[T]he right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.... Furthermore, the balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world.
While the EU legislature has, in Article 17(3)(a) of Regulation 2016/679 [GDPR], struck a balance between that right and that freedom so far as the Union is concerned ... it must be found that, by contrast, it has not, to date, struck such a balance as regards the scope of a de-referencing outside the Union.
"Proportionality" is a core principle of EU human rights law when regulation collides with individual rights, or, as here, state power is implicated to favor one individual's rights over those of others. The same principle also constrains supra-national authority over member states.
Google complied with the CNIL order only for European domains, such as "google.fr" for France, and not across Google domains worldwide. Google employs geo-blocking to prevent European users from subverting de-listing simply by searching at "google.com" (United States) or "google.com.br" (Brazil). Determined users still can beat geo-blocking with sly technocraft, so CNIL was dissatisfied with the efficacy of Google's solution. Undoubtedly, a dispute will arise yet in which the CNIL or another European data protection authority tests its might with a more persuasive case for global de-listing.
The case is Google, LLC v. Commission Nationale de L’informatique et des Libertés (CNIL), No. C-507/17 (E.C.J.), Sept. 24, 2019. Several free speech and digital rights NGOs intervened on behalf of Google, including Article 19, the Internet Freedom Foundation, the Reporters Committee for Freedom of the Press, and the Wikimedia Foundation, as well as Microsoft Corp. The case arose initially under the 1995 EU Data Protection Directive, but carries over to the new regime of the General Data Protection Regulation (GDPR).