The right to be forgotten, a hollow shell? : A look at the jurisdictional aspects of article 17 of the European General Data Protection Regulation.

(1)

The right to be forgotten,

a hollow shell?

A look at the jurisdictional aspects of article 17 of the

European General Data Protection Regulation.

Thesis of Nick Hannaart

Master: Public International Law Supervisor: dr. mr. T. Staal Submission date: 26July 2018

(2)

Table of contents

Chapter 1. Introduction 1

Chapter 2. The General Data Protection Regulation in the light of the Costeja case 6

2.1. Google Spain and Google Inc. v. AEPD and Mario Costeja 6

2.2. Material scope 8

2.2.1. Processing of personal data 8

2.2.2. Controller 9

2.3. The right to be forgotten: the extent of the responsibility of the operator 10

2.3.1. The data that needs to be deleted 11

2.4. Territorial scope 12

2.4.1. Establishment 13

2.4.2. Carried out in the activities of the establishment 14

Chapter 3. The EU right to be forgotten and jurisdiction under international law 17

3.1. Ascertaining jurisdiction over a foreign company 19

3.2. Legislative jurisdiction – permissive principles applicable to the internet 20

3.2.1. Territoriality principle: subjective- and objective territoriality 21

3.2.2. Effects doctrine 22

3.2.3. Personality principle: active- and passive personality 23

3.2.4. A genuine connection 24

3.3. Jurisdiction to enforce 26

Chapter 4. Enforcement on the territory of the United States 28

4.1. Test of reasonableness 29

4.2. The right to be forgotten in the USA 31

4.3. A similar situation: Yahoo! Inc. v. La Ligue Contre Le Racisme 32

(3)

1

Chapter 1. Introduction

Loela de Vries, a twenty-two year old art student from the Netherlands, travels to Rome in the summer of 2015 to take part in a year-long art history programme.1_{When in Rome, she}

meets the twenty-five year old Nell Silver, an ambitious young photographer from New York City. Nell Silver, obsessed by the blond hair of Loela, photographs his new friend in what can be called adventurous and challenging behaviour. He bundles all the photographs in one book, called The Art of the Human Body, and hides this book under his bed.

After six months, Loela meets an Italian young man, called Mario Canaglia, and they become romantically involved. Loela and Mario, overwhelmed by their love and romance for each other, voluntarily pose nude for Nell on several occasions. Unfortunately, their relationship was not meant to last forever, and not long after their photos were taken they break up.

When the art history programme ends, Loela returns to Amsterdam and Nell returns to his hometown in the United States. Nell has high hopes that he will now find a decent job and get his well-deserved breakthrough in the art scene. Sadly enough, no publishers want to publish Nell his photos in their magazines, and Nell decides that his last shot at fame will be that he publishes the photos of Loela and Mario, including the photos in which they are in their so-called ‘birthday suits’, online. After he has done this, he gets the idea of writing a descriptive caption below the photos, mentioning both Loela and Mario their first- and surnames.

A couple of days later, Mario – still upset about his break-up with Loela – visits the website of Nell and sees the pictures of himself and Loela. Still looking for revenge, he decides to post the pictures of Loela online on the website myexgirlfriend.com. That will teach her a lesson, he thinks.

March 2017, more than a year after she returned from Rome, Loela finally hands in her thesis and graduates cum laude from university. As one of the best of her class, she thinks it

1_{The following story is based on the introduction of Robert Kirk Walker in his article ‘The Right to Be}

Forgotten’, Hasting Law Journal, Vol. 64:101, December 2012. The names have been changed and the authenticity of the original story has not been checked by the author of this essay.

(4)

2 will not be that hard to find a job, even though the job market for art students is very tough. While writing her cv, she decides to google herself to find out whether no bad information of her can be found by potential employees on the internet. To her horror, the first page with results shows nothing else than links to sexually explicit photos taken in Italy.

This story of Loela is not a unique story. Nowadays, it is quite common that users of the internet post content online or – maybe even worse – have information posted about them online, which they wished to have remained unrevealed. It was not in this case – but in a case with comparable circumstances - that the European Court of Justice (CJEU) ruled on the 13th_{of May 2014 for the first time in history that persons living in the EU have a ‘right to be}

forgotten’. This new concept entails that the ‘operator of a search engine is obliged to

remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful’.2_{Unfortunately, soon after the ruling problems started to}

arise, because it created an internet-related right which also applies to companies situated outside of the EU.

When Loela finds out about this ‘right to be forgotten’ she is relieved at first. At least she can now go to court and get those pictures of her removed from the list of search results. She calls her lawyer, but unfortunately he has a different message. At that time the policy of Google was to only alter the national search engines of the persons requesting to remove certain data about them.3_{However, searches using Google’s other domains, including the US}

domain google.com, remained unaltered. Although her photos can now be removed from the Dutch Google webpage (i.e. google.nl), it is not unimaginable that the pictures of Loela are also made available from a server located outside of the European Union (i.e.

Google.com). Her lawyer thinks that it would be impossible to get those photos removed from the Google.com search-engine. The problem Loela now faces is whether she can also

2_{ECJ, Google Spain and Google Inc. v. AEPD and Mario Costeja, p. 88.} 3_{Gibbs, 2016; Arstechnica, 2016.}

(5)

3 get the photos of her removed that are made available from servers outside of the EU.

In public international law states are obliged to limit the way they apply their jurisdiction extraterritorially. To tackle this problem, the EU developed a new data protection law, which has become law on the 25th_{of May (2018). This new EU’s ‘General Data Protection}

Regulation’ (in hereafter also: ‘GDPR’)4_{– which codifies the right to be forgotten into}

EU-legislation – has far-reaching and great effect beyond the territory of the EU. This essay takes a closer look at the way the General Data Protection Regulation applies beyond the territory of the EU and particularly whether the European right to be forgotten can be enforced on the territory of the United States.5_{The main question this thesis poses is: ‘can the European}

“right to be forgotten” be adequately enforced in the United States of America by a US court?

The emphasis is on enforcement on the territory of the USA, because this country hosts the worldwide .com-server and most internet-related companies storing much personal data (for example Google and Facebook) are based over there.

This essay has been written on the basis of a literature review. The structure of this thesis is as follows. Firstly, this essay will go further into the material and territorial scope of the right to be forgotten. The CJEU based the ‘right to be forgotten’ on provisions of the “old” Data Protection Directive6_{. However, because since the 25}th_{of May 2018 the “new” General Data}

Protection Regulation came to replace to “old” Directive, this regulation will be the main subject of this essay. It must however be noted that many provisions and definitions laid down in the DPD and GDPR are very similar, especially regarding the material scope. That is why the findings of the CJEU in the ‘Google Spain v. Costeja’- case also apply to the

provisions of the GDPR, although those findings were initially based on the Data Protection Directive. The most important difference between the DPD and GDPR is related to the territorial scope. As noted above, the GDPR has a bigger territorial scope. It is important to

4_{Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of}

natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

5_{In this essay the European Union will be considered as a whole. Differences in the implementation and}

interpretation of the relevant directives and regulations between the member states will not be taken into account.

6_{Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of}

individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive)

(6)

4 see why the GDPR has a bigger territorial scope to see whether this scope can be accounted under international law.

Secondly, the rules of international law regarding jurisdiction will be explained. The ‘right to be forgotten’ is an internet-related right, and because the internet crosses borders many difficulties arise in relation with the traditional concept of ascertaining legislative

jurisdiction. The territorial scope of EU-law – including the right to be forgotten - is limited by rules of international law regarding (extraterritorial) jurisdiction. It is important to take a closer look at those rules, because the enforcement of the right to be forgotten on US territory cannot be discussed if the conclusion would be that the European Union does not have the right to ascertain legislative jurisdiction over that right at all. Meanwhile these jurisdiction rules will be applied to the territorial scope of the ‘right to be forgotten’ as described in the GDPR and by the Court of Justice in the Costeja- case. After this, the rules regarding (extraterritorial) executive jurisdiction will be explained. States are limited for exercising their power by the principles of ‘state sovereignty’ and ‘non-intervention’.

After the rules on jurisdiction of international law have been explained, the ability of the European Union to enforce the right to be forgotten in the United States will be discussed. This will happen by taking a closer look at Third Restatement of Foreign Relations Law. This legislative document contains the rules which most US courts apply when determining whether another State has legislative and executive jurisdiction on US territory. It is hereby important to research whether the United States has a comparable right as the European right to be forgotten, and if it does not have such a right, whether the US courts are likely to enforce judgements based on the GDPR - including the right to be forgotten - on the

territory of the USA.

In the case of Loela, the policy of Google was still to not alter the search results of

Google.com, even if this website would be accessed by someone within the European Union. Recently, Google has altered its policy, which now entails that search results will not be shown to anyone conducting name-based searches from the same European country as the

(7)

5 original request, regardless of which domain of the search engine the browser is using.7_It

will use geolocation signals (such as IP addresses) to restrict access to certain websites.8_So,

when a European citizen uses the .com search engine, he or she will not be shown the deleted information. But still: searches outside Europe using the US domain will not be altered. At first, this seems to provide for a solution to the jurisdictional problems regarding the European right to be forgotten. However, whereas Google became willing to adhere to EU data protection law, other search engines may however not be that willing to alter their policy. Furthermore, IP addresses can be faked very easily in a way that the right to be forgotten could still be circumvented.

Because of these technical abilities of Google, and in order to get a clear picture of the possibilities of someone to make sure the right to be forgotten will be effectively enforced, two different scenarios are addressed throughout this essay. The first scenario addresses the issue if the European Union can make sure that certain personal data will be removed from a list of results of a search engine when accessed from both in- and outside the EU. This would for example mean that also a US citizen accessing the Google.com search engine from within the US would not be shown the deleted search results. In this way the right to be forgotten cannot be circumvented by faking an IP address. The second scenario poses the question whether someone can also demand a American judge to order a search engine operator to remove certain search results from the international search engine (i.e. ‘com-website’) if a person accesses that search engine from within the European Union (by using geolocation signals).

7_{Gibbs, 2016; Arstechnica, 2016.} 8_Idem.

(8)

6

Chapter 2. The General Data Protection Regulation in the light of the Costeja case

As noted in the previous chapter, on the 25th_{of May 2018 the General Data Protection}

Regulation came into force. It aims to ‘harmonize privacy laws in the EU by providing the same strong data protections for the entire region’.9_{It came to replace its predecessor: the}

Data Protection Directive. It had inter alia as its aim make sure that ‘the principles of, and rules on the protection of natural persons with regard to the processing of their personal data should […] respect their fundamental rights and freedoms, in particular their right to the protection of personal data’.10_{It was based on the Data Protection Directive that the}

European Court of Justice developed a new right – the right to be forgotten - on the 13th_of

May 2014. In its judgement in the Costeja- case the Court established a new right in order to protect people and their online data. This right had never been heard of before, and

nowadays is still a part of a huge debate. The European Union and Argentina are - so far - the only countries in the world that have actually acknowledged this right on their territories.11

In this chapter, the provisions of the GDPR – regarding the right to be forgotten - are addressed and explained in the light of Costeja.

Because the General Data Protection Regulation has replaced the Data Protection Directive, this regulation will be the leading document to be examined in this chapter. However, both this regulation and the directive contain similar provisions and definitions, and can therefore not be seen apart from each other. It is important to examine the material and territorial scope of the right to be forgotten – as laid down in article 17 of the GDPR – in the light of the explanation the CJEU gave to certain terms in the Costeja case in order to fully understand the right to be forgotten as it is under the GDPR.

2.1. Google Spain and Google Inc. v. AEPD and Mario Costeja

The Costeja case was about a Spanish national, Mr. Costeja Gonzalez, who lodged a

complaint against a Spanish newspaper, La Vanguardia Ediciones SL before the AEPD12_{. His}

complaint was about the fact that if someone would put his name in the search engine of

9_{Wimmer, 2017, p. 16.}

10_{General Data Protection Regulation, preamble, par. 2.} 11_{Corvalán, 2017.}

(9)

7 ‘Google Group’ (containing both the Google.es and Google.com search engines), he or she would be shown two links to pages of La Vanguardia’s newspapers of 19 January and 9 March 1998.13_{In these two links, containing two newspaper articles, there were}

announcements in which Mr. Costeja his name appeared for a real-estate auction connected with attachment proceedings for the recovery of social security debts.14_{In his complaint, Mr.}

Costeja demanded (1) that La Vanguardia would be obliged to remove those pages so that the personal data mentioning his name would no longer appear when ‘Googling’ his name, and (2) that Google Spain and/or Google Inc. would be required to remove his personal data from their search engine.

The AEPD rejected the first claim, stating that the information regarding Mr. Costeja was legally justified and La Vanguardia therefore had the right to publish the articles online. On the other hand, the complaint against Google was upheld, considering that operators of search engines were obliged to follow the rules of EU data protection legislation and subsequently were obliged to delete those two links to the articles of La Vanguardia from their list of search results.

In response, Google Spain and Google Inc. brought two separate actions against that decision to the National High Court in Spain (Audiencia Nacional). This court – being

confronted with a very new development - wanted more information on certain provisions of the Data Protection Directive, and forwarded four preliminary questions to the Court of Justice of the European Union. The CJEU addressed these four different questions in what would become the well-known Costeja- case. Firstly, the Court assessed the scope of application ratione materiae of the Data Protection Directive. Secondly, it explained the territorial scope of that Directive. Thirdly, it explained the precise responsibility of a search engine operator relating to the processing of data, and fourthly - which is of lesser

importance to this thesis - it assessed whether the data subject had the right to ask for the erasure of search results.

13_{Google Spain and Google Inc. v. AEPD and Mario Costeja, para. 14.} 14_Idem.

(10)

8

2.2. Material scope

The GDPR is the first legislative document that explicitly mentions the right to be forgotten, to be precise: in article 17. This provisions says:

‘1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies15_{[…] (italics, NH)’.}

Furthermore, article 2 of the Regulation says that:

‘[The] Regulation [including the right to be forgotten] applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data […]’.

Although interpreting the Data Protection Directive, the CJEU also started by first asking itself whether this directive was materially applicable and therefore started by determining whether ‘the activity of a search engine as a provider of content which consists in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users’ was actually the ‘processing of personal data’.16_{After that, continuing on this question, it answered the}

question whether Google Spain and/or Google Inc. could be seen as the ‘controller[s]’ of that particular data.

2.2.1. Processing of personal data

The definition of the GDPR and DPD of what is to be seen as the ‘processing of personal data’ is mostly similar, and defined as ‘any operation or set of operations which is performed

upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination,

15_{What grounds can apply will be discussed at the end of this chapter.} 16_{Google Spain and Google Inc. v. AEPD and Mario Costeja, par. 21.}

(11)

9

blocking, erasure or destruction’.17_{According to the Court of Justice, the activity of a search}

engine – the automatic, constant and systematic exploring of the internet in search of information which it wishes to publish – can be seen as the ‘processing of personal data’.18

The Court came to this conclusion by reasoning that the activities of a search engine – namely: retrieving, recording, organising, storing, disclosing and the making available of information – were all referred to in article 2(b) of the Directive.19

2.2.2 Controller

After establishing the fact that the operations of a search engine can be seen as the

‘processing of personal data’, the Court continued by assessing if Google (as a whole) could be defined as the ‘controller’ of this personal data. Before continuing it is important to note that the CJEU does not make a clear distinction between Google Inc. or Google.es when determining who should be regarded as a ‘controller’, but merely refers to Google as one entity, namely the ‘search engine operator’.

A ‘controller’ is defined as ‘the natural or legal person, public authority, agency or any other

body which alone or jointly with others determines the purposes and means of the processing of personal data […]’.20_{According to the Court, a search engine operator - like Google - is the}

one that determines the ‘purposes and means’ of the data processing.21_{Consequently, the}

Court concludes that it is also the search engine operator who can be defined as a ‘controller’ in respect of that processing pursuant to Article 2(d). This is in line with the objective of the Data Protective Directive, which is ‘to ensure effective and complete

protection of data subject’.22_{If one was to argue that the operators of search engines should}

be excluded from the definition of ‘controller’ - by saying that the operators do not exercise control over the actual data processing, but are merely the ones that are the middlepersons between the searcher and the web pages of third parties – would be contrary to the

objective of the DPD. Search engines play a crucial role in the dissemination of information,

17_{Article 2(b) of the Data Protection Directive; article 4(2) of the General Data Protection Regulation.} 18_{Google Spain and Google Inc. v. AEPD and Mario Costeja, para. 28.}

19_{Idem., para. 28.}

20_{Article 2(d) of the Data Protection Directive; article 4(7) of the General Data Protection Regulation.} 21_{Google Spain and Google Inc. v. AEPD and Mario Costeja, par. 33.}

(12)

10 including personal data, among its users. Facilitating user’s access to that information may result in them obtaining a comprehensive overview of the information relating to persons that can be found on the internet by only typing in their names in the search engine. By denying the responsibilities of search-engine operators, the right to online privacy, including the right to be forgotten, would be undermined.23

If these findings would be applied to the case of Loela, Google would also be bound by the GDPR in her case. The making available of pictures of her by listing those in a list of search-results, can be seen as the ‘processing of personal data’ and Google is the ‘controller’ of this data.

2.3. The right to be forgotten: the extent of the responsibility of the operator

Up to this point, the CJEU determined that Google is the controller of the processing of personal data of mr. Costeja. Whereas in its judgement of 13 May 2014 the CJEU continues by assessing the territorial scope of EU data protection law, this essay will first research what the precise responsibility of a controller of personal data is.

Article 17 of the GDPR merely says that the ‘data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her’.24_{But what is meant with}

the ‘erasure of personal data’? Does this mean that Loela can demand a court to oblige Google to stop listing her photos in its search-results? Or does this mean that she can ask Nell Silver to delete the photos from his website?

In its whole judgement the Court has said the Data Protection Directive ‘seeks to ensure a high level of protection of the fundamental rights and freedom of natural persons’.25_This

also becomes apparent in the conclusion on what the right to be forgotten exactly entails for Google. The Court says that the principle of proportionality is not unbalanced if it would demand Google to delete personal data from their list of search results. The ‘economic interest’ of Google alone could not justify the ‘potential seriousness of that interference’

23_{Taylor, 2016, p. 8.}

24_{Article 17 of the General Data Protection Regulation.}

(13)

11 with someone’s privacy.26_{Therefore, an operator of a search engine is obliged to ‘remove}

from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or

simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful’.27

The Court does however not say in its judgement that the right to be forgotten is of greater importance than other fundamental rights, such as the freedom of the media and freedom of expression. It is therefore necessary to determine on a case-by-case basis whether someone can actually refer to the right to be forgotten in order to have certain personal data about him or her deleted from the list of results of the search engine. A constant balancing test must be done. In the end, the CJEU did not say that La Vanguardia had to delete the articles about Mr. Costeja, but only said that it should not be listed in the results of the search engine.

2.3.1. The data that needs to be deleted

The question that now remains is: what kind of information needs to be removed by

Google? Article 17 of the GDPR provides for certain grounds that need to apply before one’s personal data can be removed. These grounds are:

(a) the personal data are no longer necessary in relation to the purposes for which there were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of article 6(1), or point (a) of article 9(2), and where there is no other legal ground for the processing; (c) the data subject objects to the processing pursuant to article 21(1) and there is no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

26_{Idem., par. 81.}

(14)

12

(f) the personal data have been collected in relation to the offer of information society services referred to in article 8(1).

According to the Court, personal data may however still be processed when the controller or third party have ‘legitimate interests’ that the data is being disclosed. The exception to this is when – by disclosing this particular data – someone’s right to privacy is violated.28_The

operator of a search engine must therefore balance and take into account the opposing rights and interests concerned. Only when there is a ‘justified objection’ against the disclosure of certain information, the processor must remove the data from its search engine.29_{Certain data – although initially lawful - must definitely be removed from the}

results of the search engine. This is when the data is ‘inadequate, irrelevant or no longer relevant, or excessive in relation to those purposes and in the light of the time that has elapsed’, and are therefore ‘no longer necessary in the light of the purposes for which they were collected or processed’.30

For Loela this would mean that the photos on the website of Nell Silver would still be available, but his website would not be displayed anymore by the Google search-engine in its list of search-results when looking up the name of Loela, because the processing of her photos was unlawful (see article 17(d) GDPR). The only problem in her case is that those pictures are made available from a server located in the United States (i.e. the Google.com search engine). The question that arises is whether the Court of Justice does have the jurisdiction to oblige Google that it should also make sure that the photos listed in the results of the .com-search-engine should not be displayed (both in- and outside the EU).

2.4. Territorial scope

The CJEU only has jurisdiction when there is a link between the Google.com- search engine and Europe, because it would otherwise ascertain jurisdiction on a company seated in the USA. The exact requirements for ascertaining jurisdiction abroad will be discussed in the next chapter. For now, it is clear that one of the hardest things with the right to be forgotten

28_{Google Spain and Google Inc. v. AEPD and Mario Costeja, par. 74.} 29_{Idem., par. 76.}

(15)

13 is that it is an internet related right. The ‘place’ on which the right is to be exercised, is

difficult to link to a State’s territory. This must also have been a struggle for the drafters of the GDPR and DPD. In the end, they chose to give the GDPR a big territorial scope. Also the European Court of Justice found that the right to be forgotten had to have a big territorial scope in order for it to not be easily circumvented.31_{Article 3 of the GDPR establishes the}

territorial scope of inter alia the right to be forgotten. This article says:

‘1. This regulation applies to the processing of personal data in the context of the activities of an

establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not (italics, NH)’.

The interpretation to certain words of this provision can be found in the Costeja case.

The main issues that was raised there was concerned with the notion of ‘establishment’. The first question the Court answered is whether Google Spain could be regarded as an

‘establishment’ of Google Inc. If the answer would be yes, then the Court could ascertain jurisdiction over the case and come to a ruling.

2.4.1. Establishment

In the Costeja- case the facts at hand were – and still are - that Google Inc. is seated in the United States, and its subsidiary, Google Spain, is situated in Madrid. Both companies are united under the name ‘the Google Group’.32_{Google offers its public worldwide access to}

the website ‘www.google.com’. It also has a website called ‘www.google.es’, which has as its main purpose to give the Spanish audience access to the search engine. Google Spain

possesses a separate legal personality. The main purpose of Google Spain is to ‘promote, facilitate and effect the sale of on-line advertising products and services to third parties and the marketing of that advertisement’.33_{Could Google Spain be seen as an ‘establishment’ of}

Google Inc.?

Recital 19 in the preamble says that an ‘establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangement’, and that ‘the

31_{Google Spain and Google Inc. v. AEPD and Mario Costeja, par. 54.} 32_{Idem., par. 43.}

(16)

14 legal form of such an establishment […] is not the determining factor’.34_{The main task of}

Google Spain is merely advertising, and prima facie one could say that this is not a ‘real and effective activity’ regarding the processing of personal data of Google Inc.

The Spanish court, referring the case to the CJEU, stated that the Google search-engine is controlled and operated by Google Inc., and therefore it could in principle not be established that Google Spain was the one carrying out activities that could be directly linked to the processing of internet data. The Spanish court considered further that Google Spain was a very important part in the commercial activity of Google Inc. in Spain and could therefore be regarded as having a close link the Google Search engine.35

Before concluding that Google Spain could be considered an ‘establishment’ of Google Inc., the CJEU first had to zoom in on the precise activities that Google Spain undertook in relation to the operating of the actual search engine. Or in other words: whether the activities of Google Spain were ‘carried out in the context of the activities of an establishment of the controller’.

2.4.2. Carried out in the activities of the establishment

According to article 4(1)a of the DPD European data protection law can only apply when a data controller has its main establishment on the territory of a third State (so, a non-EU State), but it processes data in the context of the activities of an establishment of the main controller on the territory of a Member State. In other words, the CJEU could declare the data protection law applicable to the Google search-engine if the activities of Google Spain were an ‘effective and real exercise of activity’ in the data processing context.36

The Court concluded in Costeja that the ‘activities of the operators of the search engine and those of its establishment situated in the Member State concerned are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the

34_{Data Protection Directive, preamble, recital 19.}

35_{Google Spain and Google Inc. v. AEPD and Mario Costeja, par. 46.} 36_{Data Protection Directive, preamble, recital 19.}

(17)

15 means enabling those activities to be performed’.37

The Court knew that it had established a very broad territorial scope by determining that Google Spain could be seen as an ‘establishment’ of Google Inc. This broad definition was however considered justified if one would take a closer look to the object and purpose of the Data Protection Directive. Recitals 18 to 20 in the preamble of the Directive says that it is the main goal of the directive to ensure that individuals cannot be deprived from the protection of their right to privacy online. The Court could not accept the fact that ‘the processing of personal data carried out for the purpose of the operation of the search engine should escape the obligations and guarantees laid down by Directive 95/46, which would

compromise the directive's effectiveness and the effective and complete protection of the fundamental rights and freedoms of natural persons which the directive seeks to ensure’.38

In practice, this means that the list of search results of an international .com-domain should also be altered in order for the right to be forgotten to be effective.39

The protection of European citizens could easily be circumvented if one would have assessed that the term ‘establishment’ had to be read narrowly.40_{In that case a Spanish citizen could}

not complain about his right being violated by Google Inc., because he could only press charges against Google Spain (because of the jurisdictional limits), which could not be seen as an establishment of the company that effectively controls the search engine. In the end, his personal data would have been deleted from the google.es- server, but would still be accessible in Spain from the google.com- server. In that way, the complaint of the Spanish national could not be dealt with effectively, and his personal data could not be protected properly online. Since then, all EU Member States seem to have adopted the same rules regarding the territorial scope of the right to be forgotten in order to ‘guarantee the effective and complete protection of data subjects’ rights and that EU law cannot be circumvented’.41

37_{Google Spain and Google Inc. v. AEPD and Mario Costeja, par. 56 (italics, NH).} 38_{Google Spain and Google Inc. v. AEPD and Mario Costeja, par. 58.}

39_{Art. 29 WP, 2014, p. 9.}

40_{Google Spain and Google Inc. v. AEPD and Mario Costeja, par. 54.} 41_{Art. 29 WP, 2014, p. 3.}

(18)

16 This far-reaching territorial scope of the GDPR and the Costeja case has been heavily

criticized, and some authors even argue that it is unacceptable.42_{Even the ‘Article 29}

Working Party’ has said that the broad scope can have some negative effects, but still justifies it by saying that it is necessary in order to protect the fundamental rights of the citizens of the EU.43_{The critique on the far-stretching territorial scope is mostly based on the}

fact that the link between the right to be forgotten and the foreign company is not very strong. The Court of Justice of the European Union already affirmed in the well-known

Lindqvist case that EU law does not apply to the whole internet.44_{However, it did rule in the}

Costeja case that – in order for the right to be forgotten not to be easily circumvented – also companies that have their main headquarters elsewhere can be obliged to remove personal data. The ‘Article 29 Working Party’ was of the opinion that an extra requirement had to be met in order for the GDPR to apply. This extra requirement – the targeting requirement – determines that there must be an ‘effective link between the individual and a specific EU country’ when a data processing act is aimed at targeting specific individuals.45

In conclusion, the CJEU determined that EU citizens have a right to have certain personal data about them removed from the list of search results of a search engine (such as Google). In order for this right to not be easily circumvented the Court assessed that the right had to have a big territorial scope. According to the Article 29 Working Party this would mean in practice that also the search results of an international domain (i.e. a .com-domain) should be altered. This issue has recently been addressed by a French court in a preliminary question to the European Court of Justice.46_{The case – which is still pending – will answer}

the question whether the right to be forgotten can and should stretch beyond EU borders.47

The CJEU did however come to the conclusion that the European data protection regulation – incorporating the right to be forgotten – has a big territorial scope in order for it to not be easily circumvented. This brings us to the next subject of this thesis. Namely, what principles

42_{See for instance: Moerel & Lokke, ‘The Long Arm of EU Data Protection Law: Does the Data Protection}

Directive Apply to the Processing of Personal Data of EU Citizens by Websites Worldwide?’, International Data

Privacy Law, Vol. 1, No. 1, 2011; Wolf, C., ‘White Paper Overextended: Jurisdiction and Applicable Law under

the EU General Data Protection Regulation, Omer Tene, January 2013.

43_{Article 29 WP, 2010, p. 24.}

44_{See Taylor, 2016, p. 10; referring to: CJEU, Lindqvist, para. 71} 45_{Art. 29 WP, 2010, p. 31; Taylor, 2016, p. 17.}

46_{Hern, 2017; Scott, 2017.} 47_{Hern, 2017.}

(19)

17 of public international law are there for establishing jurisdiction on certain (foreign) acts or persons. Is the territorial scope of the GDPR in line with these principles, or is it perhaps too broad?

Chapter 3. The EU right to be forgotten and jurisdiction under international law

In the previous chapter it was established that the right to be forgotten has a big territorial scope in order for it to become effective and not to be easily circumvented. In this chapter this essay will explain the principles and rules States need to adhere to before they can exercise jurisdiction over certain matters. The CJEU did not discuss the territorial scope of the right to be forgotten at the hand of jurisdictional rules of international law, and merely seemed to interpret the provisions laid down in EU data protection law. It did however establish a big territorial scope, and it is therefore also important to assess whether this scope is not too broad. As noted before, this chapter will provide for two different scenarios. The first poses the question whether the territorial scope can be based on rules of

international law if someone would demand a US court to remove certain information from the list of search results from Google.com when accessed from both in- and outside the EU, and the second will pose the question whether that same data can be removed from a server of Google.com in the US when accessed by someone from within the EU.

Due to technical progress the world gets smaller by the year. Especially the explosion of the internet has originated the ability to connect with remote individuals. Information can be moved faster and more cheaply than ever before, and it has become harder for states to control the whole flow of information.48_{While having many advantages, this process has}

also caused increasing numbers of internet-related jurisdictional disputes between States.49

Tensions may occur when the EU wants to apply its data protection laws – including the right to be forgotten - to foreign based companies in order to protect its citizens online. Most companies processing data have their main-establishments in the USA. The EU has a big interest in guaranteeing the effectiveness of the right to be forgotten by ensuring that these US companies stick to the rules laid down in the General Data Protection Regulation and be held responsible if they do not. Even though the GDPR aspires to global jurisdiction, that

48_{Morris, 2002, p. 2018-2020.} 49_{Kuner, 2010, p. 177.}

(20)

18 aspiration does not answer the question of whether an EU regulation is allowed to have extraterritorial effect outside the boundaries of the EU.50_{As Kuner noted: ‘the gap between}

compliance and enforcement of European data protection law [both in- and outside the EU] is certainly large’.51_{This gap brings with it the risk that respect of the data protection law will}

be diminished, because companies know that it cannot be properly enforced.

Before diving deeper into the material content of this chapter a few distinctions must be made. First, the concept of jurisdiction in international law is just one of the three

subdivisions that have to do with a ‘conflicts of law’, the other two being: the ‘choice of law’- principle and the ‘recognition of foreign judgements’- principle.52_{Jurisdiction is defined as a}

‘the power of the state under international law to regulate or otherwise impact upon people, property and circumstances’.53_{Jurisdiction must be differentiated from the ‘choice}

of law’- principle, which applies in disputes between private parties and ‘deals with the question whether the merits of the dispute will be resolved under the substantive law of the state of adjudication (lex fori) or under the law of another involved state’.54_{The difference}

between the two is quite vague in the area of data protection law55_{, and national data}

protection authorities often equate both terms.56_{The third principle is the ‘recognition of}

foreign judgements’, which ‘deals with the requirements under which the courts of one state will recognize and enforce a judgement rendered in another state’.57_{This thesis will not be}

about the choice of law principle, and merely focusses on the jurisdictional aspects and issues of the right to be forgotten. The principle of recognition of foreign judgements will be further explained in the second half of this chapter, which is on the rules of executive jurisdiction.

Second, it is important to note that in public international law a distinction is made between 50_{Wimmer, 2017, 16.} 51_{Kuner, 2010, p. 235.} 52_{Symeonides, 2016, p. 1.} 53_{Shaw, 2014, p. 469.} 54_{Symeonides, 2016, p. 1.}

55_{For example, article 4 of the Data Protection Directive has the heading ‘national law applicable’, which seems}

to refer to a choice of law provision. However, when looking at the provision itself one sees that the provision also includes certain rules regarding jurisdiction.

56_{Kuner, 2010, p. 180.} 57_{Symeonides, 2016, p. 1.}

(21)

19 three forms of jurisdiction. These are the legislative (or prescriptive), judicial (or

adjudicative) and executive (or enforcement) jurisdiction. Legislative jurisdiction, is concerned with ‘the supremacy of the constitutionally recognised organs of the state to make binding laws within its territory; such acts of legislation may extend abroad in certain circumstances’.58_{An example of this can be found in article 3 of the General Data Protection}

Regulation, which says that the application of the regulation also applies to companies outside the EU that use cookies to process personal data of persons living in the EU. The second form is judicial jurisdiction, meaning ‘the power of courts of a particular country to try cases in which a foreign factor is present’.59_{This could for instance concern a data}

protection authority that decides about a complaint brought by an European citizen based on the processing of their personal information by a company outside the EU. Finally, there is executive jurisdiction. This form of jurisdiction concerns ‘the capacity of the state to act within the borders of another state’.60_{The legality of executive jurisdiction has much to do}

with the other two forms of jurisdiction, because a state cannot enforce a certain rule when it was not capable of prescribing (and adjudicating) that rule at all.61

In this thesis the emphasis will therefore be on legislative- and executive jurisdiction. After all, this thesis is concerned with the question if the right to be forgotten can be enforced extraterritorially, and – since having judicial jurisdiction is not a requirement for exercising executive jurisdiction - only those two forms of jurisdiction are relevant for answering this question.

3.1. Ascertaining jurisdiction over a foreign based company

Google.com – based in the USA – was bound by the judgement of the CJEU in the Costeja case. Unfortunately, the Court did not assess whether it could, and how it could, ascertain jurisdiction on the basis of international law over this foreign based company. The question of whether there are limits to the application of jurisdiction under international law, and especially regarding acts that take place on the internet, is controversial.62_{Most of the time}

58_{Shaw, 2014, p. 472.} 59_Idem.

60_Idem.

61_{Kohl, 2007, p. 224; see for example: Restatement of the Law Third, The Foreign Relations Law of the United}

States, par. 7.

(22)

20 no problems will arise, but when two or more States want to exercise jurisdiction over the same matter, disputes start to exist. In 1927 the Permanent Court of International Justice ruled in the famous Lotus case that States are in principle free to ascertain (legislative) jurisdiction over a certain matter, unless a prohibitive rule to the contrary existed.63

However, recently a trend can be seen in international law in which many States follow another approach that says that a State can only exercise its jurisdiction when there is a positive rule in international law that permits that State to do so.64_{It seems nowadays that}

the latter approach is dominant in customary international law, because most States follow this approach and seem to accept this approach as law.65_{Also the Permanent Court of}

Arbitration ruled in the Island of Palmas case that one has got to start with the fact that a State has exclusive legislative jurisdiction on its own territory when answering the question of inter-State relations.66_{Only when there is a permissive principle allowing a State to}

exercise jurisdiction, this State is allowed to do so.67_{This line was continued by the}

International Court of Justice in the Barcelona Traction case. Here the ICJ acknowledged that a State’s sovereignty and the principle of non-interference can be - and sometimes even require - that the exercise of jurisdiction in cases with foreign elements must be limited by rules of international law.68_{In short: States can only exercise jurisdiction when they adhere}

to certain permissive principles. In the next paragraph the different permissive principles are explained.

3.2. Legislative jurisdiction – permissive principles applicable to the internet

In the previous chapter the territorial scope of the Data Protection Directive and General Data Protection Regulation were given. Now it will be assessed whether this scope can be lawfully based on one of the permissive principles, or if the scope is too wide to be

accounted for under international law. Under international law, there are several principles that permit States to exercise jurisdiction over certain acts. These principles extend to the place where an act is initiated or consummated (subjective and objective territoriality

63_{PCIJ, SS Lotus, 1927, p. 18-19.} 64_{Taylor, 2016, p. 6.}

65_Idem.

66_{PCA, Island of Palmas, par. 838.}

67_{Ryngaert, 2008, p. 3-4; Taylor, 2016, p. 6-7.} 68_{ICJ, Barcelona Traction, par. 70.}

(23)

21 principle), a person’s nationality (personality or nationality principle), the protection of a State’s vital interests (protective principle), and to the ramifications of an act felt within a State (effects doctrine).

3.2.1. Territoriality principle: subjective- and objective territoriality

The territoriality principle says that a State in which a person or goods are situated or in which the event in question took place, can ascertain jurisdiction over that matter. It is widely regarded as the ‘normal basis for the exercise of jurisdiction to prescribe’.69_{In the}

Woodpulp case the European Court of Justice held that the territoriality principle can be divided in two different principles, namely the subjective- and the objective territoriality principle.70_{The subjective territoriality principle covers situations in which an action is}

initiated in one country and ends in another. Under this principle, the country in which the action was initiated, could exercise jurisdiction over this particular action. The objective territoriality principle covers the situation in which the consequences of an act can be felt in the State that wants to exercise its jurisdiction over that act.

In the case of Loela, one could say that the objective territoriality principle applies. The act – the making available of the photos from the servers of Google.com in its list of search results – was initiated in the USA. However, the consequences of that act – the showing of these photos in the list of search results and therefore making them accessible on European territory – can be felt in the EU.

As explained before, the right to be forgotten has a broad territorial scope in order to ‘prevent individuals from being deprived of the protection guaranteed by the directive and that protection from being circumvented’.71_{The Court could not accept that ‘the processing}

of personal data carried out for the purpose of the operation of the search engine should escape the obligations and guarantees laid down by Directive 95/46, which would

compromise the directive’s effectiveness and the effective and complete protection of the

69_{Spang-Hanssen, 2004, p. 247.} 70_{ECJ, Woodpulp case, 1988.}

(24)

22 fundamental rights and freedoms of natural persons which the directive seeks to ensure’.72

Therefore the Court reasons that - although the actual data processing took place in the United States, by Google Inc. - the selling of advertisement space by Google Spain was an activity that was ‘inextricably linked’ with the activities of Google Inc., including the actual data processing, and therefore Google Spain was an ‘establishment’ of Google.73

This resembles the applicability of the objective territoriality principle. The location of the establishment was crucial for establishing legislative jurisdiction over the controller of the search engine (i.e. Google). Even if the controller is not established within the EU, the Court could still exercise its jurisdiction in case the establishment is seated within the EU. The GDPR even broadens the possibility of an extraterritorial link, because it applies to an establishment of both a controller and a processor in the European Union, rather than simply an establishment of the controller, as in the DPD.74_{This principle seems to be the}

most relevant for the right to be forgotten.

3.2.2. Effects doctrine

The effects doctrine is sometimes viewed as a ‘distinct category’.75_{It determines that a State}

can exercise its jurisdiction if an act is initiated and consummated elsewhere, but the effects of that act can still be felt by that particular State. This principle looks very much like the territoriality principle, but with the big difference that ‘no constituent element of the offence takes place within the territory of the prescribing State’.76_{The effects doctrine is}

mostly maintained by the United States in the area of antitrust law.77_{The US claims that it}

can ascertain legislative jurisdiction over a certain matter in case two companies – which are both seated outside the US – make an agreement which has economic consequences on US territory. A classic example of the application of this ‘effects doctrine’ can be found in US v.

Aluminum Co. of America, in which a US Court of Appeals ruled that: ‘any state may impose

liabilities, even upon persons not within its allegiance, for conduct outside its borders that

72_{Idem., par. 58.}

73_{Google Spain and Google Inc. v. AEPD and Mario Costeja, par. 56.} 74_{Taylor, 2016, p. 15.}

75_{Spang-Hanssen, 2004, p. 247.} 76_{O’Keefe, 2004, at 739.} 77_{Shaw, 2014, p. 499.}

(25)

23 has consequences within its border which the state reprehends’.78

The effects doctrine provides for a controversial basis for ascertaining jurisdiction, because there is no direct territorial link between the act and the State. Especially regarding online conduct, States have difficulties with establishing jurisdiction based on the ‘traditional’ permissive principles, such as territoriality. Nowadays, an increasing movement towards exercising jurisdiction based on the objective territoriality test and the effects doctrine can be seen.79_{In this context, the effects doctrine can be seen as a last attempt to assert}

jurisdiction on a certain matter.

The problem with the relation between the effects doctrine and the internet is that it became too easy to establish a relation between the two. Schultz argues that in cyberspace there must be a higher threshold in order for States to claim that there is a genuine link between an act committed in a third State and the effects in another.80_{This is because in}

cyberspace potentially everybody with internet access could access every website,

establishing this act-effect link. In other words, it would mean that any information put on the internet would provide every state where that information is accessible with jurisdiction based on the effects doctrine. Schultz even goes further and claims that the effects doctrine ‘should a fortiori be rejected entirely on the internet’.81

3.2.3. Personality principle: active- and passive personality.

The protection of personal data and an individual person have always been closely connected. In the end, the rights of that particular individual are being violated if his personal data is not properly protected. Therefore, the full titles of the DPD and the GDPR contain the words ‘the protection of individuals with regard to the processing of personal data’. The personality principle is based on the relationship between an individual and the State. It can be divided into two separate categories: the active- and the passive personality principle. In the first, the State owes duties to individuals as a subject, and in the latter as an

78_{US v. Aluminum Co., 1964, p. 443.} 79_{Wimmer, 2017, p. 17.}

80_{Schultz, 2008, p. 815.} 81_Idem.

(26)

24 object.

The active personality-based jurisdiction is - just as an individual’s personal data - closely related to a person’s individuality, personality and nationality. It says that a State can ascertain jurisdiction over a certain matter if that matter affects one of that state’s own citizens.82_{The passive personality principle covers situations in which a State exercises its}

jurisdiction in order to protect its nationals abroad. Just like the effects doctrine, it is heavily criticized because it would go too far and give States too much jurisdictional power.

Especially when relating the passive personality principle to the internet, extraterritorial jurisdiction (to prescribe) is quickly established, because for example the google.com search-engine is accessible everywhere in the world.

For Loela this would mean that the EU could have legislative jurisdiction in her case, because Loela – due to her Dutch passport – is a EU citizen. The active personality principle is highly relevant for internet-related jurisdictional disputes, because someone’s data is often controlled, processed and stored in different locations and jurisdictions, much more than a physical person might be involved in. However, if the pictures of Loela would be listed in the list of search-results of a search engine, the EU could ascertain extraterritorial (legislative) jurisdiction in all other States anywhere in the world. This might be a step too far. The downside of this movement towards personality-based jurisdiction with regard to the right to be forgotten, is that it could also cause a territorial scope which is far too broad, and which can collide with other jurisdictions. This overreach could lead to jurisdictional tensions.

3.2.4. A genuine connection

The abovementioned grounds of jurisdiction are all based on a link or contract with a state.83_{This system does however not exclude that two different states might have a link to}

a certain matter. If both the EU and the US would try to exercise legislative jurisdiction over the same case, this would cause a collision of jurisdictions. In order to solve questions like these there is a second requirement under international law in order for a State to exercise

82_{Spang-Hanssen, 2004, p. 251.} 83_{Ryngaert, 2008, p. 135.}

(27)

25 jurisdiction extraterritorially. This requirement entails that a State should have a ‘genuine

connection’ with the situation it wants to exercise its powers over.84_{This genuine connection}

requirement is well-established under international law.85_{It is closely related to the}

‘principle of comity’, which is the most well-known rule internationally among nations in ascertaining legislative jurisdiction.86_{In jurisdictional context, this rule says that ‘States limit}

the reach of their laws, and defer to other States that may have a stronger, often territorial nexus to a situation’.87_{A State can exercise jurisdiction beyond its border if it does not}

interfere with another States, more closely connected, interests.88

In two cases the International Court of Justice expanded on this genuine connection

requirement. In 1955 – in the Nottebohm case – the ICJ determined that in order for a State to exercise diplomatic protection over an individual ‘the legal bond of nationality [had to] accord with [that] individual’s genuine connection with the State which assumes the defence’.89_{It thereby recognized the genuine connection requirement under international}

law, but did not elaborate on what the principle precisely entails. In 1970 the ICJ refined this doctrine in the context of diplomatic protection over foreign based companies and claimed that ‘no absolute test of the “genuine connection” has found general acceptance. Such tests as have been applied are of a relative nature, and sometimes links with one State have had to be weighed against those with another’.90_{It has to be determined on a case by case bases}

whether a state has a more genuine connection over a certain matter. The relevance of this requirement becomes more clear when taken together the two scenarios that were posed in the introduction.

In the first scenario someone tries to demand – for example – Google.com (which has a server in the US) to remove certain data from the list of search results when someone accesses that website from both in- and outside the EU. The reason for this could be that IP-addresses can be easily faked, so that someone pretends to be in the US, but is actually in 84_{Taylor, 2016, p. 6-7.} 85_{Svantesson, 2017, p. 63} 86_{Michaels, 2009, p. 2.} 87_{Ryngaert, 2008, p. 137.} 88_{Taylor, 2016, p. 6-7.} 89_{ICJ, Nottebohm, p. 23.} 90_{ICJ, Barcelona Traction, p. 42.}

(28)

26 Europe and thereby circumvents the rights to be forgotten. In this case the connection of the US to the matter must be compared to the connection of the EU. It could be argued that the US has a stronger connection to the matter at hand, because both the server is on US

territory and the consequences will be felt on US territory as well. In this case the EU cannot ascertain prescriptive jurisdiction.

This lies different with the second scenario. This scenario poses the question whether someone can also demand a American judge to order Google Inc. to remove certain search results from the Google.com website (for example by using geolocation signals) if that person accesses that search engine from within the European Union. In this case the

consequences will only be felt on EU territory. It could therefore be argued that the EU has a closer connection to the matter, and thus can establish prescriptive jurisdiction.

In conclusion, the CJEU did not discuss the rules of international law regarding jurisdiction in the Costeja case, but the strongest argument for the EU to gain legislative jurisdiction over a case which concerns the right to be forgotten, would be to base its jurisdiction on the objective territoriality principle.91_{This is also the permissive principle that mostly resembles}

the reasoning of the CJEU in the Costeja- case. At first, this principle seems to provide for a sufficient basis for establishing legislative jurisdiction. However, because of a second requirement for establishing legislative jurisdiction under international law – namely the ‘genuine connection’ requirement – it is unlikely that the EU has legislative jurisdiction over a matter in which someone wants a US court to remove information from the list of search results from Google.com when accessed from both in- and outside the EU.

3.3. Jurisdiction to enforce

Where legislative jurisdiction for the right to be forgotten can at least be based on the objective territoriality principle, the problem is with enforcing this right. In 1648 the Treaty of Westphalia was signed, ending all the European religious wars of that time. The Treaty also meant the start of modern-day nation-states. From that point on, the nation state (or the prince) had ‘the supreme power over subjects in [that] particular territory’ and ‘enjoy[ed] freedom from interference by other states’. 92_{By these principles of}

91_{Wimmer, 2017, p. 18.} 92_{Detter De Lupis, 1987, p. 3.}

(29)

27 sovereignty and non-intervention the European Union is limited in the ways it can enforce the right to be forgotten on the territory of non-EU States. No state, including its organs and individuals, can act on behalf of that state to enforce its laws on the territory of another state.93_{Kohl calls this limited ability to enforce certain internet-related rights the ‘Achilles’}

heel’ of international law regarding jurisdiction.94_{This is because ‘one State’s greater}

enforcement power is another State’s loss of territorial control’.95_{Scassa and Currie argue}

that ‘because the internet is borderless, states are faced with the need to regulate conduct or subject matter in contexts where the territorial nexus is only partial and in some cases uncertain. This immediately represents a challenge to the Westphalian model of exclusive territorial state sovereignty under international law’.96

Pursuant to the principle of non-intervention, states are prohibited from intervening in the internal legal orders of other states.97_{International law does however offer a solution to the}

problem of extraterritorial executive jurisdiction. This solution lays in the principle of recognition of foreign judgements. There are no agreed principles on recognition and enforcement of foreign judgements,98_{apart from the fact that ‘no state recognizes or}

enforces the judgments of another state rendered without jurisdiction over the judgement debtor’.99_{The only reason why all States decline to recognize a foreign judgement is because}

that judgment would be in ‘conflict with their public policy or ordre public’, but the

interpretation of these terms vary from state to state.100_{This is where the biggest problem is}

with enforcing the right to be forgotten on the territory of the United States.

In short, enforcing the right to be forgotten abroad is limited by the principles of ‘state sovereignty’ and ‘non-intervention’. Only with the consent of a third state can a state enforce its judgements on that third state’s territory. However, states are most of the time reluctant in enforcing foreign judgements. Especially when these judgements are in conflict

93_{Kohl, 2007, p. 200.} 94_{Kohl, 2007, p. 26.} 95_{Idem., p. 200.}

96_{Scassa & Currie, 2010.} 97_{Ryngaert, 2008, p. 144.} 98_{Spang-Hanssen, 2004, p. 281.} 99_Idem.

(30)

28 with their public policy. In the next chapter the possibilities of having a European judgement (on the right to be forgotten) enforced by a American court on the territory of the US will be examined.

Chapter 4. Enforcement on the territory of the United States

In the previous chapter this essay described the contemporary rules of international law regarding jurisdiction. In this chapter it will be assessed whether the EU can enforce the right to be forgotten on the territory of the United States. It is therefore important to first take a closer look at the rules regarding enforcement and recognition of foreign judgments in the United States.

In 1979 the American Law Institute started a project to clarify and actualise the rules

regarding extraterritorial jurisdiction of the United States abroad, and vice versa. This led to the Third Restatement of US Foreign Relations Law, nowadays an authority on

extraterritorial jurisdiction and enforcement. Although the Third Restatement is not a binding source of law, it is widely consulted by courts all over the United States to clarify the rules on enforcement of foreign laws.101

According to the Third Restatement, ‘jurisdiction’ is defined as ‘the capacity of a state under international law to prescribe or to enforce a rule of law’.102_{So contrary to the earlier used}

definition of jurisdiction – which separated three forms of jurisdiction - here it contains both the ability to prescribe and to enforce law. The relationship between the two is elaborated on in paragraph 7, which says:

‘(1) A state having jurisdiction to prescribe a rule of law does not necessarily have jurisdiction to enforce it in all cases.

(2) A state does not have jurisdiction to enforce a rule of law prescribed by it unless it had jurisdiction to prescribe that rule’.103

101_{Hixson, 1988, p. 137.}

102_{Restatement of the Law Third, The Foreign Relations Law of the United States, par. 6.} 103_{Idem., par. 7.}