The EU Court of Justice has ruled that Google is not required to wipe sensitive personal data worldwide from its search engine, only in the EU states, according to Telecompaper. The French data protection regulator Cnil had fined the company for not applying the ‘right to be forgotten’ across all versions of its search engine, but the court found that EU law in this regard does not extend beyond the 28 member states.
Cnil ordered Google in 2015 to extend the de-referencing of sensitive personal data from its search engine across its global operations. Prior to that, Google had only removed such data within the EU after a request from an individual. In 2016, Cnil fined Google EUR 100,000 for failure to apply the order.
Google appealed to France’s highest court, the Council of State, and the latter asked the EU court for an interpretation of EU law and its geographic application in such cases. The court found that EU law did not extend elsewhere in the world where the ‘right to be forgotten’ is not always recognised and a sufficient balance with the right to information could not be guaranteed. The law also did not suggest any intention to require de-referencing worldwide, nor did it provide for any coordination between the EU and other jurisdictions on the matter.
While the court found no basis in EU law for a global application of the provision, it noted that it was also not excluded under EU law. As such, national member states could add such a requirement for a search engine to remove personal data at the subject’s request across all versions of the search platform.