We have written before the about the right to be forgotten and two new rulings from the European Court of Justice last week add some clarity as to what that right entails. There are some technical terms in this note which you can check by looking at our glossary at www.bit.ly/gdprwords.
What’s the history?
The right to be forgotten first came before the European Court of Justice (ECJ) in May 2014 when the ECJ looked at a complaint lodged with the Spanish Data Protection Agency against a Spanish newspaper publisher, Google Spain and Google Inc. by an individual who was unhappy that when internet users searched his name in Google the results displayed 2 pages of a newspaper about him dating back to early 1998. The ECJ decided that Google was processing personal data under data protection law (this case pre-dated the coming into force of GDPR) and that Google was acting as a data controller. You can find out more about this case in our alert from May 2014 here https://www.corderycompliance.com/european-court-google-ruling/
The case caused shockwaves throughout some sections of the internet community and Google sponsored a tour to talk to interested parties about the significance of the judgment. You can find out more about this here https://www.corderycompliance.com/blog-google-advisory-council-event-discusses-the-right-to-be-forgotten/
There have been cases on the right to be forgotten since, including a case limiting the right to be forgotten in 2017 (https://www.corderycompliance.com/client-alert-european-court-limits-right-to-be-forgotten/) and a case before the European Court of Human Rights in 2018 here https://www.corderycompliance.com/european-court-murder-anonymization-rtbf-judgement/
Data protection regulators have also been involved following the original ECJ judgment – for example the UK Information Commissioner’s Office made its first order in 2015 https://www.corderycompliance.com/first-ico-right-to-be-forgotten-order-against-google/
What about GDPR?
The General Data Protection Regulation (GDPR) came in on 25 May 2018 and brought in a statutory right to be forgotten (also called a right to erasure) across the EU. You can find out more about GDPR in our FAQs here www.bit.ly/gdprfaq. The right to be forgotten in GDPR is not exactly the same as the court-made right from the Google Spain case but GDPR does create a statutory right to be forgotten (again subject to exceptions) in GDPR Art.17.
These cases were brought to consider pre-GDPR law however the ECJ said it took GDPR into account when looking at the questions before the court.
What were these new cases about?
Both of these new cases were referrals from France.
In the first case (Google LLC, venant aux droits de Google Inc. v Commission nationale de l’informatique et des libertés (CNIL)) the French Data Protection Authority, CNIL, imposed a penalty of €100,000 on Google because of Google’s refusal when granting a de-referencing request to apply it across all of Google’s domain name extensions. Google had granted the de-referencing request but only applied it to the pages on the versions of its search engine directed at EU Member States. Google asked the Conseil d’État in France to annul CNIL’s decision. The Conseil d’État referred a number of questions of EU law to the ECJ for a preliminary ruling.
The ECJ said that whilst individuals do have rights to de-referencing this is not an absolute right and the rights of individuals must be balanced against other rights and be proportionate. It said that the balance between rights to privacy and rights to freedom of information vary significantly around the world. It said that it was not clear that EU lawmakers had intended to extend the scope of de-referencing outside the EU and as a result effectively agreed with Google that CNIL’s order could apply only to search engines relating to EU countries. It did however state that Google could be ordered to take steps to prevent or (seriously discourage) an internet user from conducting a search from an EU country via a different version of Google outside the EU.
What was the second case about?
The second case (GC, AF, BH, ED vs. Commission nationale de l’informatique et des libertés (CNIL)) was also referred from France after 4 individuals brought proceedings before the Conseil d’État against CNIL regarding four separate decisions of CNIL refusing to serve formal notice on Google to de-reference various links. The individuals concerned sought the removal of various links from Google including links to YouTube content (Google bought YouTube in 2016) and newspaper articles. These were separate complaints involving different subject matter in each case but involved two former political figures, a former advisor to the Church of Scientology and a person previously convicted of child sex offences.
Again the Conseil d’État referred questions on the interpretation of EU law to the ECJ. The ECJ looked at the balancing test between the data subject’s rights and the freedom of internet users and said that the balance might be different for public figures where the public could have more interest in information relating to those who live a public life. It said that where the operator of the search engine receives requests for de-referencing it was still a balancing test based on all of the relevant factors of the particular case and taking into account the seriousness of the interference with the data subject’s rights to privacy. It must also look at whether the material in a search is strictly necessary for protecting the freedom of internet users potentially interested in accessing the web page by searching.
Where the data subject has made the information public, a search engine operator may refuse to agree to the de-referencing request provided that its processing is lawful and provided that the data subject does not have the grounds to object to processing given his or her particular situation. The ECJ also gave particular guidance when referring to criminal proceedings including requiring someone providing links to criminal cases to update those links as the case progresses.
Where does this leave us?
It is clear that these cases are somewhat complex and the situation is not helped by the fact that the ECJ’s own website was down on the day it gave judgment. What is clear is that we are seeing more right to be forgotten requests since GDPR came into force and those requests are not just being made against search engines. For example, organisations have received right to be forgotten requests from failed job candidates, former employees and third parties involved in due diligence have received right to be forgotten requests from people wishing to clean up their past. Given the increasing use of right to be forgotten and other data subject rights, organisations should:
- have a proper process in place for dealing with data subject requests;
- train public facing individuals across the business to be alive to data subject requests – there is no set form and requests can be made orally and by social media;
- be prepared to do a balancing test when they receive requests. Having a Data Protection Impact Assessment (DPIA) for that particular process can help so that a justification for processing can be readily to hand.
We are likely to see more right to be forgotten requests in the coming months and organisations should do all that they can to make sure that they handle requests properly.
There are more details of the Google LLC, venant aux droits de Google Inc. v Commission nationale de l’informatique et des libertés (CNIL) case here http://bit.ly/2miAnQ7
There are more details of the GC, AF, BH, ED vs. Commission nationale de l’informatique et des libertés (CNIL) case here http://bit.ly/2n51cYo
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
30 Farringdon Street
London EC4A 4HHOffice: +44 (0)20 7075 1784
30 Farringdon Street
London EC4A 4HHOffice: +44 (0)20 7075 1785