Judges at the Court of Justice of the European Union this week ruled that Google does not have to apply the GDPR’s right to be forgotten globally.
On Tuesday September 24th, in what is being lauded as a landmark privacy case, Luxembourg-based judges said operators of a search engine are not required to carry out a de-referencing on all versions of its search engine. This means that firms like Google—when acting on an individual’s request to remove personal data; i.e their right to be forgotten,—only need to remove links from search results in Europe and nowhere else.
The court ruling stemmed from a May 2015 dispute between French Data Protection Authority, the CNIL, and Google Inc where the CNIL gave Google Inc formal notice to apply de-referencing requests to all its search engine’s domains and name extensions. Google Inc however refused to do so and confined itself to removing the links in question from only the results displayed in EU member states. As a result on March 10, 2016, the CNIL imposed a EUR100,000 penalty on Google Inc. Google subsequently requested that the Council of State, France, annul the March 10, 2016 adjudication on the grounds that the right to be forgotten does not necessarily require that the links at issue are to be removed, without geographical limitation, from all its search engine’s domain names.
On Tuesday the court ruled in favor of Google Inc, concluding that:
“Currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.
“However, EU law requires a search engine operator to carry out such a de-referencing on the versions of its search engine corresponding to all the Member States and to take sufficiently effective measures to ensure the effective protection of the data subject’s fundamental rights. Thus, such a de-referencing must, if necessary, be accompanied by measures which effectively prevent or, at the very least, seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subject’s name from gaining access, via the list of results displayed following that search, through a version of that search engine ‘outside the EU, to the links which are the subject of the request for de-referencing.”
GDPR’s Right to Be Forgotten
An individual’s right to request to have personal data erased falls under article 17 of the GDPR. This is known as their right to erasure or the right to be forgotten. This right is however not absolute and only applies in certain circumstances.
According to the ICO an individual has the right have their personal data erased if:
Dr Bostjan Makarovic, Aphaia managing partner, further explains: “Like other GDPR rights, one could not expect the right to be forgotten to apply globally, without limitations. The latest ECJ Google right to be forgotten ruling further clarifies the limits of the GDPR’s extraterritorial effects.”