The Right to be forgotten, in Europe anyway

October 08, 2019

0 comments

by Charlie Parker Solicitor, Senior Associate

Email +44 (0) 7841 074 041

by James Lloyd Solicitor, Senior Manager

Email +44 (0) 7483 417 072

The judgment in GC and Others v Commission nationale de l'informatique et des libertés (CNIL)1, otherwise known as the ‘Right to be Forgotten’ case, has been released.

Four applicants each asked a search engine operator to remove (or “de-reference”) search results on their names. The applicants wanted to prevent certain aspects of their private lives from appearing in search results. For instance, a search of one of the applicant’s names led to a video of her explicitly referring to an intimate relationship with a political figure for whom she worked. A search on another’s name included reference to historic criminal proceedings.

The search engine operator refused to take down the search results and so the applicants brought claims before the French data protection supervisory authority, CNIL, requesting that the search engine operator be ordered to do so. CNIL also turned the applicants down, so they went to the Counseil d’Etat (Council of State, France) to serve formal notice on the search engine operator. The Counseil d’Etat found that the applications raised questions about the interpretation of the Data Protection Directive (a precursor to the GDPR)2, and it referred the case to the European Court of Justice to clarify the obligations of search engine operators when handling a request for de-referencing. Although the right to be forgotten is now codified in the GDPR, this case revolves around the earlier Directive due to the age of the claims and the history of the case.

What is the 'right to be forgotten'?

The right to be forgotten is now codified in Article 17 of the GDPR3 and is more formally known as the right to erasure. The right allows individuals to make a request to have their personal data erased. However, the right is not absolute and only applies in some circumstances: it has to be considered alongside the right of freedom of expression and information, data controllers’ legal obligations, the public interest, processing for research purposes and the necessity to retain data to defend legal claims.

What did the court find?

Most significantly, the Court of Justice found that the right to be forgotten does not stretch beyond the borders of the European Union. While search engine operators should remove the search results following data subjects’ de-referecing requests in the EU, this does not apply to the rest of the world.

This decision hints at the limits of the GDPR and European privacy standards in the global market more generally, calling into question its extraterritorial jurisdiction. In practice, this recent judgment could signal a change in the way right to erasure requests are handled by multinational enterprises operating outside of Europe. If the right to erasure can only be enforced in Europe, what does this signal about the efficacy of other principles of European privacy law elsewhere in the world?

The court also found that the restrictions on processing special categories of data apply to search engine operators in the same way that they apply to any other controller of personal data, since it is the purpose of those restrictions to make sure fundamental rights to privacy and the protection of personal data is not compromised. However search engine operators are only responsible for the data because of their referencing function, and so the restrictions to the processing of sensitive data only apply to them because of that referencing and verification on the basis of a request by the data subject4.

When search engine operators receive a de-referencing request the operator may refuse to de-reference the data if the search results lead to data which were made public by the data subject. The search engine operator must establish whether the inclusion of the search results is strictly necessary to protect the freedom of information of internet users who are interested in accessing those search results by searching for the data subject’s name. The court found that while, usually, the rights to privacy and the protection of personal data override the freedom of information of internet users, the balance should depend on the nature of the data in question and how sensitive it is on the data subject’s private life, and on the interest of the public in having that information. This level of interest may vary depending on who the data subject is and the role they might play in public life.

Where a data subject has made a de-referencing request in relation to historic criminal proceedings, search engine operators must still weigh the data subject’s right to privacy and protection of personal data with the freedom of information. However, should the search engine operator find that freedom of information overrides the data subject’s right to privacy and protection of personal data, the operator must adjust the search results in a way that gives an overall picture of the data subject’s current legal position. This means that links to web pages containing information about the historic criminal proceedings must appear after the links to web pages containing information about the data subject’s current legal position.

Footnotes

1 C‑136/17 GC and Others v Commission nationale de l'informatique et des libertés (CNIL) [2019].

2 Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L281/31.

3 Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1.

4 C‑136/17 Abstract.

Sources

C-131/12 Google Inc v Agencia España de Protección de Datos, Mario Costeja González [2014]

C‑136/17 GC and Others v Commission nationale de l'informatique et des libertés (CNIL) [2019]

Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L281/31

Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1

by Charlie Parker Solicitor, Senior Associate

Email +44 (0) 7841 074 041

by James Lloyd Solicitor, Senior Manager

Email +44 (0) 7483 417 072