Law, Borders, and Speech: Data Protection and the Right to Be Forgotten

This piece is exerpted from the Law, Borders, and Speech Conference Proceedings Volume. The conference, convened by Stanford's Center for Internet and Society, brought together experts from around the world to discuss conflicting national laws governing online speech -- and how courts, Internet platforms, and public interest advocates should respond to increasing demands for these laws to be enforced on the global Internet. For two weeks in January 2018, we will be posting these materials on the CIS Blog. The Proceedings Volume itself contains these and other resources, including reading lists, conference slides, and results of participant surveys. It is Creative Commons licensed for re-use in teaching materials and elsewhere.

Panel Summary by Joris van Hoboken


  • Bruce Brown - Executive Director, Reporters Committee for Freedom of the Press
  • Mathias Moulin - Deputy Director, Commission Nationale de L'Informatique et des Libertés
  • Luiz Moncau - Intermediary Liability Fellow, Stanford Center for Internet and Society
  • Joris van Hoboken - Senior Researcher, University of Amsterdam


One of the biggest Internet jurisdiction disputes of our time is Google’s disagreement with European Data Protection regulators over global removals of search results based on EU “Right to Be Forgotten” law. What will happen there, and what should happen? If courts in the EU or elsewhere find jurisdiction based on the unique territoriality and processing provisions of Data Protection law, what precedent does that set? How will it shape cross-border enforcement orders in “libel tourism” cases, copyright cases, or other claims outside the Data Protection framework?


This panel addressed the right to be forgotten (RTBF) from a global perspective, presenting points of view from relevant stakeholders and academic researchers from different regions. As established in the Court of Justice of the European Union’s 2014 Google Spain case, this is a right under data protection law for individuals to request that search engines de-list specified results appearing in response to a search for the individual’s name.[1] While search engines may decline to de-list results based on public interest considerations, the RTBF is still far broader than de-listing or removal rights in many countries, including the United States. This is especially the case since de-listing can also be requested for information that lawfully published online.

After a round of opening statements from the panelists, summarized below, a lively, and at times provocative, discussion with the audience took place about the conceptual boundaries of the RTBF, the legitimacy of extra-jurisdictional impacts on free speech, and the possibility of resistance in view of the RTBF’s impact on the free flow of information online and the right to freedom of expression of Internet users and publishers. The discussion clarified the potential of the RTBF to continue to cause principled conflicts over the extent to which national laws should be allowed to impact the free flow of information outside of national borders, and the difficulties of reconciling fundamental differences in value systems in practice if jurisdictional overlapping claims become more common.

Bruce Brown’s presentation opened up the question of stakeholder participation in the RTBF debate, specifically about the role of news organizations and organizations defending a free press in the debate about the legitimacy of a RTBF and its proper application. Brown clarified that press organizations until now had not taken a very leading role in the debate. In the debate about the RTBF, the news industry and press organizations cannot be seen as monolithic. At the moment, it appeared to him that they were more in an amicus role rather than in the driver seat when it comes to free speech norm creation on the Internet. Related to this, Brown also raised the question of which free speech rights to focus on in the RTBF debate. Should the focus be placed on the rights of Internet users and readers? Or should the emphasis be on the rights of speakers and publishers to reach an audience with their publications in different parts of the world, including through search engines? As the potential impact on the rights of speakers and publishers was put forward in this presentation, the presentation also raised the question of what news organizations know about the way in which the RTBF is impacting the dissemination of their materials to online readers. Would it be possible for news organizations to provide data on the impact of RTBF de-listings, as part of their readership analytics? Perhaps, news organizations could play a constructive role in the debate by offering statistics, complementing transparency reporting efforts in the online services industry.           

In the debate about the “Right to Be Forgotten,” the news industry and press organizations cannot be seen as monolithic.

Mathias Moulin presented the perspective of the French Data Protection Authority, the Commission Nationale de L'Informatique et des Libertés (CNIL), and defended the way in which the RTBF could be seen as the legitimate application of French data protection law. First, Moulin presented some figures (the absolute and relative number of requests, de-listings, removals for other reasons than the RTBF, and involvement of CNIL in enforcement of the RTBF), concluding that the effect of the RTBF in practice was rather limited. If anything, the discussion of these figures may have raised the question for the audience of how one would assess the importance of a particular website remaining accessible through a name search, and on what basis.

Second, Moulin clarified how the RTBF is the result of the application of long-standing principles of European data protection (national laws that have existed since the 1970s and were harmonized in the Data Protection Directive) and European fundamental rights law, in which freedom of expression has to be balanced with an equally important right to privacy. Moulin clarified that what may have been new about the RTBF, from the perspective of CNIL, was simply the result of regulators not having managed to apply existing laws to search engines before the RTBF ruling. (This argument is not convincing to the author of this summary, considering the conclusions reached by the Article 29 Working Party in 2008 on how to apply the Data Protection Directive to search engines).

Third, Moulin addressed the question of whether the RTBF should be considered a threat to freedom of expression. He answered this question in the negative, noting that the source of the content is not affected, and the de-listing only takes place for name queries. In addition, he pointed out that the RTBF can only be exercised by the affected individual in relation to his personal data and cannot affect historical events, and the application of the RTBF requires that the interests of Internet users in access to the information is properly taken into account, which should guarantee that if these interests should override the interests of the individual in de-listing, the request should not be granted.

Fourth, Moulin clarified the CNIL’s point of view with respect to the extraterritorial effect of de-listings, specifically its view that de-listings, when granted, should be granted on all global and local versions of a search engine service. He asserted that the purpose of European law is not to dictate which information Internet users outside of Europe can and cannot find on the Internet, but simply to ensure that the fundamental right to data protection is respected by companies falling under European jurisdiction. Because everything the Google search engine does with data should be considered a single “processing” under the law, individuals’ rights to prevent such processing cannot be limited to a single national version of the search service. Nor can a data subject’s fundamental rights vary depending on who is looking at the information.           

As French privacy regulators see it, an individual’s fundamental right to privacy cannot vary depending on who is looking at the information, or where the viewer is located.

In the discussion with the other panelists and the audience that followed, Moulin was asked whether the question of extraterritorial application might involve a more nuanced assessment, including for instance consideration of whether the information would have a potential international readership, where the speaker and his main audience were located, etc. In response to this question, Moulin suggested that it may not be CNIL’s primary aim to provide the most nuanced substantive interpretation of how to apply the RTBF. Instead, CNIL’s chief aim would be to establish, in court, that it has the power to require a global de-listing, when relevant, in its dealings with an international Internet company such as Google. Thus, for CNIL, the legal settlement of its global jurisdictional reach as regards internationally operating data controllers appears more important than the proper settlement of individual RTBF requests and balancing of privacy and freedom of expression, also in a global perspective. The RTBF context may simply present an attractive opportunity for CNIL to settle these matters under European law.

While this may come as no surprise to some, the respect for diverging regional norms, and the collateral damage for globally operating search engines and the free speech interests of Internet users, including in Europe, do seem to warrant a more careful approach to this question of extraterritorial reach. In addition, how workable is such an approach in practice? How can the principle of judicial restraint in cases of overlapping and competing jurisdictional claims re-inform the debate about the proper enforcement of data protection as regards search engines? It was clear during the panel, and remains clear today, that the last word has not yet been spoken about these issues.

As mentioned, the panel took a global perspective on the RTBF, representing the French perspective, discussed above, comparative perspectives from academic research, including from Luiz Moncau who also spoke about developments related to the RTBF in the Americas, specifically. Moncau furthered the point that a global discussion about the RTBF requires conceptual clarity and an understanding of the legal systems in which developments are emerging. Are RTBF claims data protection law related, or emerging in other areas of law? Is the RTBF a right with respect to the historical record? Is it a right to get certain information erased, or only to get information de-listed from search engines? From a legal perspective, what is put forward as the basis for a RTBF? A right to one’s personal information online? A right to the protection of one’s reputation and dignity as a person? Moncau discussed a number of RTBF related cases in the Americas, ranging from cases in Mexico and Peru that were similar to the cases in the EU targeting search engines on the basis of data protection law, to cases in Brazil, where no data protection exists and something like a RTBF exists in the context of republication of information about criminal convictions.

Moncau ended his presentation with his answer to the question of clashing jurisdictional approaches. Specifically, he argued that jurisdictional caution is warranted, as he does not see any growing acceptance of countries letting other countries restrict the free flow of information on the Internet in their territory. And indeed, a future in which a European global or extra-territorial application of their RTBF would affect access to information of Internet users in the United States clearly runs counter to commitments to freedom of expression in the US, including search companies operating from the US. Even if the CNIL were successful in convincing European courts that Google must de-list search results globally, instead of merely for localized versions in Europe, this could hardly be expected to settle the matter. One could even imagine those services affected seeking remedies in the United States to protect them against such jurisdictional overreach on the basis of the First Amendment.

Joris van Hoboken (responsible for preparing this report) discussed the RTBF from the perspective of different approaches to intermediary liability for online platforms. First, he clarified that the RTBF emerged in the void that was left by the Ecommerce Directive with respect to secondary liability for search engines, because the Directive establishes no specific safe harbor for information location tools. This void is important given the clear impact that search engines, and searches for people’s names in particular, can have on people’s privacy and reputation. As European intermediary liability law did not provide for a clear answer to the liability of search engines for such harms, data protection and data protection regulators were able to step into this void and address this legal (right to effective remedy) and societal demand.

Second, van Hoboken clarified that categorical approaches to intermediary liability, such as the absolute immunity provided for in US law under CDA 230, are not sustainable under fundamental rights requirements in Europe. He, apparently provocatively for some in the audience, put forward the argument that CDA 230’s absolute immunity would clearly violate the right to an effective remedy under the European Convention of Human Rights and the EU Charter. He also maintained that one typical argument—that certain types of obligations on intermediaries do not scale very well—does not carry the weight in European courts that some might want it to carry, as it runs counter to the general requirement that justice be done in individual cases, especially where the protection of fundamental rights is concerned. In view of these characteristics of the European legal environment, he recommended that relevant US-based services do much more to embrace the complexity (and diversity) of the European environment to arrive at a more sustainable model of intermediary liability for privacy and reputational harms.

Finally, van Hoboken raised some points with respect to the CNIL case about global de-listings. He argued that generally, in his view, CNIL does not have a very strong legal case, based on the CJEU ruling, the Data Protection Directive and the EU Charter of Fundamental Rights. A central argument for the global de-listing order is that otherwise, the de-listing is not effective. However, the question of what legal enforcement is appropriate should be answered in relation to the underlying goals of the enforcement, namely to prevent a disproportionate impact on the right to privacy through name searches. Thus, the goal of granting a RTBF request is not to prevent access to the material entirely. This implies that leaving certain channels open, including what could be considered extraterritorial channels, can be consistent with the EU RTBF itself, as long as those channels do not pose a disproportionate impact on the fundamental right to privacy.

[1] Google Spain SL v. Agencia Española de Protección de Datos (AEPD), Case C-131/12, May 13, 2014



Add new comment