Anne Klinefelter (University of North Carolina School of Law) and Sam Wrigley (University of Helsinki, Finland, Faculty of Law) have posted “Google LLC v. CNIL: The Location-Based Limits of the EU Right to Erasure and Lessons for U.S. Privacy Law” (North Carolina Journal of Law and Technology, Vol. 22, No. 4, 2021) on SSRN. Here is the abstract:
As the United States considers preemptive federal privacy law, the discussion can be enriched by a reassessment of the EU example as illustrated in a 2019 decision at the European Court of Justice. The General Data Protection Regulation that took effect in 2018 is often described as an important model for unifying and centralizing data protection law in order to provide consistent protections of rights. But the Google LLC v. CNIL decision highlights that the EU law did not in fact create a monolithic system without room for Member State variation.
This Article takes a close look at the way that the erasure right is articulated in the GDPR, examining how competing rights are balanced, how Member States’ different approaches to balancing rights are accommodated, and how related provisions in the law inform an understanding of the erasure provision in Article 17. The Article also examines the 2019 Google LLC v. CNIL decision, exploring the Court’s reasoning and the impact of the case on EU erasure rights and beyond.
This Article draws on these examinations of the erasure-related provisions of the GDPR and of the Google LLC v. CNIL decision to advance a better understanding of how the influential EU Regulation embraces the possibility of significant Member State variation and ongoing balancing of data protection with expression and information rights. Guiding principles of subsidiarity and proportionality that are foundational to the European Union, incorporated into the GDPR, and evident in the Google LLC v. CNIL decision provide the basis for this national deference and deferred balancing. Together, subsidiarity and proportionality principles caution against extensive consolidation of privacy law into a one-size-fits-all solution. The United States can learn from the European Union that a monolithic and inflexible federal law many not only be difficult to enact but also undesirable.