Right to be forgotten applies to all Google domains, rules French privacy authority

Search results should also be delisted on the .com domain, the French authority said

Google must respect the European Union's 'right to be forgotten' court ruling on all its sites, not just those it says target EU countries, the French data protection authority has ruled, giving the company 15 days to comply.

The French National Commission on Computing and Liberty (CNIL) ordered Google to remove the affected search results on all its domains, including google.com, or face a fine of up to €300,000 (about $337,000). So far, Google has only removed such results from those of its sites it says target EU users, including google.fr or google.de. French residents need only click the "Use Google.com" link on the google.fr homepage to have access to unfiltered search results.

The dispute began over a year ago, when the Court of Justice of the EU (CJEU) gave people the right to request removal of search results for queries including their names, if the results are inadequate or irrelevant.

This means that E.U. residents who want to remove a search result displayed on a search of their name can ask a search engine to delist it. The search engine must review the request and grant it if the proper conditions are met. If the search engine does not comply, they can lodge a complaint with their local data protection authority.

In France that authority is the CNIL, which has received hundreds of complaints from people who were denied a delisting by Google, the authority said Friday. After assessing the complaints, Google was ordered to delist several search results and was expressly told to do so on all its domains, not just on European domains such as google.fr or google.de, the CNIL said.

So far, Google has received over 55,000 requests from France to remove over 168,000 URLs, of which it removed almost 48 percent.

"In accordance with the CJEU judgement, the CNIL considers that in order to be effective, delisting must be carried out on all extensions of the search engine and that the service provided by Google search constitutes a single processing," the CNIL said, adding that the results should for instance also be delisted on the .com domain.

Search results should be delisted for French citizens using Google wherever they are and whatever the extension is, a CNIL spokeswoman said.

Google has been delisting search results only on its European domains and not on google.com, arguing that the ruling should apply to European searches and not worldwide.

"The ruling focused on services directed to European users, and that's the approach we are taking in complying with it," the company said, adding that it aims to strike the right balance in implementing the ruling and has been working closely with data protection authorities. The company has said that over 95 percent of queries originating in Europe are on local versions of its search engine.

Google can determine if a query on the .com domain comes from a European IP address, and already uses this technique to redirects users to local search engines -- although it offers users that are not logged in to a Google account a link on the local page to return to the Google.com domain.

Google did not immediately respond to questions about why it doesn't delist search results if the .com domain is accessed from a European IP-address.

Meanwhile, Google appears to block search results made on European search domains made from abroad. From Japan for instance, searches made on .fr and .de domains showed a message that some results may have been removed under data protection law in Europe.

If Google does not comply with CNIL's order, the authority will draft a report recommending the CNIL's committee in charge of imposing sanctions for violations of the French data protection law to impose a sanction. The highest possible sanction for the first step ins such a procedure is €150,000, which later can climb to €300,000, the CNIL spokeswoman said.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

Join the CSO newsletter!

Error: Please check your email address.

Tags Googlesecuritylegaldata protectionprivacy

More about EUGoogleIDGNewsTwitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place