Privacy & Information Security Law Blog

On November 15, 2022, the Italian Supreme Court held that an Italian court or competent data protection authority has jurisdiction to issue a global delisting order. A delisting order requires a search engine to remove certain search results about individuals if the data subject’s privacy interests prevail over the general right to expression and information, and the economic interest of the search engine. The case was brought by an Italian individual, who requested a worldwide delisting order, concerning all versions of the search engine, due to potential damage to the applicant's professional interests outside of the European Union.

The territorial scope of delisting has been the subject of discussion in the context of the right to be forgotten, which was recognized in the Court of Justice of the European Union’s (“CJEU”) landmark decision in Costeja v Google Spain, and subsequently codified under Article 17 of the General Data Protection Regulation (“GDPR”). The CJEU clarified the territorial scope of delisting orders in another case, Google v. CNIL, where it held that there is no obligation under EU law for search engine operators to remove links on all version of its search engine worldwide. However, the CJEU also noted in Google v. CNIL that while EU law does not currently require a delisting to be carried out on all versions of a search engine, it also does not prohibit such a practice if ordered by a national judicial or data protection authority. Accordingly, EU Member States’ judicial or data protection authorities remain competent to weigh up conflicting interests and order global delisting where appropriate. The CJEU followed the same reasoning in Glawischnig-Piesczek v Facebook Ireland, where copyright was concerned, and held that a court in a Member State could issue injunctions with extraterritorial effect.

In this case, the Italian Supreme Court reiterated the findings of Google v. CNIL, that each Member State, including Italy, is free to permit delisting orders at a global level based on national standards of protection of fundamental rights. This assessment requires a balance between the right to protection of one’s private life and personal data, and the right to freedom of information. This means that individuals may request that the operator of a search engine remove results relating to an individual on all versions of its own search engines, including those outside the EU. In its judgment, the court refused to make any referral to the CJEU to seek clarification; instead, it found that the guidance from the CJEU on the competence of national authorities to issue global removal orders is clear.