PART 1: Google Saga - The right to be forgotten...
In this digital age, data protection and privacy are more important than ever.
With the new European-wide rules imposed by the GDPR, every business must be aware of its obligations to avoid fines, sanctions and bad press. Google is amongst the biggest companies learning these lessons, and by following its legal battles we can learn some lessons of our own!
In this two-part article, Gerrish Legal will consider the high profile and high impacting disputes Google has had in the epoch of data protection, and what it can teach us about GDPR…
Part 1: The right to be forgotten: privacy or censorship?
The right to be forgotten is an important part of the General Data Protection Regulation ((EU) 2016/679), and it is a right that Google was instructed to follow by the European Courts before the GDPR had even been implemented, allowing citizens to request that unnecessary data about them is removed from the internet. When Google was fined by a French data protection watchdog (the “CNIL”) for not ensuring the right, Google fought back, appealing the fine to the European Courts. The outcome is not what you might expect…
How it all began: the birth of the right to be forgotten
The right to be forgotten has been on the minds of EU legislators since 2010, when a Spanish citizen made a complaint to his national Data Protection Agency about Google. Google’s search results were displaying information about him- images of a newspaper article- which were no longer correct. Google argued that as a search engine, it was not controlling or processing any data but simply displaying it, and, in any case, its servers were located outside of the EU, so EU data protection rules should not apply to it.
The EU Court however, in Google Spain v AEPD and Mario Costeja González (2014), disagreed, giving clear instructions: regardless of where Google’s servers were located, data protection rules applied to it as it had a branch in the EU, and search engines are controllers of data and cannot escape their responsibilities when handling personal data.
Individuals have the right to ask search engines to remove links with personal information about them when the information is wrong, unnecessary, excessive or inadequate.
The GDPR and the right to be forgotten
Although thanks to this Spanish decision the right to be forgotten was accepted in the EU for some years, the GDPR saw the first time that the right was codified (Article 17(2)), along with the right to erasure.
The right to erasure sets out a few situations where personal data must be erased by controllers. It must be removed immediately if the data is no longer needed for its original processing purposes, if the data subject withdraws their consent for the processing and there is no other purpose for it, if the data subject objects to the processing to begin with and there is no reason for it, or if EU law mandates that the data must be erased.
If a reason for erasure exists, the right to be forgotten also exists. If a controller of this data has made any of the data public, they must take reasonable measures to inform any other controllers that the data should be forgotten, as well as ensuring that their own versions of the data are erased.
Unless a controller sets out a special procedure for requesting to be forgotten there is no special way that the request must be made. The only requirement is that the identity of the data subject can be proven in a suitable way: if it is not proven, the controller can request more information or reject the request, and this decision must be communicated to the person making the request within one month.
The European Commission made it clear when publishing the GDPR that while everyone has this right, it is not a right that is unreservedly guaranteed: it is a right that needs to be carefully balanced with the right of freedom of expression, and with the public interest.
For example, if a local newspaper publishes a compromising story online about a public figure, this figure probably won’t be able to have the news story deleted on the basis that their personal data is being processed; here, the personal data is being used to exercise the right of freedom of expression.
On the other hand, if you upload a photograph of yourself on a social media website but some years later decide you don’t want the photograph to be shown any more, you have the right for this photograph to be deleted, and for this social media platform and any other platforms where it has been shared to take reasonable steps to remove it.
Google’s reaction to the right to be forgotten: legal battles
Following the Spanish decision, and the GDPR, Google received an influx of demands from EU citizens for their personal data to be forgotten. From the start of 2018 alone, it received 655,000 requests for 2.5 million links to be removed, and it was accepting around 40% of these requests.
Google was not automatically accommodating of all requests to be forgotten. In 2018, it attempted to refuse requests made by 2 men about their criminal records. Both men took their cases to English Court, and a joint decision saw Google winning one case and losing one case. The judge explained in NT1 & NT2 v Google LLC (2018)that the right to be forgotten should have been granted to the person with an old and minimal criminal record, since the information was unnecessary and excessive. For the individual who received a lengthier sentence for a more serious crime, freedom of expression and public interest prevailed over their right to be forgotten.
The CNIL (France’s National Commission for Information Technology and Civil Liberties) became aware in 2016 that following a valid request for data - an individual’s name - to be deleted, Google had allowed the request only in the EU, and left the data visible to the rest of the world.
Google’s position was that since the data protection rules only applied in the EU, it only had to apply its “geo-blocking” measures on domains accessible in EU states, meaning that the data was still accessible outside of the EU, even though Google had accepted that the data should be forgotten. The CNIL fined Google €100,000 for failing to block the information world-wide, and Google appealed this fine to the EU Court.
The European Court’s position on the right to be forgotten: data censorship should be limited to the EU
The EU Court’s Advocate General Maciej Szpunar, perhaps surprisingly, agrees with Google! Search engines should not be required to carry out delisting on all the domain names of its search engine globally.
At the start of this year, in January 2019, Advocate General Szpunar issued an opinion approving that the right to be forgotten should not be enforced globally, but only in the EU. He confirmed that the right needs to be balanced against other fundamental rights, such as freedom of expression and the legitimate public interest in accessing information.
This statement follows a number of international free speech organisations warning that extending the power of the right to be forgotten could lead to extreme censorship in some countries.
The Advocate General is of the opinion that giving the right global scope would have effects beyond the 28 member states, preventing EU authorities from being able to determine a right to receive information, let alone balance it against other fundamental rights to data protection. It could also have the unintended result of EU citizens losing the ability to access information based on decisions made in countries outside the EU.
The most important thing to the Advocate General is that once an order has been made within the EU, search engines should take every measure available to them to ensure full and effective de-referencing within the EU.
We await a decision from the ECJ, which is expected within the next 6 months, however the Court tends to respect the opinion of its Advocate General, so the publication of his preliminary opinion seems like a positive step for Google in this ongoing legal battle.
What is clear from the announcement is that each situation must be viewed in its own merits, so that the right to be forgotten can be weighed against basic rights of freedom of expression and accessing information.
What next for Google?
Google’s next legal dispute regarding the processing of personal data did not end so well…
Make sure you read part 2 to find out what happened!
In the meantime, if you have any queries about the Google saga or how the decision applies to your business’ personal data processing and deletion / retention requirements, then get in touch for your free 30 minute consultation.
Article by Lily Morrison @ Gerrish Legal, February 2019