In Google LLC v. Commission nationale de l'informatique et des libertés (CNIL), the Court of Justice of the European Union (CJEU or Court) held that the EU law only requires valid “right to be forgotten” de-referencing requests to be carried out by a search engine operator on search engine versions accessible in EU member states, as opposed to all versions of its search engine worldwide. While the ruling has been perceived as a “win” for Google and other interveners, such as Microsoft and the Wikimedia Foundation, who argued against worldwide de-referencing, the Court also made clear that that while the EU law does not currently require worldwide de-referencing, “it also does not prohibit such a practice” (para. 72). As a result, the CJEU found that an order by a national supervisory or judicial authority of an EU member state requiring worldwide de-referencing in accordance with its own national data protection laws would not be inconsistent with EU law where the data subject's right to privacy is adequately balanced against the right to freedom of information. By leaving the door to extraterritorial de-referencing wide open, the CJEU continues to pursue its post-Snowden hard-line stance on data privacy in a manner that is likely to transform the data privacy landscape.