The Court of Justice of the European Union (the “CJEU”) has handed down a few intermediary-related judgments since September alone, and two are considered below. Although one relates to the E-Commerce Directive (the “ECD”) and the other to the Data Protection Direction (the “DPD”)/GDPR, a comparison of the judgments shows an apparently inconsistent approach of the CJEU to the territorial reach of injunctions against internet intermediaries.

 Google LLC v CNIL (Case C-507/17)

 The first judgment to be handed down was on 24 September 2019, in a reference from the French courts in a case between Google and the French data protection regulator, CNIL. The dispute between Google and CNIL was this: in 2015 CNIL had ordered Google to remove links to pages globally where the right to be forgotten had been triggered, i.e. it made a “de-referencing” request. In response, Google in 2016 introduced a geo-blocking feature that de-referenced, or de-linked, results on European Google domains only. It refused to apply the de-referencing to its global domains. CNIL imposed a fine of €100,000 on Google for such refusal.

The French courts asked the CJEU to answer three questions relating to the DPD (since the GDPR had not yet replaced it) which concerned the territorial scope of a de-referencing request, and – broadly – whether it applied only to the domain name corresponding to the Member State from which the right to be forgotten request was made, or to all EU domains, or to all global domains. In its judgment the CJEU considered the position under both the DPD and the GDPR.

The CJEU commented that by their recitals the objective of both the DPD and GDPR was to guarantee a “high level of protection of personal data throughout the European Union” and in a globalised world where the internet is a “global network without borders”, internet users’ access (including those outside the EU) to a link concerning EU-based persons is likely to have “immediate and substantial effects” on that person in the EU itself. The CJEU further commented that such considerations militate in favour of a “competence” for the EU legislature to oblige a search engine provider to apply a de-referencing request globally [54]-[58].

However, the CJEU ultimately found that the ‘right to be forgotten’ under the DPD and the GDPR did not require a search engine provider to carry out global de-referencing but only in respect of those versions of its search engine that correspond to EU Member States [73].

In support of that position, the CJEU made the following observations:

  • Several non-EU countries either do not recognise or have a different approach to the ‘right to be forgotten’ [59];
  • The right to protection of personal data is not absolute but is to be balanced against other fundamental rights [60];
  • The balance between privacy and freedom of information is likely to vary significantly around the world [60];
  • The EU has not struck a balance between those rights outside of the EU [61];
  • The wording of the relevant provisions in the DPD and GDPR do not make apparent that in order to make sure that the objective of granting a high level of protection data throughout the EU, the EU legislature intended for the scope of those provisions to go beyond EU Member State territory [62]; and
  • Since the GDPR lays down the rules concerning data protection which are directly applicable in all Member States, any de-referencing should in principle be carried out in respect of all Member States (rather than just on the search engine domain that corresponds to the Member State of the person making the request) [66].

However, the CJEU did expressly state that EU law did not prohibit global de-referencing and that it would therefore be possible for a Member State court or regulator to carry out the balancing exercise between a data subject’s rights to privacy and the protection of their personal data, and the right to freedom of information and, after weighing up those rights up against each other, order a global de-referencing exercise [72].

Glawischnig-Piesczek v Facebook Ireland Limited (Case C-18/18)

The finding of the CJEU in the Google v CNIL case bears some notable differences to the more recent judgment of the same court in Glawischnig v FB, which was handed down on 3 October 2019, little over a week after the Google case. Although on the one hand, these differences could be said to be expected given that the cases concerned different EU legislative instruments and different areas of substantive law, on the other both concern the territorial scope of injunctions against internet intermediaries requiring them to block or filter content accessible by end users, and take somewhat inconsistent approaches to this issue.

Firstly, the facts of this case were as follows: Eva Glawischnig-Piesczek is a member of the Austrian Green Party and was from 2008 to 2017 its federal spokesperson. In April 2016 a Facebook user shared a news article about welfare for refugees and included some disparaging comments concerning Ms Glawischnig-Piesczek, some of which would arguably be considered honest opinion and therefore not defamatory under English defamation law, but which were found to be defamatory under domestic Austrian law. Following judgment by the Austrian courts, Facebook disabled access in Austria to the relevant content and the Austrian Supreme Court asked the CJEU to consider whether Article 15 of the ECD (the anti-general monitoring obligation) allowed the injunction to be extended globally as well as to other identical statements and those with an “equivalent meaning”.

The AG’s opinion in this case advised the CJEU to find that the injunction could be extended globally but that while the injunction could be extended to identical statements by any user, that it should only be extended to equivalent statements/information by the user who published the original unlawful content [109]. Furthermore, the AG advised that the monitoring of ‘equivalent’ information be “clear, precise and foreseeable”, that it balances the fundamental rights involved and that it take into account the principle of proportionality (in a similar exercise to that advised by the CJEU in the context of the right to be forgotten in Google v CNIL [72]).

No such distinction is clear from the CJEU’s judgment, which appears to allow for monitoring for both identical and equivalent information across all users of an online platform (it states that the monitoring obligation for identical information applies “irrespective of who requested the storage of that information”, but does not include any qualification either way for equivalent information). Nor does the CJEU’s judgment mention the limitations advised by the AG, including the exercise of balancing the relevant fundamental rights. The CJEU instead directs that the monitoring of equivalent information be limited to “information conveying a message the content of which remains essentially unchanged compared with [unlawful content]”. There is no direction as to what “essentially unchanged” means, save that in complying with such a monitoring obligation the intermediary should not be required to “carry out an independent assessment of that content” [53]. When read with [46] of the judgment, this can be read as requiring an intermediary to use only “automated search tools and technologies”, that is, automated content filters. However, this still leaves open the key question of what the automated content filters should be programmed to search for and block. If it is right that the CJEU’s decision means that the obligation to monitor for equivalent information applies across all users of an online platform, that broad obligation combined with the lack of clarity as to what “essentially unchanged” means seems to create a difficult dilemma as to how automated content filters are to be applied in order to comply with such an obligation. This is before you get into the wider concerns regarding the use of automated content filters, such as the inadvertent removal of legal content and the encroachment on other fundamental rights (such as the freedom of expression). This finding by the CJEU appears to be part of a general trend in both the EU and the UK to put in place monitoring obligations that are framed as “specific”, rather than “general” monitoring obligations, so while they do not technically fall foul of Article 15 they seem to go towards its erosion (which is a topic that requires a separate article to do it justice).

However, the CJEU’s decision in Glawischnig does at least limit the monitoring obligation regarding identical and equivalent information only to circumstances where the court of a Member State has made an order against a host in respect of information that has been “previously declared” to be unlawful [53]. The implication is therefore that no monitoring obligation exists unless there is a specific court order requiring such monitoring and it is in respect of information that has already been found to be unlawful. In other words, it does not relate to content that is the subject of a notice and take down request under Article 19 ECR that is complied with, or content that is subject to out of court settlement.

The other key issue arising from the CJEU’s judgment in the Glawischnig case is the finding on the territorial scope of injunctions granted by Member States; in summary the CJEU held that Member States could issue filtering injunctions against intermediaries with worldwide effect “within the confines of public international law”. It is on this issue that the differences to Google v CNIL arise.

In Glawischnig, the CJEU relied on the following to find that a Member State court could issue an injunction with worldwide effect:

  • Recital 52 of the ECD, pursuant to which the ECD requested that Member States ensure that “appropriate court actions” are available to guarantee victims effective access to remedying damage arising in connection with “information society services”, which “is characterised both by its rapidity and its geographical extent”. Accordingly, the CJEU observed that when implementing Article 18(1) of the ECD (that provides for the availability of court actions under national law against information society services, allowing for “the rapid adoption of measures…designed to terminate any alleged infringement and prevent any further impairment of the interests involved”), Member States have a “particularly broad discretion in relation to the actions and procedures” for such measures [28]-[29].
  • Further, the CJEU found that given that such measures under Article 18(1) were expressly intended to terminate “any” alleged infringement and prevent “any” further impairment of the interested involved, no limitation could be presumed on the scope of such measures [30].
  • The CJEU also found that because the ECD did not limit the scope, territorial or otherwise, of the measures which a Member State could adopt under Article 18(1) or otherwise, the ECD does not prevent Member States from issuing injunctions with worldwide effect [49]-[50].

In qualifying this finding, the CJEU referred to recital 58 (which states that the ECD does not apply to non-EU Member States) and recital 60 (which states that the ECD must be consistent with international law) and cautioned that any worldwide injunctions issued by Member States need to take into account international rules [52]. The CJEU did not give any further consideration to what international rules might need to be taken into account, or engage at all with the Brussels Regulation on issues of jurisdiction within the EU.

The CJEU has (almost simultaneously) demonstrated different approaches to two EU instruments that are similar in that they both effectively require intermediaries to block or filter content accessible by end users. These differences and the inconsistencies they create are summarised below with reference to the findings in Google v CNIL since the equivalent issues were largely not considered in Glawischnig:

  • In Google v CNIL the CJEU commented that several non-EU countries either do not recognise or have a different approach to the ‘right to be forgotten’. The same can be said of defamation law.
  • In Google v CNIL the CJEU commented that the right to protection of personal data is not absolute but is to be balanced against other fundamental rights. That issue was addressed by the AG Glawischnig but is not part of the exercise mandated by the CJEU’s decision, which simply requires that “identical” or “essentially unchanged” information is removed.
  • In Google v CNIL the CJEU observed that the wording of the relevant provisions in the DPD and GDPR do not make apparent that in order to make sure that the objective of granting a high level of protection data throughout the EU, the EU legislature intended for the scope of those provisions to go beyond EU Member State territory. It is difficult to see how the combination of the GDPR objective of a “high level of protection” for a user’s personal data and the right in Article 17 for a data subject to “obtain from the controller the erasure of personal data concerning him” can be clearly distinguished from the wording of Article 18(1) of the ECD. The only difference appears to be that Article 17 does not expressly relate to “all” or “any” personal data (in the way that Article 18(1) of the ECD does), which makes sense in circumstances where a data subject may only require the deletion or some but not all personal data held by a data controller.
  • In Google v CNIL, the CJEU found the scope of a de-referencing request would extend to all Member States given the same data protection law applied across those states (that is, the GDPR). In contrast, in Glawischnig, even though defamation law is not harmonised across the EU, the CJEU nonetheless found that a Member State court could issue orders that not only extend across the EU but also globally (subject to the unspecified restrictions of international law). This seems to pave the way for forum shopping in EU Member States with more claimant-friendly defamation laws.

Despite the differences listed above, it could be said that there is no real inconsistency between the judgments – the CJEU in Google v CNIL did not rule out a global de-referencing order and accepted that it would be possible in the right circumstances [72]. Ultimately, the enforcement of any such orders in non-EU Member States would – as accepted by the CJEU in the Glawischnig case – be subject to the private international law in each country as well as the principles of international comity.

Cathryn Hopkins is a Senior Associate in the Litigation & Arbitration department at CMS