CNIL also rejected Google's accusation that it was going beyond its jurisdiction, saying that it just wants non-European companies to respect European laws when offering their services in Europe.
There seems to be little pressure on Google to comply: It took CNIL a year after the CJEU ruling to ask Google extend the right to be forgotten to google.com and now, four months later, it is merely threatening to appoint someone to report to its sanctions committee "with a view of obtaining a ruling on this matter."
This case shows how little power the multiplicity of national privacy regulators have to defend the European Union's 500 million citizens, and highlights the tangle of different legal regimes that hamper multinational companies hoping to serve them.
Those are two of the problems the European Commission hopes to solve with the introduction of the General Data Protection Regulation, the first update of the EU's common legislation on privacy since 1995. The Commission, European Parliament and European Council could agree by the end of this year on a final legislative text, which would take effect by the end of 2017.
For companies like Google, the legislation would be a mixed blessing: On the one hand, it would only have to deal with a single European privacy regulator, but on the other it could face fines of up to 5 percent of its worldwide revenue for breaking the rules, rather than the derisory tens of thousands of euros it could be ordered to pay today.
Sign up for CIO Asia eNewsletters.