Frederik Zuiderveen Borgesius, who praised the clarity of the thesis as the topic is very multi-layered and complex. He especially agreed with the proposed solution in the thesis to the pending Google CNIL case. In short, the thesis proposes that, if a delisting request is successful, Google should delist search results for the name search only for search engine users with an IP address from Europe.
He admits that this would not be a perfect compromise but it would take into account that countries outside of the EU might have legitimate reasons to resist delisting based on their valuing of freedom of expression (this is especially true for the US, where freedom of speech has a very high constitutional value).
He elaborated that such an approach could be potentially counter-argued by arguing that an EU fundamental rights perspective would prevent protected rights from being violated in third countries. Zuiderveen Borgesius feared however that the CJEU might take an activist approach and decide in favour of CNIL in the Google/CNIL case, and that the CJEU might leave such pragmatic compromises aside.
Before the debate with the audience, author Mistale Taylor was given an opportunity to react to remarks and questions received. She started by pointing out that the EU should be restrained when defining core data protection principles to be included in international agreements, to avoid a push-back on the grounds of sovereignty. These principles should include that processing is lawful, that there is purpose limitation and specification regarding the purposes data is being processed for, the need for a data subject to be informed about the purpose of processing ex ante and for the controller to show an additional legal basis if he or she plans to use the data for other purpose, data quality including limitations on the time period data can be retained for, and accountability and fairness as guiding principles for the whole processing. Other elements such as particular data subject rights, independent data protection authorities or protection of sensitive data, Taylor considered as very EU specific. They might not be of relevance or feasibly incorporated into all international agreements. In her opinion the CJEU in Opinion 1/15 was too detailed and technical, making the negotiation of meaningful international agreements more difficult as not all its suggestions could be incorporated into subsequent agreements.
Regarding the pending Google CNIL case, Taylor puts forward that the assessment developed in her thesis might lead to a better understanding of the issues at hand. Firstly, in respect of the permissive principles under public international law for jurisdiction, the EU could probably rely on its human rights obligations to justify a certain extraterritorial reach of the right to erasure.
Data protection as an EU fundamental right means that the EU is obliged to respect, protect and fulfil this right within a wide jurisdictional scope. To limit this wide scope, the public international law concept of jurisdiction based on territory can provide an important first step. In data protection such territory can be based on subjective (the territory where the action at hand was initiated) or objective grounds (the territory where an act is consummated). Additionally, personality-based anchors such as nationality or residence could play a role. In a nutshell, this could justify the EU exercising jurisdiction over their data subjects, with the limitations posed by the principles of personality and territoriality. Further mitigating factors will then be needed to restrain any overreach, such as reasonableness as a subset of comity and the balancing of state interests respecting the plurality of the legal order.
In Google CNIL, this means there needs to be a sufficient connection between the EU and the situation to justify EU jurisdiction. This should pose no problem as such link was found in Google Spain based on an EU establishment of a Google subsidiary whose activities are inextricably linked to Google Inc. After having established this territorial link, the different interests and fundamental rights at issue need to be balanced, such as freedom of expression, data protection, state sovereignty, or an interest in global information sharing. Within this balancing, Taylor argued that reasonableness needs to have a role. From such a reasonableness assessment, it would seem to go too far and encroach on US sovereignty and the principle of non-interference to ask Google to implement each successful delisting request on a global scale. Instead, to be within reasonableness, only people accessing search engine results from any country in the EU (as determined by geo-location technologies or IP address) should see redacted results according to the delisting request. Regarding the potential decision of the CJEU, Taylor puts forward that the European Commission seems to side with Google in the case fearing potential global consequences should the CJEU find such a wide application of the right to erasure. According to her, the CJEU might focus on guaranteeing an implementation of the right to erasure that would be effective in the whole EU.
Finally, she focused on the question of territory as a jurisdictional link. Recent formulations on territorial scope in data protection texts, such as the GDPR or the modernised Convention 108, refer to activities “in the Union” or “in the jurisdiction of the Member State”, these more abstract terms could translate to a looser concept of territory potentially showing a lessening of the importance of differentiating between extraterritorial and territorial jurisdiction.
The presentations were followed by a lively debate with the audience, discussing further potential limitations of the concept of territory, the implications of the Google CNIL proceedings and the need to allow different cultural valuation of fundamental rights to play a role.