU data protection law. The focus in the following sections will

    thus be to explain how jurisdiction and choice of law in data protection litigation is

    determined in relation to defendants based outside the EU.

    73 Meier, above n 39, p 142.
    74 Svantesson above n 11 p 8, 9.
    75 See Eek, Lagkonflikter i tvistemål: metod och material i svensk internationell privaträtt, p 5, 6.


    3.2. Data Protection – Public or Private Law?

    A national court faced with a dispute with an international element must first ask itself

    whether it has jurisdiction to determine the case. If yes, the second question would then

    be of choice of law. The question of choice of law is primarily relevant in relation to

    private law. Generally, courts do not apply public laws of foreign countries.76 In order

    to determine applicable law pursuant to traditional private international law method, a

    court must first qualify to which area of law the legal issue belongs, for example,

    contracts or torts. After this qualification, the court must consult the relevant private

    international law rules providing one or several connecting factors between the dispute

    and the country whose law is to be applied,77 such as the place where the damage

    occurred for torts or the place of performance for contracts.78

    The qualification of data protection law into any traditional areas of the law is not an

    easy task – it “straddles the boundaries between public and private law, criminal law

    and civil law”.79 Data protection law comes from several legal sources; human rights

    law, consumer protection law and internal market law.80 As Bing points out, data

    protection law will thus typically contain provisions of both public and private nature.81

    The Data Protection Directive and the GDPR apply both in the private law and the

    public law sector, without any distinction between the two. A systematic distinction was

    considered and rejected by the EU legislature before adopting the Data Protection

    Directive.82 As already noted, this thesis is concerned with the relationship between two

    private parties, a natural person who wants “to be forgotten” and a private company’s

    potential obligation to do so. Such a relationship falls under the category of private

    international law.

    76 See Bing, “Data Protection, Jurisdiction and the Choice of Law” p 2; see further Bogdan, Svensk internationell privat-och processrätt, p 74-75.
    77 See Bogdan, above p 33.
    78 See Article 7.1 (a) and Article 7.2 of the Brussels I bis Regulation.
    79 Kuner, “Data Protection Law and International Jurisdiction on the Internet (Part 1)”, p 182.
    80 Kuner, above p 182.
    81 Bing, “Data Protection, Jurisdiction and the Choice of Law”, p 2, 3.
    82 Witzleb et al, above n 37 p 67.

    3.3. Traditional Private International Law Instruments

    In order to determine jurisdiction in cross-border disputes in civil and commercial

    matters, the EU adopted the Brussels I bis Regulation83 in 2012. The Regulation was

    preceded by the Brussels Convention84 from 1968 and the Brussels I Regulation85 from

    2001. The Brussels I bis Regulation is applicable in “civil and commercial matters”,

    which raises the question of whether the Brussels I bis Regulation includes data

    protection litigation. As concluded above: data protection can be considered as both

    public and private law. However, litigation between individuals generally falls within

    the scope of the Regulation, if not expressly excluded from its scope.86 Claims based on

    data protection law between two private parties have thus historically fallen within the

    scope of the Brussels I bis Regulation and its predecessors.87

    The Brussels I bis Regulation is, with a few specified exceptions, such as litigation

    concerning immovable property and consumer contracts, only applicable when the

    defendant is domiciled in a Member State.88 A legal person is domiciled in the EU if it

    has its statutory seat, central administration or principal place of business in the Union,

    according to Article 63 of the Regulation. When litigation concerns a foreign defendant,

    Member States consequently apply their national private international law rules of

    domestic origin for issues of jurisdiction.89 However, it should be noted that a foreign

    defendant could be subject to the jurisdiction of a court of a Member State due to a

    choice of court agreement pursuant to Article 25 or by appearing in front of a Member

    State’s court pursuant to Article 26 of the Brussels I bis Regulation.

    83 Regulation No 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters.
    84 1968 Brussels Convention on jurisdiction and the enforcement of judgments in civil and commercial matters.
    85 Regulation No 44/2001 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters.
    86 Magnus and Mankowski, ECPIL: European commentaries on Private International Law, p 64.
    87 See Brkan, “Data protection and European private international law: observing a bull in a China shop”, p 257-278.
    88 See Articles 4-6 and Articles 18 (1), 21(2) and 24 of the Brussels I bis Regulation.
    89 See Article 6 of the Brussels I bis Regulation.

    When qualifying a violation of data protection law, it could be considered either as a

    contractual obligation, if there is a contract between the parties, or as a tort if no contract

    exists. The two relevant legal frameworks concerning choice of law within the EU are

    the Rome I Regulation on the law applicable to contractual obligations90 and the Rome

    II Regulation on the law applicable to non-contractual obligations.91 The Regulations

    are, like the Brussels I bis Regulation, applicable in civil and commercial

    matters.92

    In relation to a data subject’s right to be forgotten by a search engine operator, no

    contract between the parties exists. Consequently, a violation of a data subject’s right to

    be forgotten could be considered as tort and could then fall under the Rome II

    Regulation. However, Article 1 (g) of the Rome II Regulation explicitly excludes non-

    contractual obligations arising out of violations of privacy and rights relating to

    personality, including defamation, from the scope. Violations of data protection rights

    are not expressly mentioned in Article 1 (g). And as has been discussed above, it is not

    clear whether the right to privacy and data protection may be regarded as the same right.

    Nonetheless, it has been claimed that the provision also extends to civil claims

    concerning data protection.93 Assuming that data protection rights are included in the

    exclusion of Article 1 (g), one may hence conclude that there is no traditional EU

    private international instrument regulating choice of law relating to data protection

    matters in tort.

    3.4. Jurisdiction and Choice of Law in Data Protection Litigation

    In relation to data protection, private international law issues have received a special

    treatment. The Data Protection Directive was adopted by the EU legislature in 1995.

    The principal aim with the Directive was not to function as a private international law

    instrument; it nevertheless contained a specific private international law provision.94 In

    relation to choice of law, Article 4.1 has the heading “national law applicable” and

    provides for several connecting factors when a Member State’s national data protection

    law, adopted pursuant to the Data Protection Directive, is to be applied.

    90 Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations.
    91 Regulation no 864/2007 on the law applicable to non-contractual obligations.
    92 See Article 1 of the Rome I Regulation and Article 1 of the Rome II Regulation.
    93 See Dickinson, The Rome II Regulation: the Law Applicable to Non Contractual Obligations, p 240; see further Brkan, “Data Protection and Conflict-of-laws: A Challenging Relationship”, p 331.
    94 See Revolidis, “Judicial Jurisdiction over Internet Privacy Violations and the GDPR: a Case of Privacy Tourism?”, p 8-10.

    At first glance, the Data Protection Directive is silent regarding jurisdiction in relation

    to foreign defendants. Article 28.6 only divides the competence between the different

    supervisory authorities of the Member States. It has been argued that the distinction

    between choice of law and jurisdiction is vague in the area of data protection law.95 This

    is arguably true as regards the Data Protection Directive. In relation to foreign

    defendants, Article 4.1 could be said to work as both a jurisdiction and choice of law

    provision. The practical consequence of this is that when the national law of a

    Member State is applicable, the supervisory authority or the court of that Member State

    also has jurisdictional competence in relation to the foreign defendant.96

    For natural reasons, the GDPR does not contain any choice of law provision; the GDPR

    unifies the laws of the Member States and is directly applicable.97 Thus, no conflict of

    law issues would generally arise amongst the Member States themselves.98 However,

    Article 3 has the heading “territorial scope” and determines how wide the geographical

    scope of the GDPR is by providing different connecting factors when the GDPR

    applies. Article 79 further divides jurisdiction between the national supervisory

    authorities and national courts in a much clearer way than the Data Protection Directive.

    It can be concluded that it is somewhat complex to sort data protection law into the

    traditional categories of jurisdiction and choice of law in private international law.

    Firstly, it must be noted that the distinction between jurisdiction and choice of law

    appears blurry under the Data Protection Directive. Moreover, the basic idea underlying

    most choice of law rules is that the private law relationship should preferably be

    governed by the legal system with which the relationship has the closest and most

    relevant connection.99 However, Article 4.1 of the Data Protection Directive and Article

    3 of the GDPR determine when the two legal frameworks are applicable and do not

    leave any room for the potential application of foreign law. For example, the court of a

    Member State would never apply foreign data protection law in a dispute when the Data

    Protection Directive or the GDPR is applicable, even if the dispute has a closer

    connection to a third country.

    95 Kuner, above n 79 p 180.
    96 See Kuner above n 79 p 180, 181.
    97 See Brkan, above n 93 p 336.
    98 See however Brkan above n 93 p 336, 337, who argues that conflict of law issues may arise in relation to the provisions where the GDPR leaves room for national variations.
    99 See Bogdan, Concise Introduction to EU Private International Law, p 3.

    The explanation for the special treatment of data protection litigation arguably lies in

    the protective elements of data protection law.100 One of the main objectives of data

    protection law is to ensure the fundamental protection of personal data. Although

    traditional private international law instruments need to comply with the fundamental

    rights and freedoms of the Charter and the ECHR, the primary role of private

    international law is, in contrast to data protection law, not to be a guardian of privacy

    and data protection.101 EU private international law is based upon additional

    considerations such as predictability, the sound administration of justice and party

    autonomy.102 In relation to data protection litigation, one may thus argue that the normal

    interests considered in private international law have had to give way to the need to

    effectively ensure the right to protection of personal data.103

    3.5. Jurisdiction under Public International Law

    In contrast to private international law, public international law is primarily concerned

    with the relationship between States. Under public international law, jurisdiction may be

    regarded as the power of a sovereign state to regulate or otherwise impact upon people,

    property or circumstances.104 It reflects the principles of sovereignty, equality of states

    and non-interference in domestic affairs.105 Territoriality has long been regarded as the

    most basic principle of jurisdiction under public international law.106 According to the

    principle of territoriality, a country may assert jurisdiction over acts, persons and

    property within its borders.107 Jurisdiction may become a concern of public

    international law when States regulate interests that are not exclusively domestic.108 The

    phenomenon is commonly referred to as “extraterritorial jurisdiction” or sometimes

    “exorbitant jurisdiction”.109 Put differently, if a country asserts jurisdiction outside its

    territory, it may interfere with the sovereignty of another State, in particular when the

    asserted jurisdiction contradicts the interests of that other State.110

    100 See Kuner, above n 79 p 180, 181.
    101 See Kuner above n 79 p 180, 181; see further Revolidis, above n 94 p 10.
    102 See for example Recitals 15 and 16 of the Brussels I bis Regulation, and Article 3 of the Rome I Regulation.
    103 See for example Brkan, above n 91, p 333, 334, who argues that the prevailing opinion is that data protection laws are considered as overriding mandatory rules, which would make courts disregard a choice of court agreement according to the Rome II Regulation.
    104 Shaw, International Law, p 469.
    105 Shaw above p 469.
    106 Ryngaert, Jurisdiction in International Law, p 42.
    107 See Malanczuk, Akehurst’s Modern Introduction to International Law, p 109, 110.
    108 Ryngaert above n 106 p 5.

    The Internet has a borderless nature. Thus, when one country applies its own laws to

    remove content on the Internet – it affects what the rest of the world can access online.

    This may potentially contradict the interests of other States. Does this mean that it

    would be a violation of the principle of sovereignty, i.e. public international law, for

    States to do so? While acknowledging that this question is extremely complex, some

    observations will be made concerning public international law principles and the

    relationship between private and public international law.

    Sovereignty is a public international law principle and may be defined as a principle

    according to which, “a State may not perform any governmental act in the territory of

    another State without the latter’s consent”.111 The question of whether sovereignty

    constitutes a binding legal norm, which prevents States from acting within the territory

    of others, has been debated. While some argue that the answer is yes, others argue that

    sovereignty is rather a principle of international law which guides State interactions, but

    is in itself not a binding norm, provided that the effects do not result in an unlawful use

    of force or an unlawful intervention.112

    Closely linked to the respect for the sovereignty of other States is the principle of

    comity. Comity is a concept used in both public and private international law. The

    meaning of comity is not easily pinned down. It has been described as a “wonderful

    word to use when one wants to blur the distinction between public and private

    international law, or to avoid clarity of thought”.113 The word comity comes from Latin

    and can be translated into “courtesy” or “friendliness”.114

    109 Ryngaert above n 106 p 6, 7; see further Zatucki, “Extraterritorial Jurisdiction in International Law” p 404, 405.
    110 See Zatucki above n 109 p 405.
    111 Malanczuk, above n 107 p 109.
    112 See Corn and Taylor, “Sovereignty in the Age of Cyber”, p 208, 209.
    113 Malanczuk, above n 107 p 73.
    114 See Schultz and Ridi, “Comity and International Courts and Tribunals”, p 7.

    Under public international law, comity can be held to represent acts performed by States

    towards other States for reasons other than the belief that there is a binding legal norm

    obliging them to do so.115 The doctrine of comity was once seen as the basis for private

    international law.116 Although this is no longer the case, comity has, for example,

    played an important role in shaping private international law in common law

    countries.117 At common law, comity can be used as a justification to place trust in

    foreign courts, show restraint when exercising jurisdiction over foreign defendants or

    when applying domestic laws extraterritorially.118 Although the principle of comity

    arguably does not have as clear a mandate within EU law, the European Commission

    has previously stated that any domestic law that creates cross-border obligations

    should be applied and interpreted in a manner that is mindful of considerations of

    international comity.119

    The question of whether public international law poses any limits to private

    international law has been somewhat disputed. One view is that exorbitant jurisdictional

    claims in civil cases could lead to international responsibility.120 Yet the prevailing

    opinion of today appears to be that public international law does not pose any limits to

    how countries formulate their private international law rules, unless there is an

    international treaty stipulating the contrary.121 Regarding jurisdiction and choice of law

    in data protection matters, there is no such international instrument of global reach.122 In

    relation to enforcement actions in civil proceedings however, the conclusion is

    generally another.123 For example, it would constitute a breach of public international

    law if the governmental authorities in State A seized a defendant’s assets located in

    State B without the latter State’s consent.124

    115 Schultz and Ridi above n 114 p 8-10.
    116 See Bogdan, Svensk internationell privat-och processrätt, p 22-25; see further Mapesbury and Harris, Dicey, Morris and Collins on the Conflict of Laws, p 5.
    117 Mapesbury and Harris above p 5-9.
    118 Mapesbury and Harris above p 5-9; see also Schultz and Ridi above n 114 p 10-12.
    119 United States of America v Microsoft, Brief of the European Commission on Behalf of the European Union as Amicus Curiae in Support of Neither Party.
    120 Crawford, Brownlie’s Principles of Public International Law, p 471.
    121 Bogdan, Private International Law As Component of the Law of the Forum, p 41; see further Malanczuk above n 107 p 73, 74, for a similar conclusion. However, see Svantesson above n 11 p 120, who argues that it is of fundamental importance that private international law does not go beyond what is allowed according to public international law.
    122 Kuner above n 79 p 186.
    123 See Crawford above p 471.
    124 See Shaw above n 104 p 469, 470.

    4. Google Spain and The Right to Be Forgotten

    4.1. Introduction

    “The near-ubiquitous, pervasive access to online personal data is a new phenomenon,

    which poses significant risks to individual privacy and personal autonomy. Given the

    ease with which digital data can be copied and distributed, the most that can be done is

    to reduce the accessibility of the data. Potentially the most effective way of doing this is

    to inhibit access to personal data by means of search engines.”125

    The main tool to access information on the Internet is via search engines.126 Examples

    of such search engines are Google Search, Bing and Yahoo!. Google Search is the

    major actor. In a briefing of the European Parliament from 2015, it was concluded that

    Google holds around 90% of the market share for Internet search services in most

    European Economic Area countries.127 Search engines are crucial for the information

    society. Without the access to search engines, universal accessibility of online content

    would not be possible.128

    Historically, the liability of search engines for content placed online by third parties has

    been limited in order to enable their legitimate services.129 However, in 2014, the CJEU

    delivered the ground-breaking preliminary ruling of Google Spain. The Court held that

    search engine operators were responsible under the Data Protection Directive for

    processing personal data on third party web pages. The case is most famous for

    establishing a right to be forgotten by search engines under the Data Protection

    Directive. In the case, the CJEU further clarified the territorial scope of the Data

    Protection Directive.

    125 Lindsay, “The ‘right to be forgotten’ by search engines under data privacy law: a legal and policy analysis of the Costeja decision”, p 201.
    126 Lindsay, above p 202.
    127 European Parliament, above n 15 p 1.
    128 Opinion of Advocate General Jääskinen, Google Spain, para 36.
    129 Opinion of Advocate General Jääskinen, Google Spain, para 36, 37.

    The judgment in Google Spain can be regarded as highly relevant for search engine

    operators other than Google Search. It should however be noted that the CJEU takes the

    functioning of Google Search and the business structure of the Google Group as a basis

    for its reasoning. In order to properly understand the judgment, it is necessary to first

    clarify how Google’s search engine, Google Search, works and to describe the business

    structure of the Google Group.

    4.2. The Google Group and Google Search

    Google LLC is the parent company of the Google Group. Google LLC changed its

    name from Google Inc on the 30th of September 2017. Google is a U.S. company

    registered in Delaware with its primary place of business in California.130 Google is the

    parent company of multiple subsidiaries in Europe, amongst others, Google Spain.131

    Google operates the search engine Google Search, whereas the European subsidiaries

    are primarily responsible for promoting and selling advertising space offered by

    Google Search.132

    Google Search is offered worldwide. It operates from its general domain “google.com”

    and from country specific domains such as “google.e