Written by: Hunter Hamm

Research and Writing Editor, American Journal of Trial Advocacy

---

“The Internet has no borders – its natural habitat is global.”[1]

In this technological age, can any one country dictate what the rest of the world should believe about the Internet and the law? In contrast, should a foreign company be able to hide behind the walls of another nation’s laws to justify its infringement upon foreign citizens’ rights?  More to the point, however, can the European Union impose a competing doctrine of privacy law on the United States through the secondary effects of regulating private companies internationally? All of these questions stem from a current appeal by Google to reverse the judgement of a French court ordering Google to follow European privacy law on a global scale.[2]

The issues present in this case before the European Union’s Court of Justice (“ECJ”) is a result of the competing Western conceptions of the right to privacy. The differences between the right to privacy in the United States and the European Union can be summarized (though very roughly) to be the difference between the “Right to Liberty” versus the “Right to Dignity.”[3] The United States has long valued, not only the right to the freedom of speech, but also the right to privacy, and our laws have continually attempted to balance such opposing concepts.[4] The American right to privacy stems from fear of governmental intrusion, specifically intrusion into the home.[5] As such, our case law seems to care less about privacy in terms of the public’s perception of the individual; rather, privacy law protects the individual’s sovereignty, or “the Right to Liberty,” from Government oppression.[6]

Although the difference in American and European privacy rights are not absolute,[7] the European concepts constituting privacy rights seem to center around the idea of “informational self-determination,”[8] i.e., the ability to personally supervise the “commercialization of one’s image.”[9] In controlling one’s own image, an individual can control the public’s perception of himself by reducing his exposure and, subsequently, elevating his perceived “dignity.”[10] By extension, the natural enemy to the ability to control one’s own narrative is, of course, the media, whose primary purpose is to uncover the truth and publicize it widely for public knowledge.[11] Accordingly, any other entity that circumvents the individual in order to disseminate private information is equally as dangerous as the media, if not more so. This struggle between the need to publish truthful information and to protect the apparent right to personal dignity is the crux of the privacy debate between Anglo-American case law and European jurisprudence.[12] Wedged in the middle of this international war of laws, Google has recently found itself in front of the ECJ in Luxembourg to appeal an order from a European privacy regulator compelling Google to conform to the European variety of privacy law.[13]

This is not the first time that Google has made such an appearance in Europe for perceived violations of privacy rights. Recently in London, a court granted one man’s request to remove information concerning his past criminal conviction from Google’s search results.[14] But, more significantly in 2014, the European Union ordered Google to remove information from its servers concerning a request for removal originating in Spain.[15] In Google v. AEPD,[16] Costeja González filed a complaint with Spain’s privacy regulator, the AEPD, against Google requesting that Google remove a newspaper article referencing González’s past financial troubles in Google Spain’s search results.[17] The court found that even though Google may not be subject to the European Union privacy laws, Google is still “obliged to remove from the list of results . . . links to web pages . . . following a search made on the basis of a person’s name . . . even, as the case may be, when its publication in itself on those pages is lawful.”[18] Such removal, however, is subject to (among other factors)[19] the “economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject’s name.”[20]

The right for a European Union citizen to request removal of information instituted what the European Union calls the “Right to Be Forgotten.”[21] This right requires search engine companies, such as Google, to remove search results about specific individuals when those individuals request that their information be “forgotten.”[22] Though United States courts have yet to decide the issue of whether search engine results are considered “publications,”[23] Google has created procedures to balance its assumed U.S. Constitutional right to publish information against the more restrictive protections found in Europe. For example, Google has created many foreign subsidiary companies that generate searches for the country in which the subsidiary is located.[24] When searching for information using foreign search engines, Google only allows Internet users to access the information that is legally available in the country where the subsidiary is located.[25] Accordingly, in America, we have the search engine “google.com;” however, if one were to access Google’s search engine in France, the domain name would be “google.fr.” Though it would seem as if Google has attempted to conform to Europe’s laws, France’s privacy regulator, the CNIL, does not think that Google has done enough.[26]

In 2015, the CNIL ordered that Google comply globally with the EU’s “Right to Be Forgotten” regardless of the laws of other countries, including the United States.[27] The CNIL issued this order after Google refused to extend its policies to all domain names for its search engines, including Google.com, which is the domain name for the searching in the United States.[28] The CNIL contended that Google’s precautions were not adequate because Internet users were still able to access the information from other versions of Google’s search engine.[29] Google’s responsive argument noted that it has already been complying with the European Union’s demands because by the time the CNIL gave Google the order to comply, Google had already removed almost one million links in response to requests to remove information under the “Right to Be Forgotten.”[30] Now the French courts have removed the Google appeal to the highest court in the European Union to determine whether the “Right to Be Forgotten” should extend beyond the borders of the European Union to the rest of the world.[31]

This 2015 order has ignited an intense battle between U.S. tech firms and European privacy regulators.[32] Google, along with freedom of speech advocates, fears that such monitoring from foreign countries will not only lead to precedents for dictatorial censorship, but also the ability for a single country to legislate the entire world’s Internet access.[33] French privacy regulators, however, contend that an adverse ruling will render the “Right to Be Forgotten” meaningless.[34] Currently, the United States has implemented legislation which protects content providers, such as Google, from such sweeping applications of privacy law.[35] In passing Section 230 of the Communications Decency Act, Congress placed great weight on the need for free access to the Internet.[36] The Act states “[t]he rapidly developing array of Internet and other interactive computer services available to Americans represent an extraordinary advance in the availability of educational and information resources to [Americans].”[37] Additionally, because the United States has an interest in “promot[ing] the continued development of the Internet” and “preserv[ing] the vibrant and competitive free market that presently exists for the Internet . . . unfettered by Federal or State Regulation,”[38] Congress has granted “broad immunity to online intermediaries” like Google.[39] Effectually, this Act refuses to categorize Google as a publisher of information in order to remove liability from tort-based lawsuits.[40]

Surprisingly, France is not the only country that is ordering Google to comprehensively extend rights similar to the European Union’s “Right to Be Forgotten.”[41] In June 2017, the Supreme Court of Canada ordered Google to internationally delist certain information about pirated products through a global injunction.[42] In Google Inc. v. Equustek Solutions Inc.,[43] the Canadian Supreme Court justified its international injunction noting “there is no realistic assertion that the [injunction] will offend the sensibilities of any other nation.”[44] The Court further concluded that “[e]ven if it could be said that the injunction engages freedom of expression issues, this is far outweighed by the need to prevent the irreparable harm that would result from [Google refusing to delist the websites in question].”[45] Though the Canadian Supreme Court found ample reasons to enforce delisting, a district court in California concluded that the worldwide injunction did in fact breach United States law under Section 230 of the Communications Decency Act.[46] The court found that an extraterritorial order forcing tech companies to comply with the regulations of foreign countries would severely restrict free speech, and moreover, it would eradicate Section 230 immunity and its policies protecting Internet access.[47]

It is clear that the ruling of the ECJ in the next few months will have broad effects on privacy law felt around the world. Though the ECJ could try to force United States Tech companies to globally acknowledge the “Right to Be Forgotten,” current United States statutes and case law indicate that the United States is not currently willing to restrict access to the Internet more than what is absolutely necessary.[48] This unwillingness, however, could indeed have the opposite effect of Congress’s intention to protect free speech as the “[f]ear or suspicion that one’s speech is being monitored by a stranger, even without the reality of such activity, can have a seriously inhibiting effect upon the willingness to voice critical and constructive ideas.”[49] Surely deterring the willingness to voice critical and constructive ideas is inapposite to “preserving the vibrant and competitive free market”[50] of the Internet.

Conclusion

Currently, 88% of Americans would like to see some form of the “Right to Be Forgotten” be instituted in our laws as the fear of disclosure of private information is increasingly relevant.[51] This fear is well-grounded as the Supreme Court has not hesitated to allow the publication of information, even when it is obtained illegally.[52] The more technology advances, the more it encroaches on other areas of the law beyond just privacy and the right to free speech.[53] Because furthering the right to privacy inherently has the effect of promoting the freedom of speech, maybe it is time for Congress to revisit laws protecting Google’s immunity if only to cure secondary, yet stifling, effects on the Right to Liberty.[54]

[1]Google, Inc. v. Equustek Solutions, Inc., [2017] S.C.R. 824, para. 41 (Can.).

[2]C-507/17, Request for a Preliminary Ruling from the Conseil d’État, Google Inc. v. Commission nationale de I’informatique et des libertés, 2018 http://curia.europa.eu. (“Must the ‘right to de-referencing’ . . . be interpreted as meaning that a search engine operator is required, when granting a request for de-referencing, to deploy the de-referencing to all of the domain names used by its search engine so that the links at issue no longer appear, irrespective of the place from where the search initiated on the basis of the requester’s name is conducted, and even if it is conducted from a place outside the territorial scope of Directive [95/46/EC] of 24 October 1995?”).

[3]See, e.g., James Q. Whitman, The Two Western Cultures of Privacy: Dignity Versus Liberty, 113 Yale L.J. 1151, 1160-61 (2004) (citing Robert C. Post, Three Concepts of Privacy, 89 Geo. L.J. 2087, 2087 (2001)) (“[The difference between European and American privacy law] is the contrast . . . between privacy as an aspect of dignity and privacy as an aspect of liberty.”).

[4] See, e.g., Bartnicki v. Vopper, 532 U.S. 514, 533-34 (2001) (“[F]ear of public disclosure of private conversations might well have a chilling effect on private speech[;] . . . [however,] privacy concerns give way when balanced against the interest in publishing matters of public importance.”).

[5] Whitman, supra note 3, at 1162-63.

[6] Id.

[7] See Bartnicki, 532 U.S. at 553 (Rehnquist, C.J., Scalia & Thomas, JJ., dissenting) (quoting Tuner Broadcasting Sys., Inc. v. FCC, 512 U.S. 622, 641 (1994)) (discussing a strikingly parallel concept to Europe’s “Right to Dignity” and self-determination found “[a]t the heart of the First Amendment,” which allows individuals to choose “the ideas and beliefs deserving of expression, consideration, and adherence”).

[8] Whitman, supra note 3, at 1161.

[9] Id. at 1161 n.44.

[10] Whitman, supra note 3, at 1161.

[11] Id.

[12] Id. at 1153.

[13] Sam Schechner & Jacob Gershman, Google Case Asks: Can Europe Export Privacy Rules World-Wide?, Wall St. J. (Sept. 9, 2018, 7:00 AM), https://www.wsj.com/articles/local-internet-laws-threaten-to-go-global-1536490801.

[14] James Grierson & Ben Quinn, Google Loses Landmark ‘Right to Be Forgotten’ Case, Guardian (Apr. 13, 2018), https://www.theguardian.com/technology/2018/apr/13/google-loses-right-to-be-forgotten-case.

[15] C-131/12, Google Spain SL v. Agencia Española de Protección de Datos (May 13, 2014), http://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=201588 [hereinafter AEPD].

[16] Id.

[17] Id.

[18] Id.

[19] See id. (“Therefore, if it is found, following a request by the data subject pursuant to Article 12(b) of Directive 95/46, that the inclusion in the list of results displayed following a search made on the basis of his name of the links to web pages published lawfully by third parties and containing true information relating to him personally is, at this point in time, incompatible with Article 6(1)(c) to (e) of the directive because that information appears, having regard to all the circumstances of the case, to be inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue carried out by the operator of the search engine, the information and links concerned in the list of results must be erased.”)

[20] Id.

[21] AEPD, supra note 15; e.g., Schechner & Gershman, supra note 13; Steven C. Bennett, Is America Ready for the Right to Be Forgotten?, 88 N.Y. St. Bus. J. 10, 11 (2016).

[22] Schechner & Gershman, supra note 13.

[23] See 47 U.S.C. § 230(c)(1) (2018) (“No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”); see also Eugene Volokh & Donald M. Falk, Google: First Amendment Protection for Search Engine Search Results, 8 J.L. Econ. & Pol’y 883, 884 (2012) (arguing that Google’s search results are protected by the First Amendment). But see Langdon v. Google, Inc., 474 F. Supp. 2d 622, 630 (D. Del. 2007) (first citing Miami Herald Pub. Co. v. Tornillo, 418 U.S. 241, 256 (1974); then citing Sinn v. The Daily Nebraskan, 829 F.2d 662 (8th Cir. 1987); and then citing Associates & Aldrich Co. v. Times Mirror Co., 440 F.2d 133 (9th Cir. 1971)) (dismissing claims against Google supported by case law protecting publishers and editors).

[24] See AEPD, supra note 15.

[25] Alex Hern, ECJ to Rule on Whether ‘Right to Be Forgotten’ Can Stretch Beyond EU, Guardian (July 20, 2017), https://www.theguardian.com/technology/2017/jul/20/ecj-ruling-google-right-to-be-forgotten-beyond-eu-france-data-removed.

[26] Id.

[27]See Schechner & Gershman, supra note 13 (“France’s privacy regulator, CNIL, [ordered Google] to extend the EU’s ‘right to be forgotten’ to all of its websites, no matter where they are accessed.”).

[28]Sam Schechner, French Privacy Watchdog Orders Google to Expand ‘Right to Be Forgotten,’ Wall St. J. (June 12, 2015), https://www.wsj.com/articles/french-privacy-watchdog-orders-google-to-expand-right-to-be-forgotten-1434098033?mod=article_inline.

[29] French Court Refers ‘Right to Be Forgotten’ Dispute to top EU Court, Reuters (July 19, 2017), https://www.reuters.com/article/us-google-litigation/french-court-refers-right-to-be-forgotten-dispute-to-top-eu-court-idUSKBN1A41AS.

[30] Rebecca Heilweil, How Close is An American Right-To-Be-Forgotten?, Forbes (Mar. 4, 2018), https://www.forbes.com/sites/rebeccaheilweil1/2018/03/04/how-close-is-an-american-right-to-be-forgotten/#5bf983d2626e (noting that 43% of 2.4 million URL right to be forgotten request have already been removed); Schechner, supra note 28.

[31] Supra note 29.

[32] Schechner, supra note 28.

[33] Mark Scott, French Court Refers Google Privacy Case to ECJ, Politico (July 19, 2017), https://www.politico.eu/article/french-court-refers-google-privacy-case-to-ecj/; accord Hern, supra note 25 (“Thailand for instance, might attempt to force Google to apply its lèse-majesté laws, banning insults against its king, worldwide.”).

[34] Hern, supra note 25.

[35] 47 U.S.C. § 230 (2012); Google LLC v. Equustek Solutions Inc., No. 5:17-CV-04207-EJD, 2017 WL 5000834, at *2-3 (N. D. Cal. Nov. 2, 2017).

[36] See 47 U.S.C § 230 (listing policy reasons in passing the Act).

[37] Id. at § 230(a)(2).

[38] Id. at § 230(b)(1), (2)

[39] Equustek Solutions Inc., 2017 WL 5000834, at *3 (citing Batzel v. Smith, 333 F.3d 1018, 1027 (9th Cir. 2003)).

[40] Id. at *2.

[41] Google Inc. v. Equustek Solutions Inc., [2017] 1 S.C.R. 824 (Can.); Jeff Roberts, Google Must Delete Search Results Worldwide, Supreme Court of Canada Rules, Fortune (June 28, 2017), http://fortune.com/2017/06/28/canada-supreme-court-google/; Jeff Roberts, Google Can Fight Canadian Censorship Ruling, Court Says, Fortune (February 22, 2016), http://fortune.com/2016/02/22/google-canada-supreme-court/.

[42] Equustek Solutions, [2017] 1 S.C.R. 824, para. 53.

[43] [2017] 1 S.C.R. 824.

[44] Id. at para. 45 (quoting Google Inc. v. Equustek Solutions Inc., 386 D.L.R. 4th 224, paras. 93-94).

[45] Id. at para. 49.

[46] Equustek Solutions Inc., 2017 WL 5000834, at *2.

[47] Id. at *4.

[48] See 47 U.S.C. § 230(b)(5) (“it is the policy of the United States . . . to ensure vigorous enforcement of Federal criminal laws to deter and punish trafficking in obscenity, stalking, and harassment by means of computer.”); id. at § 230(d) (“A provider of interactive computer service shall, at the time of entering an agreement with a customer for the provision of interactive computer service and in a manner deemed appropriate by the provider, notify such customer that parental control protections (such as computer hardware, software, or filtering services) are commercially available that may assist the customer in limiting access to material that is harmful to minors. Such notice shall identify, or provide the customer with access to information identifying, current providers of such protections.”); Equustek Solutions Inc., 2017 WL 5000834 *3-4.

[49] Bartnicki, 532 U.S. at 543 (Rehnquist, C.J., Scalia & Thomas, JJ., dissenting) (quoting President’s Commission on Law Enforcement and Administration of Justice, The Challenge of Crime in a Free Society 202 (1967)).

[50] 47 U.S.C. § 230(b)(2).

[51]Heilweil, supra note 30. While American privacy law is greatly concerned with the government’s intrusion into the home, supra note 7, it has also protected citizens from unwelcomed private intrusion. See Frisby v. Schultz, 487 U.S. 474, 484 (1988) (citing e.g., FCC v. Pacifica Foundation, 438 U.S. 726, 748–49 (1978)) (“[A] special benefit of the privacy all citizens enjoy within their own walls, which the State may legislate to protect, is an ability to avoid intrusions [from the unwelcomed activity of private citizens].”). As more Americans welcome to technology in their homes, they might not be aware of the unwelcomed consequences that arise when inviting technology into the home. For a more comprehensive discussion about technology in the home, see Woodrow Hartzog, Privacy’s Blueprint: The Battle to Control the Design of New Technologies 261-75 (2018).

[52] See Bartnicki, 532 U.S. at 535 (concluding that even when information is obtained illegally and subsequently published, “illegal conduct does not suffice to remove the First Amendment shield from speech” when the publication is a truthful “matter of public concern”).

[53] See Hartzog, supra note 51, at 276 (“Privacy law has become more than just the law of media intrusion, government surveillance, and consumer protection.”)

[54] See Bartnicki, 532 U.S. at 553 (Rehnquist, C.J., Scalia & Thomas, JJ., dissenting) (citing Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193, 196 (1890) (emphasizing the compelling government interest to “deter[] clandestine invasions of privacy and preventing the involuntary broadcast of private [information],” which “concomitantly . . . further[s] the First Amendment rights of [citizens of the United States]”).