Hostname: page-component-78c5997874-j824f Total loading time: 0 Render date: 2024-11-18T01:08:09.874Z Has data issue: false hasContentIssue false

Google LLC v. Commission Nationale de l'Informatique et des Libertés (CNIL) and Eva Glawischnig-Piesczek v. Facebook Ireland Ltd. (C.J.E.U.)

Published online by Cambridge University Press:  30 June 2020

Kenneth Propp*
Affiliation:
Kenneth Propp teaches European Union law at Georgetown University Law Center and is a Fellow with the Atlantic Council's Future Europe Initiative.

Extract

During the fall of 2019, the European Court of Justice (hereinafter the ECJ or the Court) delivered judgments in two cases addressing the responsibility of internet platform companies for the personal information they control. In Google LLC v. Commission Nationale de l'Informatique et des Libertés (CNIL), the ECJ considered the geographic scope of its notable recent jurisprudence on the obligations of search engines to implement the “right to be forgotten” set forth in European Union (EU) data protection law. In Eva Glawischnig-Piesczek v. Facebook Ireland Limited, the Court examined whether Facebook was obliged under EU law to remove information available on the social network that previously had been found under Austrian law to defame an Austrian politician.

Type
International Legal Documents
Copyright
Copyright © 2020 by The American Society of International Law

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

ENDNOTES

1 Case C-507/17 Google LLC v. Commission Nationale de l'Informatique et des Libertés (CNIL) (Sept. 24, 2019) [hereinafter Google v. CNIL], http://curia.europa.eu/juris/document/document.jsf?text=&docid=218105&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=329422.

2 The “right to be forgotten” is the popular expression for what is officially known as the “right to erasure,” set forth in Article 17 of the EU's General Data Protection Regulation (GDPR). Regulation 2016/679/EU of the European Parliament and of the Council of Apr. 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, 2016 O.J. (L119) 1.

3 Case C-18/18 Eva Glawischnig-Piesczek v. Facebook Ireland Limited (Oct. 3, 2019) [hereinafter Glawischnig-Piesczek], http://curia.europa.eu/juris/document/document.jsf?text=&docid=218621&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=329468.

4 Case C-131/12 Google Inc. Spain SL and Google Inc. v. Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzales (May 13, 2014) [hereinafter Google Spain], http://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=329550. The Google Spain judgment interpreted Articles 12 and 14 of the EU's Data Protection Directive, Directive 95/46, 1995 O.J. (L 281) [hereinafter 95 Directive]. Article 17 of the GDPR, which came into force later in 2016, combined the content of these articles of the 95 Directive with the ECJ's holding in Google Spain.

5 In this case the judgment was issued by the ECJ's Grand Chamber, consisting of thirteen judges. The Court utilizes this larger configuration in the most important cases to come before it.

6 Google v. CNIL, supra note 1, ¶ 60. The right to protection of personal data is set forth in Article 8 of the Charter of Fundamental Rights of the European Union, 2007 O.J. (C 303), and the rights relating to information are addressed in Article 11.

7 Id.

8 Google v. CNIL, supra note 1, ¶ 62. Because this case was initiated when the predecessor data protection legislation to the GDPR, the 95 Directive, was still in force, the ECJ's holding addresses Articles 12 and 14 of that legislation, as well as Article 17 of the GDPR.

9 Id. ¶ 64. In a curious passage at the end of the judgment, however, the ECJ suggested that even though the GDPR did not require global deletion of offending search results, an EU member state data protection authority nevertheless would be competent to impose such a requirement in a particular case on the basis of national standards of data protection. Id. ¶ 72.

10 Id. ¶ 66.

11 Id. ¶ 68.

12 The Court took note of Google's implementation of a new search architecture, instituted during the course of the proceeding, under which an individual is automatically redirected to the national domain of the place where they are ascertained to be, even if the user initiated the search via another member state's domain. Id. ¶ 42.

13 Since the ECJ first enunciated the right to be forgotten in relation to search engines in the Google Spain case, courts in a number of other countries around the world, including Canada, Japan, Turkey, and Russia, have begun to incorporate it into their own data protection jurisprudence as well.

14 Directive 2000/31/EC of the European Parliament and of the Council of June 8, 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, 2000 O.J. (L 178) [hereinafter the e-Commerce Directive].

15 This provision of EU law is similar in effect to section 230 of the U.S. Communications Decency Act of 1996.

16 Glawischnig-Piesczek, supra note 3, ¶ 37.

17 Id. ¶ 45.

18 Id. ¶ 46.

19 e-Commerce Directive, supra note 14, art. 18(1).

20 Glawischnig-Piesczek, supra note 3, ¶¶ 49–50.