The Right To Be Forgotten…In Certain Locations
In another key ruling on September 24th, 2019, the European Court of Justice ruled in favor of Google by limiting the “right to be forgotten” to EU member states. In the ruling on the case between Google, Inc. and Commission nationale de l’informatique et des libertés (CNIL, aka the French Data Protection Authority)(1), it was made clear that operators of search engines are not required to carry out “de-referencing” (i.e. removing links to websites that contain the personal data of an individual from the search results) on all versions of its search engines, but are required to de-reference results on its EU member domains under the General Data Protection Regulation (GDPR).
However, the European Court of Justice also highlighted that Google Inc.’s activities in France are inextricably linked to the processing of personal data for the purpose of operating the search engine, and operating the search engine could be considered as a single act of processing. As there are “gateways between various national versions,” this processing could fall under the scope of the GDPR, allowing the EU Member States’ data protection authorities to treat the recent ruling as a “floor,” or minimum requirement. Therefore, this precedent may not be the final word, as EU Member States may require the operators of search engines to apply the “right to be forgotten” on all domains globally.
A previous ruling on a case of the Spanish Data Protection Agency vs Google from 2014(2) already stated that operators of a search engine are required to remove links to websites that contain personal data of an individual if such a request is made, even if that data on the websites is lawful. This interpretation of the “right to be forgotten” (Article 17 of the GDPR(3)) is expansive. However, the European Court of Justice ruled that because search engines make it significantly easier to find information, they are fully responsible for the displayed search results. Yet, Google only applied to its national domains, and did so by using geolocation data to make sure users would not be able to see the de-referenced websites. Consequently, the CNIL wanted the ruling enforced globally on all domains and levied a fine of €100,000 on Google, Inc. for not complying — which the company appealed — leading to the new ruling in Google Inc’s favor.
Google has become a quasi-judicial authority and watchdog on the “right to be forgotten,” as it has been given the power to self-determine which de-referencing requests to honor and what constitutes private information under the GDPR(4). According to company figures, Google has received roughly 3.36 million requests to delete search results, removing the items in about 45% of cases, and either rejecting or fighting the remainder of the requests(5).
One of the key insights of the ruling was certainly that while Google, Inc. operates different national versions of its search engine, they are all considered to be part of a single act of processing data. With GDPR applying to the data processing of the search engine as a whole, and not just the EU versions, it allows the different national data regulators to do their own evaluations as to potentially requiring de-referencing data globally if the processing is inextricably linked. This potentially could also apply to companies outside of the search engine business, but that operate a service with a single act of processing of personal data within the EU, impacting data processing for the company globally. However, it remains to be seen if national regulators will enforce this globally; and given that the GDPR’s territoriality principle (Article 3 of the GDPR) should not be applied too broadly(6), it seems unlikely regulators will go for this. Yet, the continuous interpretation of personal data privacy laws by courts represents a challenge for companies to stay compliant and define a data strategy that accounts for unforeseen shifts in compliance requirements.Consumer PrivacyGDPR Regulatory Updates Industry Trends Data Misuse