skip to Main Content

Development Of The Right To Be Forgotten Under Gdpr

INTRODUCTION

The European Commission meeting in May 2009 gave rise to the Right to be Forgotten. An examination of the question, “Is there a basic right to forget?”is carried out. The right “to erasure” is another name for the right to be forgotten. When personal information becomes irrelevant to the organisation, a person has the right to request that it be deleted. Given how hard it is to forget anything, this right could be challenging to implement. However, the regulation has been called for to take into account personal privacy by removing erroneous information.

The EU General Data Protection Regulation contains a codification of the right to be forgotten. Due to this, the EU decided to extend the right to be forgotten to all data processing. Any person has the right under the GDPR to ask for the deletion of their personal information or data if there is no compelling reason to continue processing it.

Google Spain v. AEPD and Mario Costeja González

On March 5, 2010, a Spanish national by the name of Mario Costeja Gonzalez lodged a complaint against Google Spain and Google Inc. with the Spanish Authority for Personal Data Protection (AEPD), the nation’s data protection authority. The individual claimed that a Google search auction of his repossessed home violated his right to privacy since the proceedings involving him were long over, making any mention of them illegal and unnecessary. He demanded that Google Spain or Google Inc. remove the offensive content after first asking the newspaper to delete or modify the pages so that his personal information didn’t appear on them.

[Image Sources: Shutterstock]

General Data Protection RegulationThe AEPD rejected the newspaper’s request on the grounds that since the items were lawfully published when they were issued, no newspaper is compelled to have them retracted. The court upheld the Google lawsuit.

The European Court of Justice effectively explains the right to be forgotten in this case by noting that every person has the option to request the deletion of their information if it is inadequate, irrelevant, or no longer relevant for those reasons given the passage of time.

The case was referred to the Court of Justice of the European Union by the Spanish court putting forward the following questions:

  • Does EU’s 1995 Data Protection Directive can be applied to search engines like Google?;
  • Does EU law (the Directive) gets applied to Google Spain even though the given company’s data processing server was in the United States?;
  • Lastly, whether an individual has the right to request to remove his personal data from accessibility via a search engine i.e., the ‘right to be forgotten’.

The court ruled that search engines are allowed to process user information were doing so is required by the data subject’s or a third party’s legitimate interest. The right is subject to limitations, especially when it comes to the basic rights of the data subject, such as the right to privacy.

Google Spain is a subsidiary of Google Inc., making Google Inc. a subject of the EU Directive, according to the court’s response on the question of whether Google Spain is subject to EU law (the Directive). A major source of concern was the legal obligations that web search engines like Google had under the Directive. The court determined that web search engines have the right to handle personal data were doing so is necessary to the legitimate interests of the data owner or another party. The right is subject to restrictions, particularly when it comes to the basic rights of the data subject, such as the right to privacy.

The court determined that in certain circumstances, the data controller must also remove this information in addition to the data subject having this right. With this decision, the Court acknowledged that Mario Costeja Gonzalez had the right to have his personal information deleted even if Google was not required to do so.

The decision is extremely important since it sets a precedent for all future cases. Notably, the decision made clear the differences between deleting content from a website and a search engine. The right to privacy and the protection of personal data are far less affected when information is made public on a single website than when the same information is made public on a search engine. This is mainly because material that has been published on a search engine may be accessed by a larger audience.

This defence served as the foundation for the Court’s ruling. For instance, when someone searches for information on another person, he will surely enter the person’s name into a search engine and won’t visit every website where he thinks the person’s name may be mentioned. As a result, the information has to be removed from the search engine for more privacy protection.

The right to privacy and the protection of personal data are subject to limitations, according to the court, including the interest of the general public. Despite the fact that this right to privacy is extremely important, it cannot be absolute and must be reasonably balanced. On a case-by-case basis, the Court must determine the proper ratio between the freedoms of expression and information and the right to privacy.

An important question that this ruling left open was the right to be forgotten’s geographic scope, more particularly, whether it could be used outside of the EU. This issue was resolved by the historic ruling in Google v. CNIL, which held that Google is not compelled by EU legislation to implement the universal right to be forgotten.

The decision in this case sets a standard for the protection of personal information both domestically and abroad. The right to be forgotten is well protected under the GDPR. As one of the biggest data controllers of personal data, Google has recently developed a procedure that enables its users to exercise their right to be forgotten in a rapid and straightforward manner.

THREE THINGS TO LEARN FROM EUROPE’S RIGHT TO BE FORGOTTEN DECISIONS

France’s Global Injunction Was Problematic

The first lesson from this case is that it is not lawful nor practicable for France to force Google to worldwide erase links to specific content from its search engine results. Google agreed to remove certain offensive search results from its database in order to abide by Europe’s “Right to Be Forgotten” law. Which search database should be used was the question at hand. The company presented three different options:

Domain-level reaction This entails removing objectionable items from only the country-level domain, for instance, google.fr.

Geographical response: In this situation, the user’s location is determined using geolocation technology, which ensures that people in that region (in this example, Europe) do not have access to links to the offensive information.

Global takedown: This refers to removing the infringing material’s connections from every website in the globe.

In one instance, Google began at the domain level before being forced to go local, but the authorities insisted on a worldwide removal. The offensive and targeted content was first removed by Google from its Google.fr website but not from google.com. It was determined to employ the geolocation technology to delete the content after holding an advisory meeting. However, CNIL sought a broad injunction and came to the conclusion that Google should take the infringing links down from all of its search results.

The worldwide delisting would aid in the protection of personal data in the European Union, which has been protected by European privacy legislation.However, because it is not a natural right, the right to the protection of personal information must be weighed against other important basic rights. This study demonstrated that the CNIL’s worldwide order was not expressly authorised by the EU. Additionally, the court dismissed the order because it did not strike a balance between concerns about openness of information and privacy rights.

Global Injunctions Aren’t Always a Bad Thing

Regarding the extraterritorial regulation of the internet, the court allowed some room for interpretation. Despite the fact that EU legislation does not permit France to require Google to delete listings internationally, the court ruled that this practise is not illegal either.This implies that, as long as they adhere to the principle of striking a balance between privacy and openness of information, the absence of any statutory authority might be a valid justification for issuing a global injunction.

The court held that there was nothing improper about worldwide injunctions and suggested that they may be effective as redress for widespread internet abuses.

Content Moderation and Universal Injunctions: The Two Big American Debates

The court emphasised the value of robust speech laws while also emphasising how difficult it is to speak clearly on a large platform. The court decided in the sensitive data decision that Google must get consent before processing sensitive data.Users’ knowledge of what data sharing was sensitive and unlawful was needed for this.

In its decision on sensitive data, the court stated that while consent must be obtained before processing some sensitive classes of data, it did not anticipate Google to be able to resolve this issue without some assistance from users regarding what constitutes sensitive and unlawful data sharing.

The Right to be Forgotten is incredibly important in the current context, yet it has several limitations. It is not the one essential right that will take precedence over all other rights, such as freedom of the press or freedom of expression.

This is to get to the conclusion that a person’s privacy is extremely important in today’s world and cannot be discounted in any manner.

CONCLUSION

The right to be forgotten does not come with any assurances, as you have just read and witnessed. There are several limitations and exclusions. Probability, proportion, cost, and other considerations must be taken into account by data controllers. Enabling the application of the right to be forgotten is challenging and necessitates thorough analysis of every situation, the influence of various technologies, and any potential conflicting legal grounds.

Another crucial step is setting priorities. It is evident that in some circumstances (such as those involving unauthorised processing and express authorisation), more is at stake. It goes without saying that information relating to children should be given top consideration. Despite the fact that there are several practical exceptions, it’s critical to comprehend the arguments for using the right to erasure. Some background was given to the infographic.

Author: Abhishek Singh, A Student at National University of Study and Research in Law, Ranchi, in case of any queries please contact/write back to us via email to [email protected] or at IIPRD. 

REFERENCES/CITATIONS

  • Banking Hub. 2017. GDPR deep dive—how to implement the ‘right to be forgotten’. https://www.bankinghub.eu/banking/finance-risk/gdpr-deep-dive-implement-right-forgotten
  • Alexander Tsesis. 2019. Data Subjects’ Privacy Rights: Regulation of Personal Data Retention and Erasure. University of Colorado Law Review 90 (Jan. 2019), 593–629.
  • Google Spain v Agencia Española de Protección de Datos and Mario Costeja González, case C131/12, 13.05.2014. ECLI:EU:C:2014:317.
  • McGOLDRICK, Dominic. Developments in the Right to be Forgotten, Human Rights Law Review, 2013, vol. 13, no. 4, pp. 761–776.
Back To Top