The Right to Be Forgotten – how far does your right to privacy online go?
Have you ever Googled your name and been surprised about the results that you have found?
Since the GDPR came into force in May 2018, many of us have become more aware of our privacy rights, and some of us might have started to take more care when posting information online or when using social media. However, sometimes, we have less control over our personal data, especially when it is featured on third-party websites which might find themselves at the top of a list of Google search results.
Of course, the GDPR has provided individuals with a stronger set of rights which aims at protecting privacy, private life and individual rights and freedoms. One of these rights which has been enshrined in the GDPR is the right to obtain deletion of our personal data, also known as the “right to be forgotten”, or the “right to be de-referenced” when this relates to search results.
In a non-digital world, having personal data deleted can be challenging for individuals and companies alike, but is usually doable – for example, it is fairly simple for the company using an individual’s personal date (the data controller) to ascertain when the right to be forgotten can be applied, and then to locate and destroy paper files which contain our information. However, things become a little bit more complicated in an online environment, especially when personal data has been processed by Internet search engines which might be gained from social media platforms as well as from third-party websites.
IS THE “RIGHT TO BE FORGOTTEN” NEW?
You might think that the right to be forgotten is a new concept, given the recent overhaul of privacy laws in Europe since the GDPR a year and a half ago. However, the right be forgotten was actually recognised in the EU back in 2014 when the European Court of Justice ruled in a case brought by Mr Gonzalez against Google Spain / Google Inc.
When Mr Gonzalez typed in his name into Google’s search engine, he noticed that there were websites in the list of results which contained his personal data. Mr Gonzalez asked the courts to delete or modify these webpages so that his personal data no longer appeared in the search results. This followed on from a request that he had made directly to Google, which Google had failed to grant. In this case, the European Court of Justice confirmed that a search engine provider, such as Google, is deemed to be the data controller of personal data which is processed via its search engine, even if that data appears on a third party website. The European judges therefore created the right to be “de-referenced” as part of the right to be forgotten which means that individual European citizens have the right to ask search engines to remove links in the search results which direct Internet users to websites containing that individual’s personal data.
IS THIS AN ABSOLUTE RIGHT?
Back in September 2019, the European Court of Justice ruled on the matter of the right to be forgotten online again. The European judges stated that the right to be forgotten is not unlimited, and whilst the Internet (by its very nature) is global, the search engines are only bound to implement the right to be forgotten on versions of their search engines which are available across the EU (e.g., google.fr or google.se). Nevertheless, recognizing the issues that this might have for European citizen’s privacy rights further afield, the European court did nonetheless state that the search engines need to put measures in place which discourage internet users in a European member state from having access to links which are available via versions of their search engines which exist outside of the EU (such as google.com or google.au). Since this decision, for European citizens, the right to be de-listed is therefore not absolute when a link appears in a list of search results which are accessible via a non-European search engine.
HOW WILL GOOGLE DECIDE HOW TO EXERCISE THE RIGHT TO BE FORGOTTEN?
In December 2019, the French state court actually issued some useful guidance which will be used to interpret privacy law across the EU. The guidance is really aimed at search engine providers, such as Google, as well the data protection supervisory authorities, and pretty much follows the guidance from the aforementioned court decisions. The key takeaways are as follows:
The right for an individual person who is associated to a webpage containing their personal data has a RIGHT to be forgotten;
However, this right is not absolute, and it is important to make sure that there is a balance between an individual’s right to a private life and the public’s right to information; and
When trying to strike the right balance, it will be important to look at the category of personal data in question.
The French state court stated that 3 different categories of personal data are concerned by the right to be forgotten:
Sensitive personal data – also known as special category personal data (which includes health data, data related to sexual preferences, political opinions, religious beliefs…);
Criminal data (for example, related to criminal proceedings or convictions); and
Data which relate to a person’s private life, but which is not sensitive or criminal data.
As a general rule, your right to be de-referenced from a search engine’s list of results or your right to be forgotten is stronger when you are exercising this right in respect of sensitive or criminal data. The French state court held that:
… the right to be de-referenced from a list of search results can only be legally refused when the request relates to sensitive personal data or criminal data about a person which can be accessed by an internet search of someone’s name is strictly required for public information purposes…
Regarding personal data which relates to your private life generally, the guidance states that any request to be de-referenced or forgotten may only be refused where there is an overriding interest for the public to have access to the information in question.
Therefore, as well as taking the contents of the personal data into account, the search engines must also have regard to the status of the individual, whether they are famous or well-known, whether they have a role in public life or society and the circumstances in which the personal data was made public (for example, if the individual his/herself made the personal data public – either on their own website, by revealing it publicly to the press or via social media).
Even if this guidance is really aimed at search engines and at supervisory authorities, we thought that we would share it with you because it does give us insight into how a request to be forgotten or de-referenced from a search engine should be dealt with.
Whilst the right is not absolute, some comfort can nonetheless be found in this guidance and the recent European court decisions when we seek to have control over our privacy rights – especially when information is processed about us by US tech-giants.
Are you concerned about your privacy rights on the internet? Have you ever Googled your name and been surprised about the results that you have found? If you want to discuss or if you require any advice in this area, please get in touch.
Article by Charlotte Gerrish @ Gerrish Legal, first published on TechGirl in January 2019