The European Court of Justice recently limited the “right to be forgotten” in a landmark decision for online privacy law.
The decision arises from a dispute between Commission nationale de l'informatique et des libertés (CNIL) – the French data protection authority – and Google concerning the scope of the right to be forgotten. The right allows individuals to ask search engines to remove links to websites, news articles and databases that contain personal data which is considered irrelevant, obsolete, excessive or not in the public interest.
In 2015, the CNIL insisted that Google and other search engines remove such links globally, to prevent internet users from locating removed information from outside the European Union. Google challenged this by arguing that the right is restricted, applying the right to EU versions of the search engine only.
The Court found in favour of Google, laying down the rule that the “right to be forgotten” cannot be applied outside of the EU. Essentially, the Court limited the geographical reach of the right to be forgotten, meaning Google and other search engines will not be forced to remove links globally. The Court was clear in saying that it could not impose the right to be forgotten on countries that did not recognise the law – it said the balance between the right to privacy and protection of personal information on one hand and the freedom of information of internet users on the other is likely to vary significantly around the world.
The Court stressed that search engines must discourage internet users from using non-EU versions of the search engine to access information that has been removed from an EU domain of its website.
You may remember that the Court had determined, previously in Google Spain v AEPD and Mario Costeja González, that Google is a controller in relation to the processing of personal data carried out in the context of its search activity. As a result, Google was found liable to comply with requests for erasure under EU data protection laws, but the precise parameters of this obligation have become the subject of controversy over recent years. So, the ruling in Google v CNIL sets some useful parameters for controllers, and in turn questions the extra-territorial application of the General Data Protection Regulation, to the extent an individual wishes to exercise their individual rights.
That said, the ruling certainly provides welcome clarification for search engines on the right to be forgotten and helps settle some fears as there is the hope that this limitation will heavily reduce the burden in handling these requests.
Goodwin’s Chambers and Legal 500 ranked Data, Privacy and Cybersecurity practice offers a fully integrated, multi-disciplinary approach to clients’ data protection needs. One of the longest-standing of any Am Law 50 firm, our global team is uniquely positioned to provide the most innovative solutions to guide clients through the collection, use, processing and protection of their most sensitive information. Our senior lawyers include a former Chief Privacy Officer of the U.S. Department of Homeland Security in the Obama Administration and Legal 500 Recommended Lawyer; a Legal 500 “Leading Lawyer;” and a “Next Generation Lawyer” in Cyber Law and Data Breach Response, as well as three other areas; Legal 500 Cyber Law ranked partners; several former federal prosecutors; and multiple GDPR, CCPA, FTC, HIPAA, and COPPA experts. We have handled hundreds of data breaches, including high-profile, global incidents involving everything from ransomware to nation-state attacks; have advised on over 700 public and private transactions in the last year alone; and have designed strategic privacy, information security and compliance programs for startups, global enterprises, and everything in between. We have litigated landmark privacy cases and defended against class action and government enforcement actions brought by the FTC, OCR/HHS, state attorneys general and regulators across the globe.