The Right To Be Forgotten: Can we ever erase our online selves?

Having your name connected to something on the internet that perhaps you regret or maybe never even did in the first place can be embarrassing at best, and at worst can have significant legal, social or economic consequences.

We can all think of a time when we have googled a business partner, new colleague or a potential love interest. But what happens when you are the subject of this kind of search, (for example, at the hands of a future employer) and your name comes up in the list of search results against something you would rather forget or would rather no longer be associated with?

The right to have your online footprint deleted or de-referenced is therefore highly important, and probably something most of us would like to exercise as our lives are played out in the digital space more now than ever before.

Those infamous four letters: GDPR

Well, we are not alone. The European Union (“EU”) legislators took notice of this in 2018 and provided for “the right to be forgotten” at Article 17 of the General Data Protection Regulation (or “GDPR” for short). In a nutshell, subject to certain exceptions, this right essentially allows EU based individuals (or “data subjects”) to request that any company holding or processing personal data about them delete, erase and destroy that personal data within 30 days of the request being made. Delete all my personal data — a.k.a the right to be forgotten.

Google Spain

However, from a legal perspective, this fundamental privacy right is not really new and was not invented by the GDPR.

When devising the GDPR, the EU legislator built upon a pre-existing position from the Court of Justice of the European Union (“CJEU”) in the case between Gonzalez vs. Google Spain from 2014. In this case, the CJEU ruled in favour of Mr. Gonzalez, ordering that Google has to de-reference listings on their search engine which are incorrect, superfluous or irrelevant when an individual requests that Google do so.

Google v. CNIL (France)

Back in September 2019, the CJEU gave us additional direction on how “the right to be forgotten” should be implemented in a case between Google LLC, (successor to Google Inc). v Commission nationale de l’informatique et des libertés (CNIL — the French Data Protection Authority).

In this case, the CJEU ruled that Google and other search engines only need to ensure compliance with an individual’s “right to be forgotten” on the version of their search engine which is available across the EU.

Of course, as we all know, search engines (which by and large are the product of US (and not European) tech-companies), meaning that an individual’s personal data can still exist out there, beyond the EU, on the global space that is the internet.

However, following on from this decision, it was nonetheless clear that search engines were not entirely let off the hook. The CJEU stated that search engines nonetheless need to implement measures that discourage internet users in an EU member state from accessing links which are available through other, non-EU, versions of their search engines.

How does this work in practice?

Google and other search engines have long struggled with how to practically comply with an individual’s “right to be forgotten”.

The overwhelming amount of information accessible via search engines makes the task a difficult one, but critics claim that Google is not taking the task seriously enough and disregards the detrimental effect a negative search engine result can have for an individual.

Google claims that it does comply with the fundamental right to be de-referenced on their search engine and say that they have received nearly 900 000 requests to remove about 3,3 million web addresses.

Swedish Data Protection Authority Issues Record Fine

With the above as a background, it is clear that Datainspektion, the Swedish data protection authority, did not step into unchartered waters when imposing its recent fine of 70 million Swedish kronor (approx. 7 million euro) on Google in respect of two “right to be forgotten” requests. The highest fine ever imposed by Datainspektionen for privacy violations.

The case began back in 2017 when an audit of Google’s practice of complying with Swedish data subjects’ requests of de-referencing on the search engine was conducted. The audit resulted in an order issued from Datainspektion to Google to de-reference a number of listings that appeared on the search engine.

The following year, in 2018, a new audit was conducted due to suspicion that the previous order had not been complied with. This follow — up audit was finalized in 2020 and resulted in the aforementioned fine. The audit evidenced that the 2017 de-referecing order was not complied with or was not extensive enough.

In respect of the first request, Datainspektion considered that Google should have removed more websites than it did, and in respect of the second request, that Google had been too slow in applying their de-referencing practice, and that they did not remove the offending listings “without undue delay”.

Datainspektionen is further of the opinion that the information that the concerned individuals wanted removed is clearly of a character that is protected by the right to be forgotten, and the public right to access to information should therefore be set aside.

Datainspektion also found a further breach by Google with regards to how the tech giant deals with “right to be forgotten” requests. In practice, when Google processes a request, it sends a notice to the website owners that their website link will be removed for specific search results. Datainspektionbelieve this practice to be in violation of GDPR. More specifically, it considers that through this process, Google uses personal data without respecting the principles of lawfulness, transparency and fairness required, as it is essentially processing personal data beyond the purpose for which it was initially collected, and without a lawful basis for doing so.

Being forced to pay 70 million Swedish kronor for not de-referencing two listings on a search engine may seem disproportionate. However, Google is an enterprise with enormous turnover, for the fine to have a punitive effect, then sums in these figures need to be brought to the table. The fact that Google already had been ordered by Datainspektion to de-reference the listings and a long period of time had passed where Google apparently had not done enough in this regard also justifies a fine of this size.

Google has responded saying that they believe the decision of the Swedish Data Protection Authority is incorrect and that it plans to appeal the decision. They see the decision as largely being built on Google’s practice of notifying website owners of de-referencing requests. They believe that this practice is fully in line with the GDPR.

Can Google be successful in their appeal?

The issue of respecting fundamental privacy rights is a difficult task. A number of rights must be balanced against each other and trying to strike the right balance can often lead to controversy.

This balancing act is something that has been long-carried out by authorities and courts when deciding on issues regarding fundamental rights. The GDPR is a rather new law and practical guidance in some of the areas — especially where new technologies are involved, can be hard to come by.

Does France have the answer?

However, the French State Court issued a guidance paper in December 2019 on how search engines should exercise the right to be forgotten after it receives requests from individuals. The guidance states that each individual has a right to be forgotten, but that this right is not absolute. A balance between the public’s right to information and the individual’s right to privacy and being “forgotten” online, must be struck.

The French guidance further emphasises that particular attention in this balancing assessment should be given to which category of data the individual wants de-referenced on the search engine. Sensitive data or data relating to criminal offenses and convictions is highly invasive to an individual‘s privacy, and should therefore generally mean that the de-referencing or “right to be forgotten” request should be granted by the search engine. How the information was made public (including whether it was voluntarily made public by the individual themselves) as well as the whether the individual is a public figure, will also be taken into account in assessing the balancing act.

Looking forwards — So, what can be expected from the appeal of Datainspektion’s decision against Google?

The first of the two listings Google had not removed was from a discussion thread accessible via the search engine’s results page. The thread displayed sensitive information related to the individual’s mental health, sexual preferences, ethnicity, religious beliefs, as well as previous prosecutions, investigations, family and addresses. The second listing concerns information from a news article published on the regional paper Sydsvenskan’s website. This article contained information on criminal offense and ongoing investigations of the person who requested the listing, with reference to this article, removed from Google’s search engine results. When drawing on the guidelines from the French State Court (which the supervisory authorities across Europe can do for inspiration and guidance, since the GDPR is a harmonised law across Europe), it does seem like Google’s appeal would not likely succeed on this point. The right to be forgotten for the individuals in this case must be given significant weight when considering the public’s right to access information, freedom of information and freedom of speech, due to the sensitivity of the information accessible via the search engine results.

However, the second breach found by Datainspektionen, Google’s practice of notifying website owners of de-reference requests, seems to have a better chance in an appeal. The notification is done by sending messages to the website owners referring to the listings that will be removed. As Google states, this practice has a positive aspect by ensuring transparency in the process and also safeguards the website owners’ rights in the de-reference process.

Further, Google reiterates that no information about the individual requesting the de-referencing is being given to the website owners and no justification for the de-referencing is provided. These are positive aspects that protect the individual exercising their “right to be forgotten”. However, a website owner would probably easily understand who the individual is, by simply reading the link that is going to be removed. An article containing sensitive information about a person will in most of cases be requested removed by that person him — or herself. Complete anonymisation can therefore quite seldom be ensured.

To conclude…

Google could probably aim for a partial win in their appeal against the Datainspektionen. Google believes that the large fine is based upon their notification practice, and if this practice is later deemed lawful, and Google is correct in their assertions, then we would probably see that the fine will be drastically reduced. The current corona virus crisis has put a temporary hold on the effectiveness of the whole society. The answer on whether or not Google will be successful in their appeal could involve a long wait.

In the meantime, if you made it to end of this piece, it is certainly worth noting that whilst entrenched in law, the “right to be forgotten” in the online environment, especially when search engines are involved, is far from absolute and easy to invoke.

A stark reminder for us all to be mindful when voluntarily sharing information about ourselves with others and online which we later may regret. If we do want to erase our online selves, cases from France, Sweden, Spain and the EU certainly tell us that the struggle is uphill.

Article by Anders Molander Skavlan @ Gerrish Legal, first published on Medium.com in April 2020 / Cover photo by Rajeshwar Bachu on Unsplash

Previous
Previous

Influencers: what are the online rules that must be followed?

Next
Next

Gerrish Legal at the Transparency by Design Summit!