Google Wins landmark privacy case on right to be forgotten

Google Wins landmark privacy case on right to be forgotten

Judges at the Court of Justice of the European Union this week ruled that Google does not have to apply the GDPRs right to be forgotten globally.

 

On Tuesday September 24th, in what is being lauded as a landmark privacy case, Luxembourg-based judges said operators of a search engine are not required to carry out a de-referencing on all versions of its search engine. This means that firms like Google—when acting on an individuals request to remove personal data; i.e their right to be forgotten,—only need to remove links from search results in Europe and nowhere else.

The court ruling stemmed from a May 2015 dispute between French Data Protection Authority, the CNIL, and Google Inc where the CNIL gave Google Inc formal notice to apply de-referencing requests to all its search engines domains and name extensions. Google Inc however refused to do so and confined itself to removing the links in question from only the results displayed in EU member states. As a result on March 10, 2016, the CNIL imposed a EUR100,000 penalty on Google Inc. Google subsequently requested that the Council of State, France, annul the March 10, 2016 adjudication on the grounds that the right to be forgotten does not necessarily require that the links at issue are to be removed, without geographical limitation, from all its search engines domain names.

 

On Tuesday the court ruled in favor of Google Inc, concluding that:

Currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.

However, EU law requires a search engine operator to carry out such a de-referencing on the versions of its search engine corresponding to all the Member States and to take sufficiently effective measures to ensure the effective protection of the data subjects fundamental rights. Thus, such a de-referencing must, if necessary, be accompanied by measures which effectively prevent or, at the very least, seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subjects name from gaining access, via the list of results displayed following that search, through a version of that search engine outside the EU, to the links which are the subject of the request for de-referencing.

GDPR’s Right to Be Forgotten

An individual’s right to request to have personal data erased falls under article 17 of the GDPR. This is known as their right to erasure or the right to be forgotten. This right is however not absolute and only applies in certain circumstances.

According to the ICO an individual has the right have their personal data erased if:

“the personal data is no longer necessary for the purpose which you originally collected or processed it for;
you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
you are processing the personal data for direct marketing purposes and the individual objects to that processing;
you have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
you have to do it to comply with a legal obligation; or
you have processed the personal data to offer information society services to a child.”

Dr Bostjan Makarovic, Aphaia managing partner, further explains: “Like other GDPR rights, one could not expect the right to be forgotten to apply globally, without limitations. The latest ECJ Google right to be forgotten ruling further clarifies the limits of the GDPR’s extraterritorial effects.”

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.

Leave a Comment

(0 Comments)

Your email address will not be published. Required fields are marked *