On January 21, 2019, the French National Data Protection Commission (CNIL) fined Google Euros 50 million for not complying with the General Data Protection Regulation (GDPR).   There will be a legal challenge, but this blog focuses on the policy considerations surrounding the decision.  There are at least three initial takeaways from the CNIL decision.  First, this enforcement action demonstrates that the GDPR should not be replicated word for word in a possible U.S. federal privacy law.  Some notion of consumer harm should enter the calculation when a fine is considered.  Second, DPAs should be more forthcoming with guidance on how to comply with the GDPR, especially when companies are making a good faith effort to comply with the law.  Third, there is a risk that the one-stop-shop is going to become effectively meaningless.  As U.S. policymakers consider a federal privacy law, this should be a key co ...

Does the EU’s right to be forgotten extend to the whole world?  The French data protection authority, CNIL, says yes and wants search engines to delist search results which contain information that violates the European Union’s right to be forgotten – not just for French users, not just for European users, but for all users everywhere. Google is prepared to remove offending search results for European users, but balks at removing material globally just because European courts find that it violates European privacy rules. 

Just as everyone was headed out of Washington for the Memorial Day weekend, CNBC did a report on Google’s Two Years of Forgetting Europeans. It was a useful summary of the material Google publishes in its transparency report on European privacy requests for search removals.  It noted such interesting facts as that Google has removed 43% of the URLs they have reviewed and processed and that Facebook was the most frequently removed URL. But the report strangely missed a major legal development that threatens a stable international understanding about the limits of domestic law in age of global communications networks. This stable understanding is that national governments have control over the Internet within their own borders.  They have right and the obligation to make the rules of the road for Internet conduct occurring within their own borders. But they don’t have the right to extend their local laws to Internet conduct within the jurisdiction of other cou ...