The Territorial Scope of EU-Privacy Law; Two Opinions from AG Szpunar

By Stephan Mulders & Burak Haylamaz

On the 10th of January 2019, AG-Szpunar concluded in Google v. CNIL that a removal request based on the Google Spain v. Costeja judgement should not have a worldwide effect. However, on the 4th of June, the same AG concluded that an EU national court can, in fact, order an internet service provider to remove information worldwide in the case of Ewa Glawishnig v. Facebook Ireland.[1] In this post, we will analyze these seemingly contradictory opinions.

 

Both cases regard the right to privacy. The right to privacy is not an absolute but a relative right so that its scope must be balanced with competing rights, e.g. the right to freedom of expression and the right to access information of public. If there is a conflict between the right to privacy and the competing rights, a balancing test determines which right has primacy in a specific case.

Such balancing test is difficult -hence being queried- to accomplish if information is distributed over multiple countries as some countries tend to value privacy higher than the freedom of expression and vice versa. It is also questioned whether a national European court can effectively strike a balance on a worldwide level. These concerns, in turn, raise a legal question that whether European courts should extend their jurisdiction beyond European territories and order the removal of information in a global scale.

The First Opinion: Google v. CNIL

The main question discussed in Google v. CNIL case stems from the legal findings on the Google Spain v. Costeja.[2] In Google Spain v. Costeja, the CJEU created the right to be forgotten. According to the CJEU a data subject, in principle, has the right to request a search engine provider not to display certain websites as search results when is searched for the name of the data subject. The search engine has to fulfill the request unless there is a public interest in receiving this information. The right to be forgotten became an instant hit. Up until now, more than 3 million requests where filed within the EU and 25% of which where delisted accordingly.[3]

In Google Spain v. Costeja judgment, the CJEU did not elaborate on the territorial reach of the right to be forgotten. Should search results be removed on a national level? Within the EU? Or, even worldwide? Google takes the middle ground and only applies the right to be forgotten within the EU. This means that the search results are still visible from countries outside the EU, such as the USA or by circumventing geo-blocking through the use of a VPN within the EU.

In 2015, CNIL, the French Data Protection Authority, ordered Google to apply the right to be forgotten globally. Google was fined € 100.000, – when it refused to comply to this order. Google objected to this fine to the French Judge, which asked the CJEU for clarity on the reach of the right to be forgotten.

The opinion of AG Szpunar has not been received favorable in the literature. Basically, the AG argues that the territorial scope of EU law is in general limited by Article 52 (1) TEU.[4] From this starting point, the AG investigates whether the Data Protection Directive (EC/95/46, hereinafter DPD), for exceptional reasons, should be interpreted sufficiently and broadly as to have effects beyond the European borders, especially with regards to the right to be forgotten. The AG claims that EU law applies within the EU territory and does not create rights and obligations outside of its boundaries save in the areas of trademark and competition law.[5] Therefore, the AG suggest the against opinion on the global application of the right to be forgotten. However, the A-G does not exclude that there may be situations in which a global right to be forgotten could be necessary but he does not elaborate on which situations such as worldwide application is required.[6] Furthermore, the AG strengthens his opinion by arguing against the unwanted effects of a worldwide right to be forgotten. He argues that it is not possible to ensure the proper balance test worldwide between the right to privacy and public’s right to access information because these competing rights are weighed differently within and outside of the EU. Besides, the AG claims that a possible worldwide implementation of delisting from the EU would encourage third countries to require search engine operators to comply with their restrictive domestic policies which has a global consequence on the freedom of expression. In other words, the European-based worldwide delisting order may subsequently hinder European internet users to access certain information delisted by third countries as a retaliation.

The authors beg to differ with the A-G in this statement. As stated by Alberto Miglio, the AG bases his argument on a false premise.[7] Article 52 TEU is meant to define the territories on which EU Law applies.[8] However, the provision does not stipulate a limitation on the extraterritorial effects of the EU law.[9] Whether EU law has extraterritorial effects depends on multiple factors and requires the analysis of the recognized principles of extraterritorial jurisdiction under  public international law, e.g. the active and passive personality, the nationality, the universal, and the protective principles. For instance, the brand-new data protection regulation, the GDPR, addresses the extraterritoriality in Article 3(1) and (2) by justifying the European jurisdiction beyond its borders relying on the nationality and passive personality principles respectively.[10]

Moreover, the AG is wrong when stating that EU law has extraterritorial effect only in exceptional cases. As Miglio argues, there are countless examples of EU law with extraterritorial effects.[11] For instance: financial regulation[12], fisheries[13], trade restrictions[14], animal welfare[15] and governance of climate change.[16] Apart from these examples, the argument of the AG also suffers from another false premise, which is the fact that the DPD was already interpreted broadly by the CJEU in Google Spain v. Costeja case. The CJEU ruled that the DPD has an extraterritorial effect in the sense that it applies to the Google search engine operator, which is owned by an American company. Therefore, it is not likely to conclude that the DPD should be interpreted exceptionally when it comes to determine whether information should be removed on a global level.

The AG further argues that national courts will not be able to strike an effective balance on a worldwide level and is therefore not capable to order removal of information.[17] While this argument is valid, it is not convincing. After all, the argument implicitly assumes that the balance in other countries will always go against the removal of information.

Lastly, the AG warns that the worldwide removal of information might lead other countries to also require multinationals to remove information on a global level. This slippery slope scenario is at the least empirically rebuttable. In 2014, the Supreme Court of British Columbia ordered Google to delist search results globally in Equustek Solutions Inc. v. Jack.[18] Since then, it has not been seen a torrent of judges ordering the global removal of information. Furthermore, other countries are not willing to limit the freedom of expression, for instance any possible law concerning the limitation on the freedom of press is not likely to enacted in the USA because of its contradiction with the First Amendment.

The second opinion: Pieczek v. Facebook Ireland

Miss Piesczek is an Austrian politician. In 2016 someone placed a picture of her on Facebook with a text in which she is accused of being a traitor of the people and member of a fascist party. The national court of first instance found the information to be defamatory and ordered Facebook to remove the information. Facebook removed the information locally. In appeal, the question arose whether Facebook should remove the information on a global level and if Facebook could be obliged to prevent similar posts from appearing on its network. The supreme court asked to a preliminary judgement from the CJEU.

Facebook argues that the obligation to prevent similar information to appear on Facebook would de facto oblige Facebook to monitor their network. Article 15(1) of Directive 2000/31 prohibits member states from imposing such general monitoring obligations. The AG points out that while Directive 2000/31 prohibits general monitoring obligations, it does not prohibit specific monitoring obligations. The present case involves the obligation to scan for specific unlawful information. A national court may even order Facebook to prevent “similar”, reproduced or any further defamatory information to be posted on its network, as long as the order is specific enough.

Regarding the territorial effect of an order, the AG argues that the territorial effects of such order are dependent on national law, as the Directive 2000/31 does not cope with extraterritoriality and the applicant did not base her arguments on the protection of personal data, which was harmonized at EU level.[19]

The AG must have felt that this conclusion might be viewed as contradictorily with his former opinion on the Google vs. CNIL case. Therefore, he explicitly mentions this case and explains that these cases are not comparable because his opinion in the CNIL case was based on the fact that the DPD harmonizes data protection on an EU level.[20] This means that the scope of the DPD is limited by the scope of EU law in general. Having said that, the AG again specifically points out that there might be situations in which the interests of the Union requires the application of that DPD beyond the territory of the EU and order delisting worldwide.[21]

Conclusion

Both Google v. CNIL and the Facebook Ireland cases tackle the same legal question, namely the territorial effect of removal of information. However, the legal frameworks of these cases were presented differently. This means that the AG does not contradicts himself in these opinions.

However, in the Facebook Ireland case, the AG nuances his opinion on the Google v. CNIL case twice. First, he mentions explicitly that the DPD does not preclude the worldwide removal of information per se by acknowledging the fact that some situations might lead the EU to extend its jurisdiction and allows to order a global removal although he argues that there is no need for such a worldwide removal decision in the present case. Second, the AG states “additionally” that a national court may order a worldwide removal, however, it should consider and weight the right of access to information of people all over the world.[22] With this second argument, the AG seems to reconsider his argument in the Google Spain v. CNIL case that a national court cannot decide on the right of access to information on a worldwide level.

On the eve of the judgments by the CJEU, two non-binding opinions by the AG reveals the complexity of the legal question at hand. Nevertheless, it is important for the CJEU to provide a clarity on the territorial extent of removal requests and to ensure the effective protection of personal data at the same time. It would not be preferable for the Court to create a general rule because such rule does not fit in the system of the balancing test. A general rule to remove information on a worldwide level will -in some cases- disproportionally harm the freedom of access to information of people outside the EU. On the other hand, a general rule that information only has to be removed within the EU -hence geographical restricted- will not protect the privacy of data subjects in certain cases. To compromise, it might be better to dictate that the extraterritorial effect of removal should be incorporated in the balancing test. By doing so, a national judge has the freedom to decide on a case level whether specific information should be removed globally or locally by considering the dynamics of inside and outside of the EU.

 

 

[1] Case C-18/18, Ewa Glawisching v Facebook Ireland Limited.

[2] Case C-131/12, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, [2014], ECLI:EU:C:2014:317.

[3] Google Transparency Report, Search Removals Under European Privacy Law, accessible via https://transparencyreport.google.com/eu-privacy/overview, last accessed on June 16th, 2019. Please also see Michele Finck, “Google v. CNIL: Defining the Territorial Scope the European Data Protection Law”, Oxford Business Law Blog, November 16th, 2018.

[4] Opinion of Advocate General Szpunar, Case C-507/17 Google v/ CNIL, January 10th, 2019, para 79.

[5] Ibid, paras 47, 51 and 52.

[6] Ibid, para 62.

[7] Alberto Miglio, “Setting Borders to Forgetfulness: AG Suggests Limiting the Scope of the Search Engine Operators’ Obligation to Dereference Personal Data”, EDPL 1/2019, pages 136-141.

[8] See Violeta Moreno-Lax and Catherine Costello, ‘The Extraterritorial Application of the Charter: From Territoriality to Facticity, the Effectiveness Model’ in Steve Peers et al (eds), The EU Charter of Fundamental Rights: A Commentary (Hart 2014) 1664.

[9] Jacques Ziller, ‘Flexibility in the Geographical Scope of EU Law: Diversity and Differentiation in the Application of Substantive Law on Member States’ Territories’ in Gráinne De Búrca and Joanne Scott, Constitutional Change in the EU: From Uniformity to Flexibility? (Hart 2000) 115.

[10] Dan Jerker Svantesson, ‘The extraterritoriality of EU data privacy law its theoretical justification and its practical effect on US businesses’ (2014) Stanford Journal of International Law 50(1), 53-102.

[11] Examples are taken from: Alberto Miglio, “Setting Borders to Forgetfulness: AG Suggests Limiting the Scope of the Search Engine Operators’ Obligation to Dereference Personal Data”, EDPL 1/2019, pages 136-141.

[12] See Joanne Scott, ‘The New EU “Extraterritoriality”’ (2014) 51 CMLR 1343.

[13] Joined cases 3, 4 and 6-76 Cornelis Kramer and Others [1976] ECLI:EU:C:1976:114.

[14] Case C-177/95 Ebony Maritime and Loten Navigation [1997] ECLI:EU:C:1997:89.

[15] Case C-424/13 Zuchtvieh-Export [2015] ECLI:EU:C:2015:259.

[16] Case C-366/10 Air Transport Association of America and Others [2011] ECLI:EU:C:2011:864.

[17] Opinion of Advocate General Szpunar, Case C-507/17 Google v/ CNIL, January 10th, 2019, paras 75 and 76.

[18] Supreme Court of British Columbia, Equustek Solutions Inc. v. Jack, [2014] BCSC 1063, para 159, retrieved via http://www.courts.gov.bc.ca/jdb-txt/SC/14/10/2014BCSC1063.htm, last accessed on February 8th, 2019.

[19]Opinion of Advocate General Szpunar, Case C-18/18 Eva Glawischnig v Facebook Ireland Limited,June 4th, 2019, paras 78, 88 and 90.

[20] Ibid, para 79

[21] Ibid, para 79. Also Opinion of Advocate General Szpunar, Case C-507/17 Google v/ CNIL, January 10th, 2019,

para 62.

[22] Ibid, para 100.