Writing in the Harvard Law Review in 1890, leading American jurists Louis Brandeis and Samuel Warren outlined the contours of a new right to privacy conceived as the right to be let alone.Footnote 1 Yet, 130 years later – and with the advent of the digital age – privacy is leaving this perimeter and entering new dimensions, with challenges of their own.Footnote 2 As the international newspaper The New York Times put it in launching “The Privacy Project”, a comprehensive months-long endeavor to explore how technology is altering conceptions of individual privacy, the terminology of privacy itself is changing, and crucially new demands connected to privacy are emerging, especially in relation to the protection of personal data.Footnote 3
The European Union (EU) has been at the forefront of the protection of the right to data protection at the global level. The EU is currently endowed with an advanced constitutional and legislative framework for the protection of personal data, and this has allowed the European Court of Justice (ECJ) to take the lead as the most protective privacy court word-wide, developing a case law which has been taken as a model by courts also at the national level – including in Germany. Among the data privacy rights developed by the ECJ, and now explicitly codified in EU law, is also the right to be forgotten, namely the right of the data subject to request data controllers, including online digital platforms, the erasure of personal data concerning him or her.
However, the scope of EU data protection law in general – and of the right to be forgotten in particular – has been increasingly facing a question of jurisdictional boundaries. One of the most debated features of EU data protection law is its capacity to apply beyond the borders of the EU.Footnote 4 Moreover, the recent introduction of harsher fines has led many foreign companies to comply with EU data protection law not only in relation to their European business, but on a global scale.Footnote 5 However, it has been a matter of debate and conflicting ECJ judgments whether the right to be forgotten and other requests to delist online content could be enforced worldwide, or if rather reasons of international comity restricted their effects within the borders of the EU.
This article explores the challenges of the extraterritorial application of the right to be forgotten, in particular, and of EU data protection law, more broadly, in light of the recent case law of the ECJ. The paper explains that there are good arguments for the EU to apply its high data protection standards outside its borders. As data are un-territorial,Footnote 6 only a global application of EU data protection law can guarantee an effective enforcement of privacy rights. However, the paper also highlights how such an extraterritorial application of EU data protection law faces challenges, as it may clash with duties of international comity and the need to respect diversity of legal systems, and could ultimately be nullified by contrasting rulings delivered by other courts in other jurisdictions.
As the article points out from a comparative perspective, however, this challenge is not unique to the EU legal system. Rather, it emerges in other jurisdictions as well, such as Canada and Australia. In fact, the protection of privacy in the digital age increasingly exposes a tension between efforts by legal systems to impose their high standards of data protection outside their borders – a dynamic which could be regarded as ‘imperialist’Footnote 7 – and claims by other legal systems to assert their own power over data – a dynamic which one could name ‘sovereigntist’.Footnote 8 As the article suggests, navigating between the Scylla of imperialism and the Charybdis of sovereigntism will not be an easy task – particularly when claims to control the digital realm are made by authoritarian regimes, which are eager to exploit digital technology for their illiberal mission.Footnote 9 In this context, greater convergence in the data protection framework of liberal democratic systems worldwide appears as the preferable – albeit far from easy – path to secure privacy in the digital age.
The article is structured as follows. Section B presents the EU constitutional framework for data protection and the expanding case law of the ECJ in the field. Section C analyzes the right to be forgotten afforded to data subjects – originally developed by the ECJ and then codified in EU legislation. Section D illustrates how the EU framework for data protection has progressively extended its reach outside the jurisdiction of the EU, looking in particular at the recent case law of the ECJ in the field of the right to be forgotten and removal of content from online platforms. Section E, drawing a comparison with other jurisdictions, explores the rationale behind the extraterritorial application of EU data protection law and examines the challenges that this tendency poses. Section F finally concludes suggesting that transnational cooperation among liberal democratic jurisdictions appears as the preferable path to navigate the emerging tension between data protection imperialism and digital sovereignty and to guarantee an elevate standard of protection of data privacy in the digital age.
B. EU Data Protection Law and Jurisprudence
At the constitutional level, the EU abides by one of the most advanced standards for data privacy worldwide. The EU Charter of Fundamental Rights adopted in 2000 introduced a constitutional recognition of the right to data protection in the EU legal order.Footnote 10 Whereas Article 7 of the Charter (entitled “Respect for Private and Family Life”) re-affirmed the content of Article 8 of the European Convention on Human Rights, proclaiming that “Everyone has the right to respect for his or her private and family life, home and communications,” Article 8 of the Charter (entitled “Protection of Personal Data”) introduced a new explicit recognition of the rights to data privacy by stating that
“Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority.”
With the entry into force of the Lisbon Treaty in 2009, the Charter has acquired full legal value.Footnote 11 Moreover, the Lisbon Treaty introduced another provision confirming the centrality that the rights to data protection now play in the constitutional order of the EU.Footnote 12 Pursuant to Article 16 of the Treaty on the Functioning of the EU (TFEU), “Everyone has the right to the protection of personal data concerning them.” The same provision empowers the European Parliament with the Council to
“lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.”
At the legislative level, then, the EU has been endowed with a comprehensive framework on data protection since the 1990s. The Data Protection Directive, adopted in 1995,Footnote 13 introduced a far-reaching obligation for the member states to “protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data”Footnote 14 within their jurisdictions.Footnote 15 The principles codified in the Data Protection Directive were then expanded in 2001 to the EU institutions by a Regulation on the protection of individuals with regard to the processing of personal data by EU bodies, offices and agencies,Footnote 16 which also established the European Data Protection Supervisor (EDPS).Footnote 17 Moreover, selected pieces of EU legislation expanded the protection of data privacy in specific sectors, such as electronic communications,Footnote 18 and police and judicial cooperation in criminal matters.Footnote 19 Ultimately, in 2016, the European Parliament and the Council, on the basis of Article 16 TFEU, enacted the General Data Protection Regulation (GDPR),Footnote 20 and simultaneously adopted a Directive on the protection of natural persons regarding processing of personal data connected with criminal offences or the execution of criminal penalties.Footnote 21 The GDPR replaced the Data Protection Directive with measures directly and uniformly binding throughout the member states of the EU, with the aim to provide an even more advanced framework for data protection, updated to the challenges of globalization and rapid technological developments.Footnote 22
At the jurisprudential level, finally, the ECJ through its case law has championed the protection of data protection, wearing with confidence the role of a human rights court.Footnote 23 In particular, heavily drawing on the Charter of Fundamental Rights, the ECJ has expanded its prior jurisprudenceFootnote 24 and enforced a high standard of data privacy protections: 1) vertically, i.e. vis-à-vis the member states; 2) horizontally, i.e. vis-à-vis the EU political branches; as well as 3) diagonally, i.e. vis-à-vis private companies which withhold relevant power in the processing of personal data. First, the ECJ held that Article 8 of the Charter, and Article 16 TFEU, implied a need for data protection authorities to be fully independent and ruled against member states which had failed to secure this objective in their legislation,Footnote 25 and set aside national legislation introducing surveillance measures in breach of data protection rights.Footnote 26 Second, the ECJ found that Articles 7 and 8 of the Charter provided data subjects with a right to be protected from practices of systematic government surveillance and thus struck down as incompatible with EU primary law both the EU Data Retention Directive, which required the retention of personal data law enforcement purposes,Footnote 27 as well as an international agreement concluded between the EU and Canada, which foresaw the collection of passenger name record (PNR) data.Footnote 28 Third, the ECJ has also applied a high standard of data protection vis-à-vis tech companies, subjecting IT providers offering services within the EU internal market to EU data protection laws, and expanding the protections afforded to data subjects.Footnote 29 It is in this context that the ECJ has also recognized a right to be forgotten – which was later codified in the GDPR and taken on board by a number of other courts.
C. The Right to Be Forgotten
The ECJ took a major step toward the recognition of the right to be forgotten in May 2014, in Google Spain SL v. Agencia Española de Protección de Datos (AEPD).Footnote 30 The case concerned the interpretation of the Data Protection Directive, which was then applicable in domestic proceedings between Google and the AEPD, the Spanish data protection agency. Pursuant to the application by a Spanish national, the AEDP had required Google to remove from its search engine links to information relating to the applicant, on the account that data protection law applied to it. Google had challenged the administrative decision in Spanish courts, which decided to refer several questions to the ECJ. In its judgment, the ECJ recognized a new right for data subjects to request removal of on-line content, and, correspondingly, an obligation for the operator of a search engine to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person.Footnote 31 As a preliminary matter, the ECJ ruled that a search engine like Google must be classified as a processor and controller of personal data within the meaning of the Data Protection Directive.Footnote 32 On the substance, then, the ECJ – after recognizing that a name search through Google could provide a “more or less detailed profile of [the data subject]”Footnote 33 – held that the operator of a search engine “is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties […], also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.”Footnote 34
The judgment of the ECJ in Google Spain opened the door to a full-fledged codification of the right to be forgotten in EU law. The GDPR, in fact, enshrined in Article 17 a “Right to erasure (right to be forgotten)”, stating that “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.” The same provision clarifies that the right to erasure applies when: “(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based […]; (c) the data subject objects to the processing […] (d) the personal data have been unlawfully processed.” Moreover, pursuant to Article 17(2) GDPR, “Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.” While Article 17(3) GDPR indicates that the right to erasure “shall not apply to the extent that processing is necessary: (a) for exercising the right of freedom of expression and information; (b) for compliance with legal obligations […] in the public interest” and for a number of other selected reasons related to public health, scientific or historical research and legal defense, the GDPR seemed to follow the ECJ’s view that the data subject’s right to request the removal of on-line content “override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject’s name.”Footnote 35
The case law of the ECJ in the field of the right to be forgotten has also become a model national courts have looked at – including in Germany.Footnote 36 In November 2019, the Bundesverfassungsgericht, Germany’s federal constitutional court, delivered a judgment applying EU law on the right to be forgotten in a dispute between a private citizen and a broadcasting corporation regarding the request to delist links to online information on the applicant.Footnote 37 As the court pointed out, since the matter fell under legislation fully harmonized by EU law, the standards of EU fundamental rights protection applied and could be examined by the court.Footnote 38 Ultimately, the court rejected the constitutional complaint, ruling that the ordinary courts had correctly balanced competing rights.Footnote 39 In another judgment delivered on the same day,Footnote 40 however, the Bundesverfassungsgericht also articulated an autonomous, domestic standard of the right to be forgotten, holding that where EU law “allowed for different legislative designs at Member State level” German constitutional rights would be the standard used by the court in adjudicating constitutional complaints, unless it is exceptionally shown that EU law requires a uniform standard of fundamental rights protection, or that German constitutional rights do not meet the minimum standard of protection required by the Charter.Footnote 41 In the specific case, therefore, the court ruled that the request by a private citizen to obtain the erasure from the website of the newspaper Der Spiegel of articles concerning him had to be upheld in light of the constitutional right of personality, which includes a right to be forgotten. As the court clarified, the right to be forgotten had to be balanced with freedom of information and freedom of expressionFootnote 42 – yet “the realities of information technology and the dissemination of information on the internet attach a new legal dimension to the requirement that time be considered as a relevant contextual factor characterizing information.”Footnote 43 As such, the court concluded that the constitutional complaint was well founded, as “it would have been necessary to consider whether it was possible, and required, to impose an obligation on the media outlet sued before the ordinary courts to take reasonable precautions upon being notified by the complainant, to provide at least some protection against search engines retrieving the articles in question in the context of searches related to the complainant’s name, without unduly restricting the general retrievability and accessibility of the articles as such.”Footnote 44
D. Extraterritorial Application of EU Data Protection Law
Over the past few years, the EU framework for data protection has progressively extended its reach outside the jurisdiction of the EU. On the one hand, the ECJ has reviewed the standard of data protection existing in third countries to decide whether this was sufficient to authorize the transfer of personal data from the EU to such third country – essentially pressuring the latter to raise its domestic standards to meet the EU benchmark. In the Schrems judgment,Footnote 45 in particular, the ECJ reviewed the European Commission Safe Harbor decision – which recognized US data protection standards as providing an adequate level of protection, and therefore authorized private companies to transfer data across the AtlanticFootnote 46 – and struck that down, ruling that in light of the revelations of US mass surveillance, it appeared that law and practice in force in the US did not ensure an adequate protection of personal data.Footnote 47 The ECJ ruling, which was prompted by a Facebook user disgruntled with the limited protection that his data would receive in the US, forced the EU and the US to renegotiate further guarantees on the protection of personal data – including limitations on the access and use of personal data transferred for national security purposes as well as oversight and redress mechanisms that provide safeguards for those data to be effectively protected against unlawful interference and the risk of abuse – which were codified in a new Commission adequacy decision called Privacy Shield.Footnote 48 This has been challenged as insufficient,Footnote 49 but it likely represents a step forward compared to Safe Harbor, suggesting the EU data protection law can indeed create pressures in third countries to raise their standards through international negotiations.Footnote 50
On the other hand, the ECJ has directly subjected economic operators incorporated outside the EU to EU data protection rules when they deal with data collected within the EU. The point was already made in Google Spain: here the ECJ ruled that in light of the objective of EU data protection law “of ensuring effective and complete protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data, [the notion of establishment] cannot be interpreted restrictively”Footnote 51 – and therefore concluded that Google, despite being incorporated in the US, was subjected to the Data Protection Directive, also because it operated a subsidiary in Spain, which managed advertising on a Spanish-localized search engine. In fact, the GDPR has further expanded this state of affairs,Footnote 52 as Article 3(2) (entitled “Territorial Scope”) now foresees that “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
The extraterritorial reach of EU data protection law has led to important challenges – notably with regard to the right to be forgotten, as the ECJ has attempted to work out the circumstances when requests to remove online content bound businesses established overseas, and with world-wide effect. In particular, the matter was at the heart of two recent ECJ judgments concerning Google and Facebook. In September 2019, in Google v. Commission Nationale de l’Informatique et des Libertés (CNIL),Footnote 53 the ECJ reviewed a sanction imposed on Google by the French data protection authority for failure to remove content worldwide, from all its website domains, in pursuance of a right to be forgotten request. Google had challenged the CNIL sanction claiming that the removal of online content exclusively on the French version of its search engine sufficed. In its ruling, the ECJ – also taking note of the geo-blocking technology put in place by GoogleFootnote 54 – upheld the challenge. The ECJ admitted that the GDPR objective is “is to guarantee a high level of protection of personal data throughout the [EU]”Footnote 55 – and that “a de-referencing carried out on all the versions of a search engine would meet that objective in full.”Footnote 56 However, the ECJ emphasized that “numerous third States do not recognise the right to de-referencing or have a different approach to that right,”Footnote 57 and claimed that it was not apparent from the GDPR that the intent of the EU legislator was “to confer a scope on the rights enshrined in those provisions which would go beyond the territory of the Member States and […] to impose on an operator […] like Google […] a de-referencing obligation which also concerns the national versions of its search engine that do not correspond to the Member States.”Footnote 58 Hence, the ECJ concluded that
“where a search engine operator grants a request for de-referencing pursuant to those provisions, that operator is not required to carry out that de-referencing on all versions of its search engine, but on the versions of that search engine corresponding to all the Member States, using, where necessary, measures which, while meeting the legal requirements, effectively prevent or, at the very least, seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subject’s name from gaining access, via the list of results displayed following that search, to the links which are the subject of that request.”Footnote 59
Yet, if Google v. CNIL seemed to draw a limit to the extraterritorial effects of the right to be forgotten, the ECJ decision in Eva Glawischnig-Piesczek v. Facebook – delivered just a week later, in October 2019Footnote 60 – counter-balanced that. Although this case did not explicitly concern the right to be forgotten, it dealt with an analogous problem – namely the question whether a digital platform could be forced to remove world-wide content posted online which was regarded as defamatory. Mrs Eva Glawischnig-Piesczek, an Austrian politician, had obtained a court order to remove insulting language against her posted on Facebook, but the latter had disabled access to the content initially published only in Austria, prompting the applicant to sue for breach of EU data protection law. In its judgment, the ECJ – after discussing the obligations of digital providers under the e-Commerce DirectiveFootnote 61 – examined whether EU law imposed “any limitation, including a territorial limitation, on the scope of the measures which Member States are entitled to adopt” vis-à-vis information society services,Footnote 62 and ruled that EU law “does not preclude those injunction measures from producing effects worldwide.”Footnote 63 While the ECJ cautioned that “in view of the global dimension of electronic commerce, the EU legislature considered it necessary to ensure that EU rules in that area are consistent with the rules applicable at international level”Footnote 64 – and that therefore “[i]t is up to Member States to ensure that the measures which they adopt and which produce effects worldwide take due account of those rules”Footnote 65 – the ECJ judgment’s consequence was to open the door to Austrian courts to imposing on Facebook obligations “to remove information covered by the injunction or to block access to that information worldwide within the framework of the relevant international law.”Footnote 66
E. The Challenges of Extraterritoriality in Comparative Perspective
The problem of extraterritorial application of domestic laws in the digital realm is not exclusive of the EU. In fact, as Jennifer Daskal has pointed out, there are now an increasing number of cases adjudicated by courts world-wide which raised “critically important questions about the appropriate scope of global injunctions, the future of free speech on the internet and the prospect for harmonization (or not) of rules regulating online content across borders.”Footnote 67 In particular, other recent disputes involving US technology companies and decided in the jurisdictions of Canada and Australia have vividly exposed the challenges of an extraterritorial effect of data protection law.
In 2017, in the case Google Inc. v. Equustek Solutions Inc., the Canadian Supreme Court ordered Google to remove worldwide from its search engine the links to a company’s website violating intellectual property rights.Footnote 68 Equustek, a Canadian IT company, had sued Google claiming that the search engine had failed to de-list from its browser the websites of a competitor, which had breached Equustek intellectual property rights by misappropriating its trademarks. In June 2017, the Canadian Supreme Court, deciding on the matter on appeal, ruled in favour of Equustek and granted it the sought injunction, ordering Google to delist from its browser worldwide all the websites that harmed Equustek. According to the Court, a global enforcement of the delisting request was necessary to prevent harm to the plaintiff.Footnote 69 However, Google subsequently sought an injunction before the US District Court for Northern California to prevent enforcement in the US of the Canadian Supreme Court order as incompatible, among others, with the US First Amendment guaranteeing freedom of speech and principles of international comity. In November 2017, the US District Court granted Google the injunction sought, effectively nullifying the effects of the Canadian Supreme Court ruling in the US.Footnote 70 However, despite the favourable ruling of the Californian court, in April 2018, Google was eventually unsuccessful in its claims before the Supreme Court of British Columbia. The Canadian court was adamant about its refusal to consider Google’s demand to limit the scope of its delisting order.Footnote 71
Similarly, also in 2017, in the case X v. Twitter, the Supreme Court of New South Wales in Australia ordered the Californian company and its Irish subsidiary to remove at global level a series of confidential information posted by a troll.Footnote 72 The applicant X lamented the publication of confidential financial information leaked on Twitter by an anonymous troll from various accounts, including one that used the name of the company’s CEO. Twitter was initially reluctant to suspend the incriminated accounts, but was eventually ordered by the court to provide the identity of the troll and to remove all illegal contents published online. In contrast to the Canadian Supreme Court in the Google Inc. v. Equustek Solutions Inc. case, the Australian court did not consider principles of international comity nor did it carry out a comparative analysis of foreign law on breach of confidence.Footnote 73 Yet, in this case too, the Supreme Court of New South Wales did not hesitate to serve an extraterritorial injunction to remedy the detrimental situation of the domestic applicant.
Similarly to the Canadian and Australian courts, both the recent ECJ cases Google v. CNIL and Glawischnig-Piesczek v. Facebook at first sight leave the door open to a worldwide application of EU law. In Glawischnig-Piesczek v. Facebook, such a global effect represented the primary solution proposed by the ECJ, only subject to the respect of international law.Footnote 74 In Google v. CNIL, as seen in the previous section, the ECJ affirmed that an EU-only form of delisting would suffice. However, espousing the nuanced approach proposed by Advocate General Szpunar,Footnote 75 the ECJ also clarified that nothing prevents Member States to allow for global dereferencing, if the protection of individual privacy and personal data outweighs the safeguard of other competing rights.Footnote 76
From an EU perspective, such an extraterritorial application of EU law can be explained by the need to ensure an effective protection of fundamental rights and limit the risk of circumvention.Footnote 77 The enforcement of the right to be forgotten is exemplary. We now live in a global digital society, which overtakes national boundaries. One’s right to data protection may be violated even where a search engine shows a specific result in a country, which is not that of residence of the data subject concerned. In principle, enforcing that right exclusively within the territory of the EU would not make any sense, given the ease with which data can be accessed world-wide. A violation of such right would occur if an individual, for example residing in France, after lawfully requesting to delist specific search results, discovered that those links are still referenced not only in France, but – say – also in Germany or in the US, with no difference. And this consideration implies that – as much as uniform standards of data protection should apply within the EU – EU data protection rights should also have extraterritorial effects outside the EU.
Nevertheless, the extraterritorial application of EU data protection law poses a series of challenges – which were vividly exposed in the Google Inc. v. Equustek Solutions Inc. case. Asserting domestic data protection standards outside a jurisdiction’s borders may clash with duties of international comity and the need to respect diversity of legal systems. In fact, the balance between the right to be forgotten, freedom of information and free speech is struck differently in jurisdictions around the world – including states that share the same belief in democracy, the rule of law and human rights. Moreover, as the recent judgments of the Canadian and US courts point out, the enforcement of data protection standards outside a jurisdiction’s borders may ultimately be nullified by opposite claims. In the Canadian Google litigation, in particular, the US federal district court blocked the application of the Canadian Supreme Court ruling – de facto limiting the application of the Canadian writ in the US jurisdiction.
In light of these risks, the recent judgments of the ECJ in Google v. CNIL and Glawischnig-Piesczek v. Facebook can be seen as a pragmatic solution, which tries to navigate between the Scylla of data protection imperialism and the Charybdis of digital sovereignty. In fact, it is clear that tensions between these opposing trends are only likely to increase. While criticism have been raised at the ‘imperialist’ attitude of EU data protection law,Footnote 78 other recent developments, including efforts by countries around the world to claim sovereign control over data, expose the risk of a fragmentation of the digital world. Different claims to digital sovereignty are emerging not only in the USFootnote 79 or the EU for that matterFootnote 80 – but also in illiberal regimes around the world,Footnote 81 potentially generating a progressive erosion of fundamental rights online. In this context, the development of transnational legal frameworks – at least among democratic regimes – seems to be the necessary path to preserve data protection rights beyond borders.
The EU is at the forefront of data protection worldwide. The GDPR represents the most comprehensive and advanced regulatory framework for data privacy to date – and the ECJ has developed a progressive case law to protect human rights in the digital age, including outlining a right to be forgotten. These EU law principles are increasingly being taken as comparative example, including by national courts. For example, the German Bundesverfassungsgericht, as we have seen, recently introduced in German law a right to be forgotten modelled on the EU template, recognizing in this way – at least in principle – the role of EU law as leading paradigm in the field of data protection. Yet, EU data protection law generally – and the right to be forgotten specifically – are increasingly facing a question of jurisdictional boundaries. From an EU perspective, the extraterritorial enforcement of EU fundamental rights is regarded as a way to guarantee a full and effective protection and prevent the risk of circumvention. However, the reach of EU data protection law beyond the EU borders also raises a series of challenges, clashing with the principles of international comity and respect for global diversity.
The issue of extraterritorial application of EU data protection law was at the heart of two recent judgments decided by the ECJ: in Google v. CNIL and Glawischnig-Piesczek v. Facebook, the ECJ dealt with the question of whether the right to be forgotten and the obligation to remove defamatory content applied worldwide or not. In the first case, the ECJ ruled that the removal was restricted to EU member states only, while in the second it imposed a world-wide injunction. In both cases, however, the ECJ showed awareness for the cross-borders implications of its decisions and for the need to recognize transnational diversity and international comity, thus finding pragmatic solutions to modulate the effects of EU data protection law beyond the EU borders.
As this article has shown, the challenges that the ECJ was facing were not unique to Europe. Other jurisdictions such as Australia and Canada were also confronted with the dilemma of how to protect digital rights across borders. Theoretically, contemporary digital society, being global, would require worldwide rules. However, the extraterritorial application of data protection standards raises significant challenges. In fact, the protection of privacy in the digital age increasingly exposes a tension between efforts by legal systems to impose their high standards of data protection outside their borders – and thus potentially regarded as a form of ‘imperialism’ –and sovereigntist claims by other legal systems to assert their own power over data.
In this context, states should seek to develop common international law frameworks, which promote transnational standards of data protection. Admittedly, this will not be an easy task. However, this is something that should be explored, particularly among liberal democracies, and at least in the transatlantic context.Footnote 82 Despite differences, jurisdictions such as the EU, Canada and Australia – but also the US – share a similar concern for the need to protect privacy, which puts them at odds with developments in other countries, such as China or Russia. Developing transnational rules for the protection of digital privacy, including outlining mutually acceptable claims to the right to be forgotten, represents therefore the best road forward to make sure that privacy remains a protected right, also in the digital era.