CNIL and Google: Stretching Boundaries?

September 21, 2015

It is fair to say that La Commission nationale de l’informatique et des libertés, the French data protection supervising body that is better known as the CNIL, has a fearsome reputation. Its President, Isabelle Falque-Pierrotin, is a well connected and influential figure in France and, as Chair of the Article 29 Working Group, she wields wide influence beyond its borders. The failure of Google’s ‘informal appeal’ against a CNIL ruling that, in implementing any right to delisting or right to be forgotten (RtbF), Google must remove results across geographical boundaries and on has led to many suggesting that the CNIL is seeking to impose French standards of privacy across the world. Since the English (but not the Scots) instinctively react to any French move towards control as if it were a Napoleonic invasion, the suggestion that the CNIL is power hungry tends to go down well. Is that suggestion justified or are we just {hanging the monkey:}?

According to the CNIL report of the appeal refusal (in the version in English), Google received several tens of thousands of requests from French citizens. It delisted some results on the European extensions of the search engine (.fr; .es;; etc.). However, it has not proceeded with delisting on other geographical extensions or on, which any internet user may alternatively visit. In May 2015, the President of the CNIL therefore put Google on notice to proceed with delisting on all of the search engine’s domain names. At the end of July, Google filed an informal appeal asking the President to withdraw this public formal notice. Google argued in particular that it would impede the public’s right to information and would be a form of censorship.

The CNIL President decided to reject this informal appeal and gave the following reasons:
• Geographical extensions are only paths giving access to the processing operation. Once delisting is accepted by the search engine, it must be implemented on all extensions, in accordance with the judgment of the ECJ.
• If this right was limited to some extensions, it could be easily circumvented: in order to find the delisted result, it would be sufficient to search on another extension (eg searching in France using, namely to use another form of access to the processing. This would equate to ‘stripping away the efficiency of this right’, and applying variable rights to individuals depending on the internet user who queries the search engine and not on the data subject.
• The right to delisting never leads to deletion of the information on the internet; it merely prevents some results being displayed following a search made on the sole basis of a person’s name. Thus, the information remains directly accessible on the source website or through a search using other terms. For instance, it is impossible to delist an event.
• The delisting right is not absolute: it has to be reconciled with the public’s right to information, in particular when the data subject is a public person, under the double supervision of the CNIL and of the court.

The CNIL expressly addresses the extraterritoriality issue, claiming that the decision does not show any willingness on the part of the CNIL to apply French law extraterritorially but simply requests full observance of European legislation by non-European players offering their services in Europe. Is that fair?

Google’s response to the decision was to say ‘We’ve worked hard to implement the “right to be forgotten” ruling thoughtfully and comprehensively in Europe, and we’ll continue to do so. But as a matter of principle, we respectfully disagree with the idea that one national data protection authority can assert global authority to control the content that people can access around the world.’

I mentioned last week that {a recent ICO ruling on the RtbF:} seems out of step with the French line in that there was a specific limitation put on the delisting requirement, confining it to the .uk search engine. I may be reading too much into that limitation but I do wonder whether the next Article 29 Working Group meeting might see a clash of views on this. This seems like an excellent example of a situation where a concerted EU approach is vital – you cannot attack a mammoth like Google one spear at a time.

I tend to dismiss the allegation that the CNIL is the new Napoleon, even though the prospect of French standards of privacy being imposed worldwide is quite appetising. Anyway, the cloak of worldwide cyber-dictator sits more easily on the US shoulders that are seeking emails from servers in Ireland. The true answer in these circumstances seems to lie with finding ways to filter all google results including .com results, for French servers. That ‘answer’ comes with its own dangers – any such filter can be abused and it is not hard to imagine circumstances where it might be a real threat to freedom of speech. Full and immediate surrender from Google might very well create problems for it in terms of reputational damage and in terms of its search supremacy. But, given the USA’s very genuine, some would say over-enthusiastic, commitment to freedom of speech, surrender might even create legal problems in the USA.

As to the immediate situation, since the informal appeal has been rejected, Google ‘must now comply with the formal notice’ says the CNIL. ‘Otherwise, Isabelle Falque-Pierrotin {i}may{/i} designate a Rapporteur who {i}may{/i} refer to the CNIL’s sanctions committee with a view of obtaining a ruling on this matter’. That ‘otherwise’ will not have Google’s bosses quaking in their boots. It seems like a vague bureaucratic version of ‘disobey again and we’ll have another think about what to do’, which is something of a disciplinary non-no in kindergartens. The likely result is that Google will be fined and then appeal the fine and we are then likely to see a referral to the CJEU on the jurisdiction/territoriality issues. It could be a long wait for the legal side to be resolved. Sorting out effective filters is likely to be quicker.