Published on Tuesday, October 1, 2019 - 11:18 by Camilla Winlo
Do we really have a ‘right to be forgotten’?
Article 17 of GDPR sets out a right to erasure - also known as a ‘right to be forgotten’. This mandates that organisations must erase personal data when it is no longer needed, or when the data subject objects to its possession and their objection is stronger than the reason for keeping it.
This is a controversial right, because it pits the rights of individuals against the rights of organisations and other individuals, and the right to privacy against the right to free speech.
These decisions about when personal information is no longer needed and when it should be erased are difficult to make, especially when an individual is asking for an exception to a standard policy. In order to understand where one right ends and another begins, we need case law.
On 24 September 2019, the European Court of Justice (CJEU) made an important ruling about the right to be forgotten which is worth exploring. You can read the whole judgment here.
The background of the Google ‘right to be forgotten’ case ruling
On 21 May 2015, the French supervisory authority CNIL served a notice on Google, stating that when it granted a ‘right to be forgotten’ request, it had to ensure that any related links were delisted from every Google site around the world.
Google refused to comply with the request. Instead, it agreed to remove the links from Google sites available in EU member states and to use ‘geoblocking’ techniques. These stop Google searches carried out from within EU member states from accessing links that are still live outside the EU.
CNIL decided that this was not sufficient to comply with the law and on 10 March 2016, it fined Google €100,000. Google appealed this fine, and the CJEU decision was the final stage in the appeal.
What did CJEU decide?
CJEU overturned the fine on Google and agreed that Google’s approach was lawful and appropriate. In doing so, it set out a number of instances where individual Member States can interpret the GDPR differently from one another.
One of the reasons CJEU ruled that way is that, as it said, the ‘right to be forgotten’ is not absolute and has to be balanced against other rights, such as the right to free speech and the right to freedom in journalism. It said that the different EU Member States each set their own balance, and outside the EU it could be weighted differently again.
This also means that the balance may vary in different circumstances.
CJEU’s judgment says that, by default, delinking should prevent individuals in any EU Member State from accessing links to information in scope of a ‘right to be forgotten’ request.
However, it also specifically says that individual Member States will need to make the final determinations on the appropriate geographic scope of delinking. In certain harmful situations, delinking in countries outside the EU may be directed.
What does this mean for the GDPR and the ‘right to be forgotten’?
The ruling makes clear that CJEU considers that the GDPR should apply consistently within EU Member States, but that its application outside of the EU should be risk- and harm-based.
It’s easy to think of Google listings as being completely neutral and objective, but of course they are not. The search ranking is affected by many different things, some more opaque than others.
In general, search rankings are of more consequence to some people than others. People with unusual names, for example, will be more affected than people with very common names, simply because any results returned are more likely to relate to them.
People who are not at all in the public eye might be more affected than people for whom old news is constantly replaced by new, because any negative stories about them are more likely to remain easy to find.
One of the attributes Google considers when deciding how to order results is how many people making that search click on a link. That can amplify controversial or salacious stories. In addition, because people generally believe in Google, and believe that results are ranked on ‘relevance’, it can mean that inaccurate stories are found more easily than corrections and counterpoints.
Clearly, in many cases, it will be enough for local links to be removed. However, that will not always be the case. The US, for example, has a policy to refuse individuals with a history of illegal drug taking entry into the country. If a false story is published claiming that an EU citizen has used illegal drugs, then the harm to that citizen could be that they cannot travel to the US if the story can be found from within the US. In this situation, a Member State might require that the links are removed in the US as well as the EU.
If the story were true, they might not make such a ruling, as the harm would result from the individual’s own actions and not from the false publication. Clearly the US is within its rights to enact such a border policy and the GDPR does not aim to frustrate national prerogative.
However, if the story is false, the US is not harmed or frustrated by the story being easily found using a Google search – but the individual may be. This is why CJEU ruled that the facts of each case should be considered when deciding the geographic scope of a right to be forgotten request.
What does this mean for organisations?
Organisations should take this ruling as a reminder that the GDPR requires them to consider risks and harm to individuals when making decisions affecting their rights.
It is also a useful reminder that ‘one size does not fit all’ when it comes to privacy, and that it is important to ensure that any generally applicable policy can be adjusted where individual circumstances indicate that the policy does not act as intended.
With this in mind, we recommend clearly stating objectives within any policy, as a reminder of the risks and harm the policy is designed to mitigate and to assist policy users in making good decisions.
At DQM GRC, we can help your organisation create policies that align regulatory requirements with your organisation's values, objectives and capabilities. We can then help you translate these policies into actionable guidelines, logical processes and detailed playbooks and design staff training that results in real behavioural change.
To find out more about how we can help your organisation, call us now on 01494 442900 or complete our enquiry form.