In one of our earlier vlogs we discussed the right to be forgotten under the GDPR. This time around, we look at the decision of the Court of Justice of the European Union in Google v Commission nationale de l'informatique et des libertes (the French data protection regulator).
Hi, I'm Deirdre and welcome to the Kemp IT Law vlog.
Article 17 of the GDPR codified the EU based "right to be forgotten" allowing data subjects to request erasure of personal data in certain limited circumstances.
In a case pre-dating the GDPR, CNIL had required Google, when granting a right to be forgotten request to remove links on all of Google's domain name extensions and not just those accessible within the EU. Google objected and instead only removed the links in question from the domain names corresponding to the versions of its search engine in EU Member States. Google also offered functionality based on IP address blocking that would prevent internet users from accessing the results at issue from an IP address located in the same state of residence as the individual making the right to be forgotten request. CNIL, however, viewed these measures as inadequate and fined Google EUR100,000. Google then objected to this and the case ultimately came before the Court of Justice of the European Union to determine whether Google's actions were sufficient to comply with the right to be forgotten under the EU Data Protection Directive and the GDPR.
The Court of Justice held that there was no legal requirement on a data controller to de-reference or remove content in response to a right to be forgotten request on a global basis. It is sufficient to do this in EU member states. The Court of Justice, did however, specifically state that although there was no legal requirement to do so, such a practice was not prohibited, thus leaving it open for member states to supplement the EU position by requiring global erasure at a member state level.
For now, for controllers, this means that compliance with a
right to be forgotten request is mandatory in the EU only, thus
potentially reducing the burden and costs of compliance.
For individuals, it may mean that different data is available from outside the EU and that the individual will need to find different ways to have personal information removed. This increases the steps an individual will need to take to avail of his/her right to be forgotten if personal information concerning that individual is accessible in non-EU jurisdictions.
For both, it's important to look out for developments at a member state level. If any EU member state decides to introduce a requirement that personal information is erased/rendered inaccessible on a global basis, that member state is likely to become the jurisdiction of choice for individuals to apply for their right to be forgotten and will render nugatory the Court of Justice's decision in this case.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.