Content Moderation, Digital Rights
Scarborough v. Frederick County School Board
Nominations Are Now Open for the 2024 Columbia Global Freedom of Expression Prizes. Learn more and nominate here.
Closed Expands Expression
Global Freedom of Expression is an academic initiative and therefore, we encourage you to share and republish excerpts of our content so long as they are not used for commercial purposes and you respect the following policy:
Attribution, copyright, and license information for media used by Global Freedom of Expression is available on our Credits page.
The French national data protection authority’s (CNIL) Restricted Section held an internet company responsible for breaching its users’ right to be forgotten. The company had received requests from internet users for the company to dereference links to webpages from search results of their name, and when the dereferencing was not done the users sent complaints to the CNIL. The CNIL instructed the company to follow the dereferencing requests for all geographical locations. When the company had not respected the time limits given by the CNIL to correct their breach of the law, and did not propose a sufficient measure to improve its referencing system, the CNIL imposed a financial sanction of 100,000 euros and a public statement of the judgment on the company.
The French national data protection authority (CNIL) had been repeatedly contacted by French Internet users with complaints that their requests to the company X for dereferencing had been rejected. X had as its major activity the operation of an Internet search engine with more than 30 billion URLs indexed at the beginning of 2013. The dereferencing requests were for X to remove from the list of results displayed following a search on a person’s name, links to web pages published by third parties and containing information relating to this person.
The CNIL is empowered (confirmed by the Court of Justice of the European Union) to challenge any operator that provides unsatisfactory responses to de-referencing requests. The CNIL instructed X to proceed to the dereferencing on all extensions requested, and in a letter dated April 9 2015, reminded the company that in order to be effective, the dereferencing should not be limited to the European extensions of its search engine.
On April 24, 2015, X replied to the CNIL, stating that they were capable of guaranteeing the effectiveness of the right to dereferencing. In a letter sent to the President of the G29 on January 21, 2016, after the time limits for compliance, the company committed to improving its dereferencing system by extending the system to all extensions of its search engine (including versions from countries outside the European Union) but only when the query appears to originate from the country of the requester (determined in priority by the user’s IP address).
The matter then went to the Restriction Section of the CNIL for determination.
Jean-François Carrez, President of the Restricted Section, delivered the judgment. The central issues for determination were to determine whether X’s move towards the CNIL to improve its dereferencing system by extending the system to all extensions of its search engine was sufficient, and to determine to what extent dereferencing is an infringement to freedom of expression and to the right to information.
X contested the validity of the injunction to remove the domain name from all the extensions of the search engine because it argued that the injunction has “no legal basis” and was based on “an imprecise and unforeseeable legal rule and that it is not based on specific complaints”. It submitted that dereferencing would disproportionately infringe the freedom of expression and information and that the CNIL was exceeding its powers by imposing a measure with extraterritorial scope. X submitted that the French Law on Information Technology and Liberties of 6 January 1978 is not applicable to queries made on the search engine outside France, which correspond to an activity that is neither directed at French Internet users nor indivisibly linked to its French subsidiary. X argued that dereferencing on all the search engine’s endings violates the principle of international law of comity and affronts the sovereignty of States because of its extraterritorial effects.
The CNIL referred to Articles 7 and 8 of the Charter of Fundamental Rights of the European Union and Article 1 of the Directive 95/46/EC of the European Parliament which protect privacy and personal data of individuals. It also invoked Article 12 and 14 of the directive as they protect individuals’ right to ask the data controller to delete their data and the right to object on legitimate grounds to the processing of their data. These provisions form part of French law through Articles 38 and 40 of the French Law on Information Technology and Liberties of 6 January 1978 and the decision of the Court of Justice of the European Union in Google Spain v. Agencia Española de Protección de Datos highlights that the protection afforded by Directive 95/46/EC must apply to all European residents without any possibility of circumvention, and without any exemption from the “obligations and guarantees provided for by Directive 95/46, which would undermine the effectiveness of that directive and the effective and comprehensive protection of the fundamental rights and freedoms of natural persons which it seeks to ensure”.
The CNIL stated that it fulfilled its general mission entrusted by the legislator to ensure compliance with the Data Protection Act (Article 11) and so the complaint of unforeseeability should be dismissed. The CNIL also noted that the request made in the formal notice of May 21, 2015, which had previously been set out in a letter of April 9, 2015, and which granted the company a period of time to comply, was unambiguous.
The CNIL’s Restricted Section noted that the formal notice was based on eight complaints expressly referred to in the decision. It underlined that the implementation of the CNIL’s repressive powers is not conditional on the existence of a complaint and is not intended to compensate for any prejudice suffered by a complainant, but solely to “correct or sanction a breach of the Act of January 6, 1978”.
The CNIL stated that X, the search engine, is consulted in a way that goes beyond the geographical origin of the Internet user performing the search and the geographical extensions of the search engine are still operated by a single domain name. It referred to the Google Spain decision, stating: “the operator of a search engine collects data which it subsequently extracts, records and organizes in the context of its indexing programs, stores on its servers and, where appropriate, communicates to and makes available to its users in the form of lists of the results of their searches. Since those operations are explicitly and unconditionally referred to in Article 2(b) of Directive 95/46, they must be regarded as processing within the meaning of that provision: personal data are processed in the course of the activities of an establishment of the controller in the territory of a Member State, where the operator of a search engine sets up a branch or subsidiary in a Member State for the purpose of promoting and selling the advertising space offered by that engine and whose activity is aimed at the inhabitants of that Member State”. Accordingly, the company participates, on national territory, in the activity of the local operator of the search engine.
Applying Article 38 and 40 of Law no. 78-17 of January 6, 1978 and in the light of the Google Spain decision the CNIL emphasized that the proposed measure from the company to limit the dereferencing to search queries that appear to originate from the country of the requester, is not enough. It found that this measure is unfounded and imperfect as the limitation of the dereferencing to the query’s country extensions only represent technical paths allowing access to a single treatment, and the dereferenced links remain accessible and available for consultation by any Internet user located outside the territory concerned by the filtering measure.The CNIL stated that the CJEU’s protection standard can only be lawfully satisfied by a measure that covers all of the processing associated with the search engine without making a distinction between the extensions requested and the location of the Internet user conducting a search.
The CNIL reiterated that the request of dereferencing does not infringe the freedom of expression or the right to information as it does not result in the removal of any Internet content, nor the de-indexing of the pages of the concerned websites (which would consist of a removal of the links sought from the search engine results). Dereferencing only entails deleting links to web pages at the request of a real person when a search is conducted using only that person’s first and last name and so when alternative search terms are entered, these pages are still searchable.
Decision Direction indicates whether the decision expands or contracts expression based on an analysis of the case.
The French data protection agency’s strict requirement that dereferencing can only happen if the prerequisites for exercising the rights of objection (subject to proof of a legitimate interest) or deletion (conditional on demonstrating the outmoded, incomplete, or erroneous character of the disputed material) are satisfied expands expression. The agency also maintained proportionality control through a strict balance between the respect of individuals’ rights to privacy and protection of personal data and the public’s interest in accessing information, notably if it is a public figure.
Global Perspective demonstrates how the court’s decision was influenced by standards from one or many regions.
Case significance refers to how influential the case is and how its significance changes over time.
Let us know if you notice errors or if the case analysis needs revision.