TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Does the EU's Right To Be Forgotten Pose a Threat to Companies in the U.S.? Related reading: "Right To Be Forgotten" Tested in Court, Questioned

rss_feed

Even observed from across the pond, the right of EU consumers to compel an Internet search engine to de-link specific personal information of the consumer from certain search results, the right to be forgotten (RTBF), has garnered considerable attention in the U.S. Until recently, it seemed to be a concept that arose solely in the EU. However, late last year a French court, relying on the RTBF, issued an injunction requiring Google to remove allegedly defamatory material linked to a Danish lawyer employed in France from its search engine worldwide. The French court’s order raises a significant question of whether a U.S. court would enforce an RTBF order.

The Right To Be Forgotten

Last May, the Court of Justice of the European Union (CJEU) ruled in Google Spain v. AEPD and Mario Costeja Gonzalez that EU data subjects have a privacy right to request that Internet search engines such as Google remove certain search results linking to third-party websites containing personal information deemed “inadequate, irrelevant or no longer relevant,” absent an overriding public interest in the information. The decision has become synonymous with a RTBF and is based on an action by a Spanish citizen, Mario Gonzalez, to force Google to remove links in its search engine to an old article reporting that Gonzalez’s home was repossessed to pay off Social Security debts.

Since the decision in Google Spain, Google has received more than 201,194 requests to de-link information and has removed the search results in 42 percent of cases. When Google grants a removal request, it typically only removes the personal data from the servers facing the specific EU country. The information may still be visible in other EU countries and in the U.S. It is this practice that likely led to the dispute in the French case last year.

French Court Places RTBF Demand on Google’s U.S. Operations

 In August 2013, Dan Shefat filed a lawsuit seeking to de-link materials that were used in a “defamation campaign” by an unknown individual against his law firm on blogs and websites. A French court granted Shefat’s request, under the RTBF and ordered both Google France and Google, Inc., the U.S.-based operator of Google’s search engine, to de-link the material from search results involving Shefat’s name worldwide. Google complied with the court’s order by removing the link on its Google France search engine but refused to de-link the materials on its Google, Inc., search engine. In September 2014, on Shefat’s request, the Paris Tribunal de Grande Instance issued an injunction requiring Google Inc. to remove links to the materials worldwide and imposed a fine of 1,000 euros per day on Google France until Google, Inc., complies. Google recently confirmed that it would only remove search results from European websites but reserved the right to re-review its policy in the future.

Notably, while very little guidance on applying the RTBF directive existed at the time the French court issued its ruling, it appears to be consistent with guidelines published by the Article 29 Working Party shortly after the decision. Those guidelines allow EU courts to broadly extend their jurisdiction by requiring companies to remove contested links from all domains, not just those in the EU. Under these guidelines, the search results and content on a U.S.-facing search engine that also operates an EU-facing search engine would be subject to a de-linking request pursuant to the RTBF. The Article 29 Working Party recently issued letters to several search engines reminding them of this policy.

Data Privacy in the EU and U.S.

Predicting whether a U.S. court would enforce a RTBF order should begin with an understanding of the differences between the privacy regimes of the two sovereigns. Both regimes are based on principles of freedom of expression, access to information, fairness, notice and consent.

As the Google Spain case illustrates, the EU data privacy regime favors consumer privacy. Data privacy in the EU is generally governed by Directive 95/46/EC, a comprehensive statute that regulates the processing and transfer of personal data in EU member states. The Data Protection Directive is enforced by data protection authorities in each EU member state who also implement and enforce their own national data protection laws. While the directive has been the law of the land for nearly 20 years, the General Data Privacy Regulation, approved by the European Commission on March 12, 2014, is set to supersede the directive.

On the other hand, the U.S. data privacy regime encourages access to information and free expression. U.S. privacy laws are a medley of state and federal laws and administrative decisions, targeting specific data for protection including personal, financial, health and children’s data. Although U.S. privacy laws also consider consumer privacy, there is equal if not overriding concern with ensuring these laws do not inhibit the right to free speech and freedom of expression established by the First Amendment of the U.S. Constitution. In fact, with regard to search engine search results, U.S. courts have held that search engine results are constitutionally protected activity under the First Amendment.

Nonetheless, some U.S. laws extend protections similar to those under the EU’s RTBF, at least with regard to children and minors. U.S. federal law, such as the Children’s Online Privacy Protection Act, proposed amendments and state law, such as the Privacy Rights for California Minors in the Digital World that went into effect this month, generally allow the removal of certain online personal information about children or minors. In addition, although the regulatory focus in the U.S. is currently on minors, there does appear to be a general interest by the U.S. public for a RTBF law.

Is the RTBF Enforceable in the U.S.?

Putting aside issues of international comity, ultimately, a U.S. court’s willingness to enforce the RTBF directive could depend on whether there are similarities between the privacy protection sought by the EU court and the protections provided by analogous privacy laws in the U.S.

Given the First Amendment implications of censoring online content and the search results of an Internet search engine, a U.S. court may be hesitant to enforce the order issued by the French court requiring Google Inc. to de-link the defamatory material from the search results in its U.S. search engine. The French court’s decision is consistent with EU privacy principles that focus on the privacy rights of the consumer but gives little regard to the principle of freedom of expression, a principle a U.S. court is likely to find overriding. In addition, adopting a RTBF principle is inconsistent with U.S. public policy of transparency and accuracy in information about citizens. Practically, however, Google may have no choice but to comply with the RTBF order in an effort to preserve its business operations in EU countries.

This does not mean that a U.S. court is likely to decline to enforce a RTBF directive in all situations. A U.S. court might be willing to enforce such a directive in situations where an EU member country seeks to enforce the directive against a U.S. company’s U.S. operations with regard to materials concerning children or minors. The current and proposed legislation in the U.S. allowing the removal of online information relating to children and minors suggests that U.S. courts may be willing to provide such relief, especially where it is consistent with these laws.

Needless to say, the question will only be answered if an EU member state entity petitions a U.S. court to enforce a RTBF order. Any such case should be closely followed as it could have a significant impact on the jurisdictional reach of the EU over U.S. companies operating in their countries as well as provide some insight on how U.S. court’s perceive the right to be forgotten.

2 Comments

If you want to comment on this post, you need to login.

  • comment John • Feb 25, 2015
    Thanks John and Freggie for presenting a useful analysis of a fascinating issue.  Simplifying here but it seems there are two issues: 1/ questions of international jurisdiction and extraterritoriality and 2/ what is the right thing to do from a privacy standpoint.  From the first issue---I try to imagine what would happen if every region or country asserted its own privacy law and ruling globally.  The end point would be a massive conflict of laws creating clash of values (e.g., freedom of speech vs. privacy).  My sense is that countries will need exercise greater restraint in how they assert their privacy laws globally.     Great article.
  • comment Patrick • Feb 27, 2015
    This is a very interesting analysis on this difficult question, tied to different cultures on both sides.
    Viewed from Europe, there seem to be a similar, but differently solved, question when European branches of US Companies are asked to provide personal data to the US agencies, under the Patriot Act.
    Providing such data should not be allowed by European laws and Directive 95/46/EC. However, in that situation US Companies comply with US law, even though the subsidiary, and the Data Subject, are in Europe.