Google v CNIL (C-507/17) and Glawischnig-Piesczek v Facebook (C-18/18)
The General Data Protection Regulation (GDPR) is widely said to have exported the legislation of the European Union (EU) worldwide since it also applies (in certain instances) to controllers and processors of data which are established outside of the EU. Yet, in a preliminary ruling of the 24th of September the European Court of Justice (ECJ) ruled that Article 17 of the GDPR, which provides for the right to be forgotten, is only required to be applied in the EU internally and not worldwide (Case C-507/17 Google v Commission nationale de l’informatique et des libertés). That ruling was prompted by a fine imposed by the French data protection authority on Google because of that company’s refusal, when granting a de-referencing request, pursuant to the right to be forgotten, to apply it to all its search engine’s domain name extensions.
In another preliminary ruling of the 3rd of October, regarding Directive 2000/31/EC on electronic commerce (E-Commerce Directive) the ECJ seems to have reached the conclusion that measures granted by national courts to block access to or to remove illegal content online, in terms of Article 18 of the E-Commerce Directive, may be applied worldwide (Case C-18/18 Glawischnig-Piesczek v Facebook Ireland). In this case, an Austrian politician sought an order that Facebook remove and stop disseminating content (and identical or, subject to certain conditions, equivalent content) which was found to be defamatory, and thus illegal, by an Austrian court.
How come the E-Commerce Directive grants a worldwide remedy but the GDPR grants only an EU-wide remedy; and this decided upon by the ECJ in the space of just a few days? In truth, there is much more to be read into with respect to both preliminary rulings.
The ECJ’s consistent reasoning
In both cases the ECJ begins its reasoning by reading into the E-Commerce Directive and the GDPR, respectively, the wish of the EU legislature to strike a balance between the interests at stake (para 43 of the Facebook case and para 60 of the Google case). In the Facebook case the interest of the person seeking to have defamatory content taken down is balanced against the difficulty of the host provider to comply with a measure in respect of the E-Commerce Directive. In the Google case the interest of the person seeking to take down content infringing his data protection rights is balanced against the right to freedom of information which evidently is adversely affected by a de-referencing order in respect of the GDPR.
In the Google case the ECJ reasons that while EU legislature has struck a balance between the right to privacy and the right to freedom of information (see Article 17(3)(a) of the GDPR) as regards the application of the right to be forgotten within the EU, it has not struck such a balance as regards application outside the EU territory (para 61). This is because the rights arise from the EU Charter of Fundamental Rights. As a result, that balancing exercise inhabits a purely EU legal order and is necessarily an exercise in EU law which cannot be exported outside its territory to other regions of the world where the balance of the two rights at stake may vary significantly. The ECJ further holds that nowhere does the GDPR indicate that any of its provision should apply outside of the territory of the EU, therefore, it is only required to be given effect to within the territory of the EU (para 62 and 63).
However, this is not the end of it. The ECJ continues to argue that neither does the GDPR expressly prohibit its application worldwide (para 72). Therefore, the national data protection authorities and the national courts may decide to apply the de-referencing pursuant to the right to be forgotten worldwide but, given what has been said about the EU Charter, the balance should be struck in the light of national standards of protection of fundamental rights (para 72).
In the Facebook case the ECJ simply states the balance of the individual’s and the host provider’s interests must mean that the host provider cannot be burdened with an excessive obligation, that is, a host provider cannot be obliged to generally monitor for illegal activity (para 43). In fact the Member States are expressly prohibited from imposing such a general obligation by Article 15 of the E-Commerce Directive; therefore, a balance struck in this sense is purely made in terms of EU legislation and, by implication, cannot be applied to measure which have effect worldwide.
Yet, the ECJ rests on Recital 58 of the E-Commerce Directive which states that “in view of the global dimension of electronic commerce, it is, however, appropriate to ensure that the Community rules are consistent with international rules; this Directive is without prejudice to the results of discussions within international organisations (amongst others WTO, the OECD, Uncitral) on legal issues” to allow the application of measures worldwide made on a balance of interests made in terms of international rules to which the Member States subscribe. The ECJ further posits that nowhere does the E-Commerce Directive make any territorial limitation to the application of the measures permitted under Article 18, therefore, those measures may be given worldwide effect (para 49 and 50). Nevertheless, in the case that a Member State applies a measure with worldwide effect it must do so in a manner consistent with the framework of the relevant international law (para 51).
Conclusion: a converging territorial scope
Contrary to first impressions, the effect of the two cases is the convergence of the territorial scope of the GDPR and the E-Commerce Directive. That is, they can apply within the EU territory but also with global effect provided that a balance must then be struck between the interests at stake, in the case of the GDPR, in terms of national standards of protection of fundamental rights, and, in the case of the E-Commerce Directive, in terms of international law. Even this difference between striking a balance in terms of national standards and international law, respectively, seems superficial.
National standards for human rights protection necessarily derives from international law be it in the form of binding treaties like the European Convention on Human Rights, or soft law made in the fora of the United Nations or of regional organisations or their affiliated agencies and bodies, or even general principles. The ECJ clearly adopts a single strategy as to the territorial scope of EU rules in relation to online activity. That is, prudently deferring to apply EU law as such outside of the EU territory while leaving the Member States free to apply deriving or analogous rules worldwide.