
The Right to be Forgotten: The Extraterritorial Reach of EU Data Protection Law with Special Regard to the Case of Google v CNIL


Academic year: 2021


Department of Law

Spring Term 2018

Master’s Thesis in EU Law and Private International Law

30 ECTS

The Right to be Forgotten - The Extraterritorial Reach of EU Data Protection Law with Special Regard to the Case of Google v CNIL

Rätten att bli bortglömd - Den extraterritoriella räckvidden av EUs dataskyddslagstiftning med särskilt beaktande av målet Google mot CNIL

Author: Frida Almlöf


Foreword

Four and a half years of law school are almost completed and this thesis will be the end of what has been an incredible but tough journey. Without doubt, private international issues in data protection law have been the trickiest but also amongst the most interesting encounters during my time at law school. I would like to thank my conflict of laws teacher at the University of Auckland, who introduced me to the complexity of private international law issues arising in the Internet context, and for mentioning the case of Google v CNIL in one of our classes, which gave me the idea for this thesis. Furthermore, I would like to thank my supervisor Professor Maarit Jänterä-Jareborg at Uppsala University for her great support and help throughout the process of writing this thesis. And lastly, to my friends and family, thank you for being there for me during these years and for constantly reminding me what is really important in life.


Abbreviations

Brussels I bis Regulation: Regulation No 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters

The Charter: The Charter on Fundamental Rights and Freedoms

CJEU: The Court of Justice of the European Union

CNIL: La Commission nationale de l’informatique et des libertés (the French Data Protection Authority)

The Data Protection Directive: Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data

ECHR: The European Convention on Human Rights

ECHtR: The European Court of Human Rights

GDPR: Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data

Rome I Regulation: Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations

Rome II Regulation: Regulation No 864/2007 on the law applicable to non-contractual obligations

TEU: The Treaty of the European Union

TFEU: The Treaty on the Functioning of the European Union

U.S.: The United States of America


Relevant Terminology

Article 29 Working Party: The Article 29 Working Party was an independent European advisory body, which consisted of representatives from the data protection authorities of each Member State, the European Data Protection Supervisor and the EU Commission. After the GDPR entered into force on 25 May 2018, the Article 29 Working Party was replaced by the European Data Protection Board.

De-listing: De-listing refers to the removal of links to web pages from a list of search results displayed when an Internet user makes a search on a search engine.

Domain name: Websites generally have domain names that identify which country the website is associated with, such as “.se” for Sweden or “.dk” for Denmark.

IP-address: IP-address stands for Internet Protocol address and is a way to determine an Internet user’s physical location through the location of the user’s device (computer, cell phone etc.). It contains a unique string of numbers, which can identify the location of the user to State, province, city, longitude and latitude.

Third country: A third country is a country that is not a Member State of the European Union (EU).

Search engine: A search engine enables Internet users to find existing information on the World Wide Web by searching on specific search terms. The search results are presented in a list of search results. The most used search engine in the world is Google Search operated by the U.S. company Google LLC.

VPN: VPN stands for Virtual Private Network. A VPN makes it possible for a user to reroute its connection via an IP-address located somewhere else, making it appear as if the computer is located in another country.

Web page: The World Wide Web consists of billions of web pages. Each web page has a unique address, a specific string of symbols also known as a Uniform Resource Locator (URL), by which it can be found. A website usually consists of a collection of different web pages.

Table of Contents

1. Introduction

1.1. Background

1.2. Objectives

1.3. Demarcations

1.4. Method and Sources

1.5. Outline

2. Data Protection in the EU

2.1. Introduction

2.2. A History of Data Protection – From the ECHR to the GDPR

2.3. The Right to Privacy and the Protection of Personal Data

2.4. The Scope of the Rights

2.5. Not Absolute Rights

2.6. Data Subjects and Personal Data

2.7. Controllers, Processors and Processing

3. Data Protection, Jurisdiction and Choice of Law

3.1. Introduction

3.2. Data Protection – Public or Private Law?

3.3. Traditional Private International Law Instruments

3.4. Jurisdiction and Choice of Law in Data Protection Litigation

3.5. Jurisdiction under Public International Law

4. Google Spain and The Right to Be Forgotten

4.1. Introduction

4.2. The Google Group and Google Search

4.3. Background of the Google Spain Case

4.4. The Liability of Search Engine Operators

4.5. A Right to be Forgotten

4.5.1. The Existence of a Right to be Forgotten

4.5.2. The Balancing of the Interests Involved

4.6. The Territorial Scope of the Directive

4.7. The Implementation of the Google Spain Ruling

5. Google v CNIL

5.1. Introduction

5.2. The Appealed Decision

5.3. Reference to Preliminary Ruling

5.4. The Data Protection Directive or the GDPR?

5.5. The GDPR and The Right to be Forgotten

5.5.1. The Territorial Scope

5.5.2. A Strengthened Right to be Forgotten

6. Google v CNIL in light of Google Spain

6.1. Introduction

6.3. One Single Processing of Personal Data

6.4. A Comparison with a Recent Swedish Judgment

6.5. The Effective and Complete Protection of Personal Data

6.6. Conclusion

7. The Effective Protection of Personal Data

7.1. Introduction

7.2. How Comprehensive is the Right to be Forgotten?

7.3. The Notion of an Effective and Complete Protection

7.4. Potential Approaches and Their Effectiveness

7.4.1. Question 1 and 2 – is Global De-listing a Necessary Measure?

7.4.2. Question 3 – the Use of Geo-blocking Techniques

7.5. Does the Law Need to Be 100% Efficient?

8. Freedom of Expression and Information on the Internet

8.1. Introduction

8.2. The Freedom of Expression and Information

8.3. Impacts on the Freedom of Expression and Information

8.4. Freedom of Expression and Information in Third Countries

8.5. Considerations of Sovereignty and Comity

9. Final Remarks


1. Introduction

1.1. Background

“Since the beginning of time, for us humans, forgetting has been the norm and remembering the exception. Because of digital technology and global networks, however, this balance has shifted. Today, with the help of widespread technology, forgetting has become the exception, and remembering the default.”1

In the preliminary ruling of Google Spain2 from 2014 the Court of Justice of the European Union (CJEU) established that there existed a right to be forgotten on the Internet to be respected by search engine operators under the Data Protection Directive3.

The right obliges search engine operators to, under certain circumstances, de-list links to third party web pages appearing in the search results. This may be required when the web page contains personal data relating to an individual and is made available following a search made on the basis of the individual’s name. When an individual makes a request to a search engine operator, the operator is required to de-list when the information in question is inadequate, irrelevant or excessive in relation to the purpose for which the data is being processed. This follows a weighing of the data subject’s fundamental right to privacy against the search engine’s economic interest and the general public’s interest in accessing the information. The right to be forgotten is now clearly expressed in Article 17 of the General Data Protection Regulation4 (GDPR), which became applicable on 25 May 2018.

The CJEU’s ruling in Google Spain was without doubt a controversial one; it has led to an intense debate in legal doctrine and amongst organisations advocating for privacy and, on the other side, for freedom of expression and information online. The judgment has further led to great implementation difficulties. How should a search engine operator draw the balance between the right to privacy, its own economic interests and the general public’s interest in accessing the information? Moreover, how far does the right to be forgotten reach, from a geographical point of view?

1 Viktor Mayer-Schoenberger, Delete: The Virtue of Forgetting in the Digital Age, p 2.

2 Case C-131/12 Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González.

3 Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

4 Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

The question of geographical width or “territorial reach” is relevant when search engines, as they generally do, operate from several different country specific versions. To give a concrete example: Google Search, operated by the American company Google LLC (Google), is the most used search engine in the world.5 Google Search operates from several different country specific versions of the search engine and the content shown on these different versions varies. For example, the language used, the search results and the advertisements shown are adapted to the preferences of Internet users of each specific country.6

Up until October 2017, the country specific version of the search engine that an Internet user accessed was determined by the domain name entered into the browser, such as “google.se” (Sweden), “google.fr” (France) and “google.co.nz” (New Zealand). After October 2017, Google has turned to an approach which automatically determines the version of the search engine accessed by location. In practice, and as will be shown later, this does not result in any major change, as it is possible to access another country’s version of the search engine by changing the settings. For the sake of simplicity and in order to adopt the terminology of the preliminary ruling in Google v CNIL7, I will in the following use the term “domain name” when referring to the different country specific versions of the search engine.

After the ruling in Google Spain, Google has consequently removed search results from all the country specific domains within the EU, when the company has found a request on the right to be forgotten justified. Google has, in addition, blocked search results from showing on non-EU domains if the searches are made within the EU, as determined through the user’s IP-address, so-called geo-blocking.8 The Article 29 Working Party (the Working Party), an independent European advisory body set up in order to give guidelines on EU data protection matters, argues that the de-listing needs to be global. According to the Working Party, this is the only way to sufficiently protect the data subject’s right to be forgotten. The Working Party recognizes that an approach of limiting the de-listing to EU domains would allow circumvention of EU data protection law.9

5 Curwen, "Google: A regular column on the information industries", p 191-194.

6 See Google, AdSense help, “How ads work”.

7 Case C-507/17 Google Inc. v Commission nationale d’informatique et des libertés.

8 Google Transparency Report, “Search removals under European privacy law”.

The ambiguity concerning the “territorial reach” of the right to be forgotten has led the French Court, le Conseil d’État, to request a preliminary ruling on the matter, the case of Google v CNIL. The request was filed in August of 2017. The French Court wants to know if the right to be forgotten requires the Court to order de-listing of search results on all of Google’s domains or if de-listing from the domains within the EU, potentially combined with geo-blocking techniques, is sufficient to ensure the effective protection of the right.

The case and the forthcoming preliminary ruling in Google v CNIL raise several interesting legal issues as several fundamental interests collide. No one can blame the EU for wanting to ensure an effective protection of its residents’ fundamental rights to privacy and protection of personal data, as guaranteed by the European Convention on Human Rights (ECHR) and the Charter on Fundamental Rights and Freedoms (the Charter). Yet, if content is to be removed on all of the search engine’s domains worldwide, it would undoubtedly limit what the rest of the countries of the world can access on the Internet. But can the guaranteed right to be forgotten be sufficiently protected if its reach is not global? And what would the potential implications be on the freedom of expression and information online if the right to be forgotten is given extraterritorial reach?

The questions of how to divide jurisdiction between different States and which country’s law applies to certain situations have long been subject to discussion in both private international law and public international law.10 The borderless nature of the Internet makes these issues more complex than ever. Litigation is increasingly directed against global players, such as search engines and social media platforms, as they have the power to accomplish global removal of content placed online.11 The forthcoming preliminary ruling in Google v CNIL displays some of the challenges for Internet regulation and some of the interests at stake.

9 Article 29 Working Party, “Guidelines on the implementation of the Court of Justice of the European Union judgment on “Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12”, p 3.

10 Mills, The Confluence of Public and Private International Law: Justice, Pluralism and Subsidiarity in

1.2. Objectives

The main aim of this thesis is to identify and discuss relevant legal issues that the CJEU has to consider when delivering its forthcoming preliminary ruling in Google v CNIL. In essence, the question is whether the right to be forgotten is to be implemented on a global scale, only within the EU, or only within the Member State from which the request of a data subject is made. The parties to the proceedings are the French data protection authority La Commission nationale de l’informatique et des libertés (CNIL) and the United States (U.S.) company Google. However, the underlying dispute concerns two private parties: a data subject in the EU who wants “to be forgotten” and a search engine operator’s potential obligation to do so. The questions will hence primarily be evaluated from a private international law perspective.

In order to reach this aim it is necessary to first properly investigate the data protection law of the EU and how private international law issues relating to data protection are determined. What are the underlying principles of data protection law? Who is covered by its protection and who is covered by its obligations? How are jurisdiction and choice of law determined in data protection matters? What considerations might be necessary in relation to other countries when applying private international law rules that have effect outside the EU?

The preliminary ruling in Google Spain, where the CJEU established that data subjects had a right to be forgotten by search engine operators and the territorial scope of the Data Protection Directive, will be carefully examined as the ruling sets the legal background to the dispute in Google v CNIL. The referred questions from the French Court to the CJEU will be described as well as the argumentation of the parties in the national proceedings. I will further discuss the relevance of the new GDPR to the forthcoming preliminary ruling. Lastly, I will analyse potential answers that the CJEU might provide in the forthcoming ruling in light of the Google Spain judgment. In other words, does Google Spain give any guidance as to how the questions might be approached in Google v CNIL?

After establishing the relevant EU law and examining the relevant cases, I will discuss legal issues appropriate for the CJEU to consider when delivering its forthcoming ruling. Firstly, can the effective protection of EU residents’ right to privacy and data protection, as reflected in the right to be forgotten, be guaranteed if the de-listing of search results is not global? Or would the protection still be sufficient if the de-listing of content made by search engines were limited to the EU, potentially combined with geo-blocking? Secondly, how might the right to be forgotten affect the freedom of expression and information as guaranteed by the ECHR and the Charter? And what could the possible consequences be for third country citizens’ right to freedom of expression and information if the data protection law of the EU were given such extraterritorial reach? Issues of sovereignty and comity will be touched upon in this context.

Although the focus of the thesis is to evaluate the right to be forgotten in relation to the extraterritorial reach of the EU’s data protection law, the thesis is relevant in a much broader context: how should countries go about regulating content on the borderless Internet? In their eagerness to protect their own citizens, countries may overlook other interests, which are necessary to consider. Google v CNIL is, in my view, an excellent case to display the different interests involved when dealing with Internet regulation. Thus, some of the conclusions in this thesis may be relevant for other countries outside the EU and other areas of law as well.

1.3. Demarcations

The main focus of this thesis is to analyse the case and the forthcoming preliminary ruling of Google v CNIL. This is largely made in light of the previous preliminary ruling of Google Spain. Due to the limited scope of the thesis, only EU law directly relevant for the two cases will be analysed. Both cases concern processing of personal data in relation to the Data Protection Directive, carried out before the GDPR entered into force on 25 May 2018. The thesis will thus focus on the Data Protection Directive, although relevant potential changes will naturally be discussed as all future right to be forgotten requests are to be evaluated under the GDPR. The GDPR has expanded the territorial scope of EU data protection law. The new territorial scope of the GDPR is both important and interesting to discuss. However, due to its complexity, it will only be evaluated to the extent that it is directly relevant for the assessment of Google v CNIL. EU data protection law has two principal aims: to protect natural persons with regard to the processing of personal data and to enable free movement of personal data within the union.12 This study focuses solely on the protection of natural persons with regard to the processing of personal data. Further, it should be emphasised that this is a study in EU law and private international law. Public international law aspects of Google v CNIL are nonetheless relevant, as EU law might come in conflict with the interests of other States. Public international law will be touched upon, but it is not the aim of this thesis to provide a comprehensive analysis of Google v CNIL from a public international law perspective. For an analysis from the perspective of public international law, I refer to previous works.13

In the case of Google Spain, the CJEU held that three potential interests might collide when search results were to be de-listed by search engine operators, namely, the data subject’s interest of privacy and data protection, the interest of individuals wishing to access the search results and the economic interest of the search engine. I have chosen to focus on the first two interests, i.e. the right to privacy and data protection and freedom of expression and information. The demarcation is based on the limited weight that the CJEU gave to the search engine’s economic interest in the case. More specifically, the Court held that an interference with the data subject’s fundamental right to privacy and data protection could “not be justified by merely the economic interest which the operator of such an engine has in the processing”.14

Because of the limited scope of this thesis, I have further chosen to focus on search engine operators, and more specifically Google. This is done for several reasons. The two cases subject to analysis, Google Spain and Google v CNIL, concern the search engine operator Google. Google is the major search engine, with approximately 90% of the market shares within the European Economic Area.15 Moreover, search engine operators are global players that have the possibility to achieve global removal of online content; this is in contrast to most other controllers of personal data. Search engine operators play an especially important role in the information society. Hence, when regulating their activities, it might have serious implications on the freedom of expression and information on the Internet. Further, because of the important role search engines play for the information society, to not be able to effectively regulate them may, on the contrary, be especially harmful for individuals’ protection of privacy and personal data.

12 See Article 1 of the GDPR and Article 1 of the Data Protection Directive.

13 See for example Van Alsenoy and Koekkoek “The Extraterritorial Reach of the Right to be Forgotten”, and, for a general analysis of the extraterritoriality in EU data protection law from a public international law perspective, see Ryngaert “Symposium issue on extraterritoriality and EU data protection”.

The EU legislation that will be in focus is the Data Protection Directive and the GDPR. National data protection laws will not be studied. Other private international law instruments, such as the Brussels I bis Regulation and the Rome II Regulation, will be mentioned but merely to display the particular role data protection law has received within EU private international law.

1.4. Method and Sources

The thesis is an analysis of the extraterritorial reach of data protection law of the EU with special regard to the case of Google v CNIL. The analysis is made from the perspective of EU law. I will hence adopt the EU legal method.

The EU is an international organization with its roots in public international law. It does, however, enjoy a particular position as an international organisation because of its supranational character.16 EU law may thus be regarded as an autonomous legal system.

The legal method of the EU can be described as the way in which the legal sources of the union are approached, namely, how EU legal sources are to be interpreted and applied.17

15 European Parliament, “Google antitrust proceedings: Digital Business and Competition”, Briefing on July 2015, p 1.

16 Riesenhuber, European Legal Methodology, p 154, 155.

17 Reichel, Juridisk metodlära, p 109.

The primary law of the EU consists of the Treaty on European Union (TEU) and the Treaty on the Functioning of the European Union (TFEU) and the Charter of Fundamental Rights of the European Union (the Charter). The treaties and the Charter all enjoy equal legal value and have been ratified by each Member State.18 The primary law is further normally considered to include the general principles of EU law. General principles are unwritten and developed by CJEU case law, although some of them have been codified in the Treaties.19 The secondary law is based on the primary law. It consists of, amongst others, Regulations and Directives.20 There is a hierarchical relationship between the primary law and the secondary law, meaning that adopted secondary law must comply with the treaties, the Charter and the general principles of EU law.21

The secondary law that will primarily be examined is the Data Protection Directive and the GDPR, which replaced the Data Protection Directive as of 25 May 2018. The two legal acts are largely similar. In Recital 9 of the GDPR it is stated that the objectives and the principles of the Data Protection Directive remain sound. When the GDPR contains identical or similar provisions, the case law developed in relation to the Data Protection Directive may thus be relevant in relation to the interpretation of the GDPR as well.22

Pursuant to Article 288 of the TFEU, a Directive is binding as to the result to be achieved, but leaves the Member States the choice of form and method. Consequently, a Directive leaves the Member States some degree of discretion. The Member States further need to transpose a Directive into their national law in order to give effect to it, although Directives may under certain circumstances have direct effect.23 A Regulation, on the other hand, is directly applicable in all Member States in its entirety. Thus, no national measures are required in order to give effect to a Regulation.24

18 Riesenhuber above n 16 p 153.

19 Cuyvers, General Principles of EU Law, p 218, 219.

20 Barnard and Peers European Union Law, p 99-103.

21 Barnard and Peers above p 103, 104.

22 See Jay, Guide to the General Data Protection Regulation: A Companion to Data Protection Law Practice, p 46.

23 Barnard and Peers above p 100.

24 Barnard and Peers above n 20 p 100.

The relationship between the EU and the Member States is governed by several central principles. These include the EU law’s primacy over the laws of the Member States, the principle of direct effect and the principle of sincere cooperation. The principle of direct effect means that an EU provision becomes an immediate source of law for the national courts and the administrator, without further implementation measures required.25 The principle of sincere cooperation obliges the Member States to take all necessary measures to ensure that the obligations imposed on them by EU law are fulfilled. It also obliges Member States to refrain from every measure that might jeopardize the fulfilment of the objective of the union and includes an obligation to interpret national law in light of EU law.26

The CJEU is the main judicial organ of the Union and has played an important role in the development of EU law. It consists of three judicial bodies: the Court of Justice, the General Court and the Civil Service Tribunal.27 I will use the general term “CJEU” throughout this thesis without any distinction between the Courts.

The CJEU uses several legal methods when interpreting the legal acts of the union: the wording of the provisions, the legal context in which the provision appears and the teleological interpretation method based on the objective of the provision. The latter interpretation method is especially associated with the CJEU.28 The doctrine of effet utile is used by the CJEU as part of the teleological interpretation and refers to the practical effect of EU law. It means that EU law is to be interpreted in such a way that it is not deprived of its effectiveness. Furthermore, the Court may rely on the effet utile to make sure that a regulatory purpose is achieved to the greatest extent possible.29 Recitals are included in the preambles of both the Data Protection Directive and the GDPR. Recitals do not establish any right for individuals, as rights require a provision in the operative part of the act. Recitals may nevertheless be useful for the CJEU when analysing the legislator’s intention in relation to a legal act.30

25 Barnard and Peers above n 20 p 143.

26 Reichel above n 17 p 113.

27 Barnard and Peers above n 20 p 256.

28 Reichel above n 17 p 122.

29 Riesenhuber above n 16 p 252, 253.

30 Riesenhuber above n 16 p 248.

Preliminary rulings are an important source of law in this thesis. Preliminary rulings are regulated in Article 267 TFEU. Pursuant to the Article, national courts of the Member States may refer questions to the CJEU for a preliminary ruling when guidance on how to interpret EU law is desired. Preliminary rulings can clarify the interpretation of both primary and secondary law. In a preliminary ruling, the CJEU does not decide an actual case based on its merits but gives a ruling on the validity or interpretation of EU law. Thus, preliminary rulings may be regarded as an interim stage in the national proceedings, which continue after the ruling by the CJEU. The national court referring the questions is bound by the answers provided by the CJEU; failure to comply constitutes a breach of EU law.31 The prevailing opinion is further that preliminary rulings also bind courts of other Member States. Preliminary rulings lay down how EU law must be interpreted, which makes the interpretation by the CJEU an integral part of the EU provision in question. The view that the courts of all Member States are bound by a preliminary ruling is further supported by the fact that the CJEU itself attaches a general validity to its own preliminary rulings.32

This thesis is primarily concerned with the fundamental right to protection of personal data and freedom of expression and information, which are protected by the Charter and the ECHR. The Charter has status as primary law within the EU. Although the EU is not a member of the ECHR, the CJEU has declared that the articles of the ECHR are part of the general principles of EU law.33 It is further stated in the Charter that when the Charter contains rights corresponding to rights guaranteed by the ECHR, the meaning and the scope of those rights shall be the same.34

Other legal sources that will be used in this thesis are legal doctrine and opinions by the Working Party. The Working Party was an independent European advisory body, which consisted of representatives from the data protection authorities of each Member State, the European Data Protection Supervisor and the EU Commission.35 After the GDPR became applicable on 25 May 2018, the European Data Protection Board replaced the Working Party.36 Statements by the Working Party only have advisory status but because of the Working Party’s composition, they are generally greatly respected.37

31 Broberg and Fenger, Preliminary References to the European Court of Justice, p 441.

32 Broberg and Fenger, above p 450, 451.

33 Ferraro and Carmona, “Fundamental Rights in the European Union: the role of the Charter after the Lisbon Treaty”, p 5.

34 See Article 52.3 of the Charter.

1.5. Outline

The study will initially introduce the data protection law of the EU in Chapter 2. This includes an explanation of the principles underlying data protection law and certain vital definitions. I will refer to both the Data Protection Directive and the GDPR when explaining the terms, as the definitions are in principle the same in the two legal frameworks. The introduction is followed by an overview of jurisdiction and choice of law issues in data protection law, both from the view of private international law and, to some extent, public international law in Chapter 3. This is essential in order to grasp the issues relating to extraterritorial reach of data protection law.

In Chapter 4, the CJEU’s judgment in Google Spain will be studied. In Chapter 5, the issues raised in the case of Google v CNIL are described. This includes an introduction to the procedural history as well as the questions referred for a preliminary ruling by the French Court. Further, I will comment on the differences between the Data Protection Directive and the GDPR to the extent relevant to the case. In Chapter 6, I will analyse potential answers to the question referred to the CJEU in Google v CNIL in light of the judgment in Google Spain.

In Chapter 7, the effective protection of the right to privacy and data protection of individuals within the EU will be analysed in relation to the possible answers that may be provided by the CJEU in Google v CNIL. In Chapter 8, the potential limitations that the right to be forgotten places on the freedom of expression and information on the Internet will be discussed, first from a more general perspective, and secondly, from a third country perspective. The third country perspective also involves issues of sovereignty and comity. Lastly, Chapter 9 will contain some final remarks.

36 Article 29 Working Party, “The Article 29 Working Party Ceased to exist as of May 25 2018”.

37 Carey, Data Protection: A Practical Guide to UK and EU Law, p 9.

2. Data Protection in the EU

2.1. Introduction

Rapid technological developments pose new threats to the protection of privacy and personal data.38 Due to the global reach and exponential growth of the Internet, personal data “can be collected, transmitted and stored easier than ever before”, Meier explains.39 And personal data is without doubt a valuable commodity; some of the world’s most profitable companies have no valuable assets besides the personal data of their customers.40 As a response to this development, data protection legislation has been adopted all around the world in the last three decades, the European Human Rights framework being the most comprehensive one.41 In the following section, I will start by presenting the history of data protection law within the EU. Thereafter, I will describe the protection that privacy and personal data enjoy within the EU. Lastly, definitions related to the Data Protection Directive and the GDPR will be explained.

2.2. A History of Data Protection – From the ECHR to the GDPR

The development of a shared framework for data protection within Europe commenced with the European Convention on Human Rights (ECHR). The ECHR was adopted by the Council of Europe in 1950 and entered into force in 1953. Today, the Council of Europe has 47 Member States, including all Member States of the EU. The ECHR includes a right to respect for privacy and family life in Article 8. The need for specific protection of personal data, alongside the right to privacy, was addressed by the Council of Europe in the 1970s. This resulted in the adoption of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which entered into force in 1981.42 The Convention includes basic principles for the processing of personal data, such as rights for data subjects and requirements for data controllers. In the Convention, data protection is defined as the protection of fundamental rights and freedoms of natural persons, in particular their right to privacy, with respect to the processing of personal data.43

38 Witzleb et al, Emerging Challenges in Privacy Law, p 2.

39 Meier, “How Has the Law Attempted to Tackle the Borderless Nature of the Internet?”, p 156.

40 Meier above p 156.

41 Witzleb et al above p 4.

42 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ETS No 108.

The EU legislature considered that the progress of information technology, and the national variations of data protection in the different Member States, required a more comprehensive and harmonized protection of personal data within the EU.44 Thus, the Data Protection Directive was adopted in 1995. The Data Protection Directive was based on the principles of the Convention but developed and specified the protection in many ways.45

In 2000, the EU adopted the Charter on the Fundamental Rights and Freedoms (the Charter). The Charter was based on the ECHR, but provided for a specific right to data protection in Article 8 parallel to the right to respect for privacy in Article 7. The Lisbon Treaty was adopted in 2009. The Treaty introduced a legal basis for legislation on data protection in Article 16 TFEU with the independent aim of the protection of personal data. This gave the right to the protection of personal data a particular – and horizontal – position in the primary law of the EU.46 On the legal basis of Article 16 TFEU, the EU legislature adopted the GDPR on 27 April 2016. The GDPR was applicable from 25 May 2018. In the preamble to the GDPR it is particularly specified that: “rapid technological developments and globalisation have brought new challenges for the protection of personal data”47 and that the developments “require a strong and more coherent data protection framework within the Union”.48 The GDPR has the same objectives as the Data Protection Directive but makes the data protection law of the EU directly applicable in the Member States without national variations, except when expressly allowing for such variations.49

43 Witzleb et al above n 38 p 62, 63.

44 See Recitals 7-10 of the Data Protection Directive.

45 Witzleb et al above n 38 p 64.

46 Witzleb et al above n 38 p 65, 66.

47 Recital 6 of the GDPR.

48 Recital 7 of the GDPR.

49 See for example Article 8 of the GDPR, according to which the Member States may decide at what age

2.3. The Right to Privacy and the Protection of Personal Data

The right to respect for privacy and family life is guaranteed by Article 8 of the ECHR, which states, “everyone has the right to respect for his private and family life, his home and his correspondence”. The right to respect for privacy is also declared in the Charter with an identical wording. Article 8 of the Charter further provides for the specific protection of personal data, “[e]veryone has the right to the protection of personal data concerning him or her”. It is clear that the right to privacy and the protection of personal data are treated as two distinct rights within the meaning of the Charter. This distinction is further emphasized by Recital 4 of the GDPR:

“This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data […]”50

But what are the real differences between the protection of personal data and the right to respect for privacy? In its case law, the European Court of Human Rights (ECtHR) has interpreted the respect of private life as including a right to the protection of personal data.51 The right to respect for private life also includes a range of other rights, including the right to personhood, the right to be left alone and the right to personal integrity.52 The right to protection of personal data can thus be seen as a category under the much broader “right to privacy”.

Nevertheless, in Bavarian Lager53 the CJEU pointed out that:

“[T]he fact that the concept of ‘private life’ is a broad one, in accordance with the case-law of the European Court of Human Rights, and that the right to the protection of personal data may constitute one of the aspects of the right to respect for private life does not mean that all personal data necessarily fall within the concept of ‘private life’.”54

50 Recital 4 of the GDPR. My emphasis added.

51 Kokott and Sobotta, “The distinction between privacy and data protection in the jurisprudence of the CJEU and the ECtHR” p 222; see further Cameron, An Introduction to the European Convention on Human Rights p 116.

52 See Tzanou, “Data protection as a fundamental right next to privacy? ‘Reconstructing’ a not so new right” p 90.

In other words, it may be argued that the right to the protection of personal data has a different, to some extent wider, scope than the right to privacy. In this context, it can be noted that the right to protection of personal data includes additional safeguards in relation to the right to privacy, such as data security, data quality and the principle of non-discrimination.55 It may thus be concluded that the right to data protection can be seen as a right distinguishable from the right to respect for privacy. Yet, it must be emphasized that these rights are closely related. The Data Protection Directive expressly refers to the protection of privacy as one of its main aims, whereas the GDPR makes a more general reference in Recital 4 that the Regulation respects the right to privacy. Furthermore, the data protection law of the EU must comply with the right to privacy in the ECHR as it constitutes a general principle of EU law. In its case law, the CJEU has further repeatedly conflated the two rights without clearly distinguishing between them.56

2.4. The Scope of the Rights

Article 1 of the ECHR declares that parties to the Convention “shall secure to everyone within their jurisdiction the rights and freedoms defined in section 1 of this Convention”. The parties to the Convention are States. Furthermore, Article 51 of the Charter states that the provisions of the Charter are addressed to the institutions and bodies of the Union and to the Member States when they are implementing EU law. Thus, at first glance, the Charter and the ECHR are only applicable in the relationship between States and individuals – not in the relationship between two private parties. For example, a private party cannot lodge an application with the ECtHR and complain that another private party has breached its rights under the Convention.57

54 Bavarian Lager v. Commission above n 53 para 118.

55 Tzanou above n 52 p 88–99.

56 See Lynskey, “Deconstructing Data Protection: The ‘Added-Value’ of a Right to Data Protection in the EU Legal Order” p 574, 575; see further Google Spain above n 2, which is a clear example of when the CJEU does not distinguish between the right to privacy and the protection of personal data.

Arguably, the non-horizontal application of these fundamental rights instruments should not be exaggerated. In relation to the right to respect for privacy, the ECHR can be held to include a positive obligation for States to act to ensure individuals’ rights and freedoms even in the relation between two private parties.58 Individuals can further turn to the ECtHR and complain when States fail to sufficiently protect their rights against infringements by other individuals.59

Both the Charter and the ECHR, whose provisions are regarded as general principles of EU law, are included in the primary law of the EU. Secondary legislation needs to comply with primary law. Case law of the CJEU further shows the Court’s willingness to interpret EU legislation in light of the fundamental rights laid down in the Charter and the ECHR.60 The data protection law of the EU – the Data Protection Directive and the GDPR – is based on the principles of protection of privacy and personal data. Both instruments include provisions applicable in the relationship between private parties, such as the “right to be forgotten”. In other words, in data protection litigation between two private parties, it appears evident that the CJEU will consider the fundamental rights to privacy and protection of personal data as guaranteed by the ECHR and the Charter.

2.5. Not Absolute Rights

The right to privacy and data protection are not absolute rights. According to the ECHR, the right to respect for privacy and family life in Article 8 can be restricted if it is in accordance with the law and necessary in a democratic society and, inter alia, for the protection of the rights and freedoms of others. Limitations to the rights and freedoms recognized by the Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may only be made if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.61 Both the Data Protection Directive and the GDPR also specify situations when the rights laid down in the respective legislative acts may be subject to restrictions. Article 13 (g) of the Data Protection Directive states that Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in the Data Protection Directive when such restrictions constitute necessary measures to safeguard the protection of the data subject or of the rights and freedoms of others. The GDPR includes a similar provision to that of the Data Protection Directive in Article 23 (i). It provides that EU or Member State law may by legislative measure restrict the scope of obligations and rights provided for in the GDPR, when the restriction respects the essence of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard the protection of the data subject or the rights and freedoms of others.

58 Cameron, above n 51 p 116.

59 Cameron, above n 51 p 50, 51.

60 See Hijmans, The European Union as Guardians of Internet Privacy: The Story of Art 16 TFEU, p 38.

61 Article 52.1 of the Charter.

2.6. Data Subjects and Personal Data

One of the aims of the Data Protection Directive and the GDPR is to protect natural persons with regard to the processing of personal data.62 Legal persons are excluded from the scope of both the Data Protection Directive and the GDPR.63

The protection provided by the Directive and the Regulation grants rights to data subjects. The meaning of data subject is found in the definition of personal data in Article 4 (1) of the GDPR. A data subject is “an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. The Data Protection Directive contains an identical definition in Article 2 (a).

Pursuant to Article 4 (1) of the GDPR and Article 2 (a) of the Data Protection Directive, personal data is further defined as “any information relating to an identified or identifiable natural person”. It is clear from the wording that the definition is broad. The list of potential “identifiers”, with which the data subject can be identified, serves as guidance for what may constitute personal data but the wording “in particular” suggests that the list is not exhaustive. The Working Party has noted that the concept of personal data includes any sort of information about a person, both objective “such as the presence of a certain substance in one’s blood” and subjective information such as “opinions or assessments”.64

62 See Article 1 of the Data Protection Directive and Article 1 of the GDPR.

63 See Recital 24 of the Data Protection Directive and Recital 14 of the GDPR.

Recital 2 of the GDPR makes clear that the Regulation applies to the processing of personal data of natural persons “whatever their nationality or residence”.65 The Data Protection Directive includes a similar Recital.66 Consequently, a natural person who is considered a data subject need be neither a resident nor a citizen of any of the EU Member States in order to be covered by the Data Protection Directive or the GDPR.67 In relation to data subjects’ right to be forgotten, the Working Party has stated that everyone has a right to be forgotten under EU law but that data protection authorities in practice “will focus on claims where there is a clear link between the data subject and the EU, for instance where the data subject is a citizen or resident of a EU Member State”.68

2.7. Controllers, Processors and Processing

Under the GDPR, a controller is defined as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.69 A processor is defined as a natural or legal person, public authority, agency or other body, which processes personal data on behalf of the controller. The difference between a controller and a processor is that the controller is the one determining why and how the data is being processed, while a processor only processes data on behalf of the controller without any additional purposes.70 The Data Protection Directive generally only imposes direct obligations on behalf of the controller whereas the GDPR imposes direct obligations on both controllers and processors.71

64 Article 29 Working Party, “Opinion 4/2007 on the concept of personal data” p 6.

65 Recital 2 of the Data Protection Directive states: “whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress, trade expansion and the well-being of individuals”.

66 See ITGP Privacy Team, EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide, p 22.

67 ITGP Privacy Team, above p 22.

68 Article 29 Working Party, above n 9 p 3.

69 Article 4 (7) of the GDPR and Article 2 (d) of the Data Protection Directive.

70 See Article 29 Working Party, “Opinion 1/2010 on the concepts of “controller” and “processor””, p 7, 8

Processing is defined in Article 4 (2) of the GDPR as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. Only corporations are covered by the obligations of the GDPR. Processing that is carried out “in the course of a purely personal or household activity” is excluded from its scope.72

71 See Article 3 of the GDPR. See however Articles 16 and 17 of the Data Protection Directive, which contain certain obligations directly imposed on a processor of personal data.

3. Data Protection, Jurisdiction and Choice of Law

3.1. Introduction

The issue of which country’s court has jurisdiction and which country’s law that court should apply is particularly interesting in the Internet context, and not least in data protection matters. While the Internet has increased the need for the protection of personal data, the borderless nature of the Internet has without doubt caused regulatory challenges. As Meier puts it, the Internet has the ability to “swiftly and effortlessly transcend national borders and sovereign territories”.73 The Internet thus challenges the predominant territorial approach to jurisdiction and choice of law.74

A data subject’s right to be forgotten by a search engine operator is a dispute between two private parties. Litigation between two private parties involving a foreign element falls within the area of private international law. Private international law rules historically form a part of national law and countries are generally free to formulate their private international law rules as they please.75 In the last decades, the harmonization and unification of private international law of the Member States of the EU has increased immensely and it may be argued that private international law issues relating to data protection litigation have received a unique treatment through the adoption of the Data Protection Directive and the GDPR. Public international law is an international body of law regulating the relationship between States. This gives rise to an interesting question: what happens when countries formulate their private international law rules in such a way that they conflict with the interests of another State?

The purpose of the following sections is to describe the relationships between data protection law, private international law and public international law. Understanding these relationships is vital in order to understand the legal issues at stake in the preliminary ruling of Google Spain and the case of Google v CNIL. This thesis is concerned with the extraterritorial reach of EU data protection law. The focus in the following sections will thus be to explain how jurisdiction and choice of law in data protection litigation are determined in relation to defendants based outside the EU.

73 Meier, above n 39, p 142.

74 Svantesson above n 11 p 8, 9.

3.2. Data Protection – Public or Private Law?

A national court faced with a dispute with an international element must first ask itself whether it has jurisdiction to determine the case. If yes, the second question would then be that of choice of law. The question of choice of law is primarily relevant in relation to private law. Generally, courts do not apply public laws of foreign countries.76 In order to determine the applicable law pursuant to the traditional private international law method, a court must first qualify to which area of law the legal issue belongs, for example, contracts or torts. After this qualification, the court must consult the relevant private international law rules providing one or several connecting factors between the dispute and the country whose law is to be applied77, such as the place where the damage occurred for torts or the place of performance for contracts.78

The qualification of data protection law into any traditional areas of the law is not an easy task – it “straddles the boundaries between public and private law, criminal law and civil law”.79 Data protection law comes from several legal sources: human rights law, consumer protection law and internal market law.80 As Bing points out, data protection law will thus typically contain provisions of both public and private nature.81 The Data Protection Directive and the GDPR apply both in the private law and the public law sector, without any distinction between the two. A systematic distinction was considered and rejected by the EU legislature before adopting the Data Protection Directive.82 As already noted, this thesis is concerned with the relationship between two private parties, a natural person who wants “to be forgotten” and a private company’s potential obligation to do so. Such a relationship falls under the category of private international law.

76 See Bing, “Data Protection, Jurisdiction and the Choice of Law” p 2; see further Bogdan, Svensk internationell privat- och processrätt, p 74-75.

77 See Bogdan, above p 33.

78 See Article 7.1 (a) and Article 7.2 of the Brussels I bis Regulation.

79 Kuner, “Data Protection Law and International Jurisdiction on the Internet (Part 1)”, p 182.

80 Kuner, above p 182.

81 Bing, “Data Protection, Jurisdiction and the Choice of Law”, p 2, 3.

82 Witzleb et al, above n 37 p 67.

3.3. Traditional Private International Law Instruments

In order to determine jurisdiction in cross-border disputes in civil and commercial matters, the EU adopted the Brussels 1 bis Regulation83 in 2012. The Regulation was preceded by the Brussels Convention84 from 1968 and the Brussels I Regulation85 from 2001. The Brussels 1 bis Regulation is applicable in “civil and commercial matters”, which raises the question of whether the Brussels 1 bis Regulation includes data protection litigation. As concluded above, data protection can be considered as both public and private law. However, litigation between individuals generally falls within the scope of the Regulation, if not expressly excluded from its scope.86 Claims based on data protection law between two private parties have thus historically fallen within the scope of the Brussels I bis Regulation and its predecessors.87

The Brussels I bis Regulation is, with a few specified exceptions such as litigation concerning immovable property and consumer contracts, only applicable when the defendant is domiciled in a Member State.88 A legal person is domiciled in the EU if it has its statutory seat, central administration or principal place of business in the Union, according to Article 63 of the Regulation. When litigation concerns a foreign defendant, Member States consequently apply their national private international law rules of domestic origin for issues of jurisdiction.89 However, it should be noted that a foreign defendant could be subject to the jurisdiction of a court of a Member State due to a choice of court agreement pursuant to Article 25 or by appearing in front of a Member State’s court pursuant to Article 26 of the Brussels I bis Regulation.

When qualifying a violation of data protection law, it could be considered either as a breach of a contractual obligation, if there is a contract between the parties, or as a tort, if no contract exists. The two relevant legal frameworks concerning choice of law within the EU are the Rome I Regulation on the law applicable to contractual obligations90 and the Rome II Regulation on the law applicable to non-contractual obligations.91 The Regulations are, like the Brussels 1 bis Regulation, applicable in civil and commercial matters.92

83 Regulation No 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters.

84 1968 Brussels Convention on jurisdiction and the enforcement of judgments in civil and commercial matters.

85 Regulation No 44/2001 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters.

86 Magnus and Mankowski, ECPIL: European commentaries on Private International Law, p 64.

87 See Brkan, “Data protection and European private international law: observing a bull in a China shop”, p 257-278.

88 See Articles 4-6 and Articles 18 (1), 21(2) and 24 of the Brussels I bis Regulation.

89 See Article 6 of the Brussels I bis Regulation.

In relation to a data subject’s right to be forgotten by a search engine operator, no contract between the parties exists. Consequently, a violation of a data subject’s right to be forgotten could be considered as a tort and could then fall under the Rome II Regulation. However, Article 1 (g) of the Rome II Regulation explicitly excludes non-contractual obligations arising out of violations of privacy and rights relating to personality, including defamation, from the scope. Violations of data protection rights are not expressly mentioned in Article 1 (g). As discussed above, it is not clear whether the right to privacy and data protection may be regarded as the same right. Nonetheless, it has been claimed that the provision also extends to civil claims concerning data protection.93 Assuming that data protection rights are included in the exclusion of Article 1 (g), one may hence conclude that there is no traditional EU private international law instrument regulating choice of law relating to data protection matters in tort.

3.4. Jurisdiction and Choice of Law in Data Protection Litigation

In relation to data protection, private international law issues have received a special treatment. The Data Protection Directive was adopted by the EU legislature in 1995. The principal aim of the Directive was not to function as a private international law instrument; it nevertheless contained a specific private international law provision.94 In relation to choice of law, Article 4.1 has the heading “national law applicable” and provides for several connecting factors when a Member State’s national data protection law, adopted pursuant to the Data Protection Directive, is to be applied.

90 Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations.

91 Regulation no 864/2007 on the law applicable to non-contractual obligations.

92 See Article 1 of the Rome I Regulation and Article 1 of the Rome II Regulation.

93 See Dickinson, The Rome II Regulation: the Law Applicable to Non Contractual Obligations, p 240; see further Brkan, ”Data Protection and Conflict-of-laws: A Challenging Relationship”, p 331.

94 See Revolidis, “Judicial Jurisdiction over Internet Privacy Violations and the GDPR: a Case of Privacy
