Google wins landmark case establishing that this right does not extend outside of the EU
On Tuesday this week, the ECJ delivered its judgment in a case between Google and the French privacy regulator CNIL. The judgment clarified that an individual’s right to erasure of personal data, the so-called ‘right to be forgotten’, only extends to the boundaries of the EU – it is not a right to worldwide erasure. As you can imagine, there has been a lot of interest in the case since, had the ruling gone the other way, it could have been seen as an attempt by Europe to police international companies beyond the EU’s borders.
The case originated in a dispute between Google and the French privacy regulator CNIL. Five years ago, judges in Luxembourg made it a requirement for Google globally to delete links that led to sensitive details, if asked to do so by individual data subjects. Google reacted to the original judgment by introducing a geo-blocking technology which stopped European users from being able to see delisted links. However, it resisted delisting search results for people in other parts of the world, challenging a €100,000 (£88,376) fine CNIL sought to impose.
To put it in context, Google has said that since the original ruling, it has received more than 845,000 requests to remove a total of 3.3 million web addresses, with about 45% of the links ultimately getting delisted. This involves both removing the results from all of its European sites as well as restricting results from its other sites – such as Google.com – if it detects a search is being carried out from within Europe. However, this means that users can still circumvent the action if they use a virtual private network (VPN) or other tool to mask their location. The ECJ ruling went on to say that the delistings must “be accompanied by measures which effectively prevent or, at the very least, seriously discourage an internet user” from being able to access the results from one of Google’s non-EU sites. “It will be for the national court to ascertain whether the measures put in place by Google Inc. meet those requirements” through its current processes.
So what is the right to be forgotten?
The GDPR and our own Data Protection Act 2018 call this right a ‘right to erasure’. Under Article 17 of the GDPR we all, as individuals, have the right to ask to have personal data erased. However, the right is not absolute and only applies in certain circumstances where:
- the personal data is no longer necessary for the purpose for which it was originally collected or processed;
- you gave consent to the processing of your personal data and you now withdraw your consent;
- the entity processing your personal data is relying on ‘legitimate interests’ as the basis for processing, you object to the processing of your data, and there is no overriding legitimate interest to continue this processing;
- you object to the processing of your personal data for direct marketing purposes;
- your personal data is processed unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle);
- a third party has processed the personal data to offer information society services to a child.
The right to erasure does not apply if processing is necessary for one of the following reasons:
- To exercise the right of freedom of expression and information
- To comply with a legal obligation
- For the performance of a task carried out in the public interest or in the exercise of official authority
- For archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing
- For the establishment, exercise or defence of legal claims.
The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:
- If the processing is necessary for public health purposes in the public interest (e.g. protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices)
- If the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (e.g. a health professional).
If you or your business has received a request for erasure, then you must comply with it without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receipt of:
- any information requested to confirm the requester’s identity (if you have doubts about the identity of the person making the request, you can ask for more information); or
- a reasonable administration fee (only in certain circumstances where the request is manifestly unfounded or excessive).
You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month. If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond. This means that the exact number of days you have to comply with a request varies, depending on the month in which the request was made.
If you would like more information on the right to be forgotten or on other data protection matters, please contact one of our data protection team: Laura Trapnell, Crispin Dick, Emily Sadler or Ryan Mitchell.