On Tuesday this week, the ECJ delivered its judgment in a case between Google and the French privacy regulator CNIL. The judgment clarified that an individual’s right to erasure of personal data, the so called ‘right to be forgotten’, only extends to the boundaries of the EU – it is not a right to worldwide erasure. There has been a lot of interest in the case as you can imagine since, had the ruling gone the other way, it could have been seen as an attempt by Europe to police international companies beyond the EU’s borders.
The case originated in a dispute between Google and the French privacy regulator CNIL. Five years ago, judges in Luxembourg made it a requirement for Google globally to delete links that led to sensitive details, if asked to do so by a individual data subjects. Google reacted to the original judgment by introducing a geo-blocking technology which stopped European users from being able to see delisted links. However, it resisted delisting search results for people in other parts of the world, challenging a €100,000 (£88,376) fine CNIL sought to impose.
To put it in context, Google has said that since the original ruling, it has received more than 845,000 requests to remove a total of 3.3 million web addresses, with about 45% of the links ultimately getting delisted. This involves both removing the results from all of its European sites as well as restricting results from its other sites – such as Google.com – if it detects a search is being carried out from within Europe. However, this means that users can still circumvent the action if they use a virtual private network (VPN) or other tool to mask their location. The ECJ ruling went on to say that the delistings must “be accompanied by measures which effectively prevent or, at the very least, seriously discourage an internet user” from being able to access the results from one of Google’s non-EU sites. “It will be for the national court to ascertain whether the measures put in place by Google Inc. meet those requirements” through its current processes.
The GDPR and our own Data Protection Act 2018 call this right, a ‘right to erasure’. Under Article 17 of the GDPR we all, as individuals, have the right to ask to have personal data erased. However, the right is not absolute and only applies in certain circumstances where:
The right to erasure does not apply if processing is necessary for one of the following reasons:
The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:
If you or your business has received a request for erasure, then you must comply with a request for erasure without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receipt of:
You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month. If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond. This means that the exact number of days you have to comply with a request varies, depending on the month in which the request was made.
If you would like more information on the right to be forgotten or on other data protection matters, please contact one of our data protection team : Laura Trapnell, Crispin Dick, Emily Sadler or Ryan Mitchell.