CYIL vol. 12 (2021)

Ondrej Hamuľák – Lusine Vardanyan – Hovsep Kocharyan CYIL 12 (2021) Besides, the Court subordinates the processing of data by Google on all its domains to the GDPR jurisdiction, ruling that Google should be considered as performing a single act of processing personal data. 63 Despite the Court’s considerations that EU law does not provide for an obligation to implement the revocation of reference on a global scale, the Court nevertheless points out that the EU legislature has the competence to establish an obligation if it chooses to do so. 64 Such a view is probably based on the possibility of extending EU law outside the EU when extraterritorial application of the EU law may be warranted by the necessity of properly defending the Union’s values. 65 The Court also noted that while EU law does not require the abolition of reference on a global scale, it also does not prohibit such practices. Therefore the CJEU itself in its subsequent case law gave a positive answer to the question whether an order to a host provider to delete unlawful content pursuant to article 15(1) of the Directive 2000/31/EC 66 may have a worldwide effect. 67 In the Google v. CNIL case, the Court is of the opinion that a national supervisory or judicial authority may, after balancing the rights and interests of the subjects involved in the light of national standards for the protection of fundamental rights, order the search engine operator to remove the link to all versions of the search engine. 68 The CNIL, in a press release issued after the Court’s judgment in the case under consideration, highlighted this competence, but recognized that it was only competent to order worldwide renaming “in some cases”. 69 The Court leaves space for the possibility of a global application of the right to be forgotten, as defined by national Data Protection Authorities (hereinafter – “DPA”) or national courts of the EU member states. In doing so, it provided national DPA and national courts with some space for manoeuvre so that they could respond to the circumstances of a particular case. However, deviation from the EU-wide dereferencing standard is only possible in exceptional cases. But the most visible drawback of the judgment is that the Court does not give any indication in which exceptional cases a deviation from the local application of the right to be forgotten is possible. Nor does it provide the criteria by which national DPA or national courts should be guided in determining or evaluating these cases or their circumstances. The Court’s above-mentioned assertions point to its continued efforts to preserve the possibility for Member States to apply the right to be forgotten globally by allowing the adoption of national laws that provide the basis for effective regulation of privacy and data protection. 70 65 Art. 2 and 3(1) of the Consolidated versions of the Treaty on European Union and the Treaty on the Functioning of the European Union 2012/C 326/01. Available at: https://eur-lex.europa.eu/legal-content/EN/ TXT/?uri=celex%3A12012M%2FTXT. 66 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce) OJ L 178, 17.7.2000, p. 1–16. 67 Case C507/17 Google LLC v CNIL , p. 49–53. 68 Ibid., para. 72. 69 CNIL, ‘“Right to be forgotten”: the CJEU ruled on the issue’ (Commission Nationale de l’Informatique et des Libertés, 24 September 2019). 70 To the limits of national measures interfering with privacy see also: VARDANYAN, L., STEHLÍK, V.: Is the Case Law of ECtHR Ready to Prevent the Expansion of Mass Surveillance in the Post-Covid Europe? European Studies – the Review of European Law, Economics and Politics , 2020, vol. 7, pp. 253–272. 63 Ibid, p. 37. 64 Ibid, p. 58.

206