The right to be forgotten vs. Google, Inc.
Probably no one could have predicted that a complaint of one man in a European country, over his right to privacy, may possibly change a significant part of the global operational structure of the Internet giant. And yet, Google has already implemented changes to its main tool – search engine – due to the new legal framework and complaints from some DPAs. The legal battle is still not over, and it remains to be seen how a newly established right to be forgotten (hereinafter: RTBF) will affect Google’s business.
The right to be forgotten
The RTBF - a right to be delisted - was established in the judgment of the Court of Justice of the European Union (Google Spain v. AEPD and Mario Costeja González; hereinafter: CJEU judgment) in May 2014, and later stipulated in the General Data Protection Regulation (hereinafter: GDPR) as the right to erasure.
This decision introduced a new rule: under certain conditions, European Union residents can request from search engines to delist specific results for queries that include their name. The delisting process currently encompasses results from Google search, image/video search, and Google news. However, URLs are delisted only from the search for queries related to the name of an individual. For example, if an article mentions John Smith travelling to London, the article will not be shown as a result upon a query about “John Smith,” if it is designated for delisting. Still, it may show up as a result after the search on “travelling to London.”
Until 1 November 2016, Google received 575,329 requests, and evaluated for removal 1,751,062 Due to transparency, upon delisting certain URL(s) the company notifies webmasters of sites where specified pages used to be found.
The most important factor necessary for deciding to remove a result is that the personal data about the individual contained in the specific URL is inadequate, irrelevant or no longer relevant for public interest, or excessive in relation to the purpose(s) for which it was collected or processed.
Taking down any material from company’s servers requires an extensive analysis which may impose a significant burden on the company, especially bearing in mind that this process cannot be performed automatically, and that it must rely heavily on the human factor. It is necessary to perform a detailed test and to determine the right balance between the requestor’s right to privacy, other users’ right to free expression and free access to information, and finally, the company’s freedom to conduct business.
Companies usually develop an internal set of questions which guide them when determining whether a person may exercise their right to be delisted. Article 29 Working Party issued Guidelines on the implementation of the CJEU judgment, which may serve as a very important indicator for companies when making their own internal rules. Google, Yahoo, and Bing have their publicly available forms, where Bing’s is the most detailed one so far.
The following questions are also relevant when deciding about removing specific URLs and are usually incorporated in companies’ internal guides:
- Is the request detailed and does it contain all information necessary for making an informed decision?
- Does the requestor have residency/nationality of an EU country?
- Is the requestor a public figure?
- Is there a public interest in keeping the information available in search results upon a query containing the requestor’s name?
At times, finding the right balance may be relatively easy, whereas in some instances the decision is very difficult to make. In case of a disagreement with the company’s decision, users are encouraged to contact their local DPA.
Although Google does not have registered seats in all EU member countries, GDPR’s reach also extends to other establishments (such as sales offices dealing with marketing and advertising), which conduct processing of data that is considered inextricably linked to the establishment, as stipulated in the CJEU judgment. In practice, almost all establishments fall under this definition.
Even if a controller/processor does not have any establishment in an EU country, but processes personal data about its citizens in connection with the online offering of goods and services, as well as with monitoring clients’ behavior within the EU, the GDPR will apply.
Mere access to a website from an EU country is not enough to make such a connection, whereas the facts regarding the use of a national language and currency on the website, and the possibility of ordering goods from that country are extremely relevant.
Despite the fact that Serbia is not an EU member, and therefore, that the CJEU judgment and GDPR are not directly applicable to our legal framework, the result of the below mentioned Google – CNIL dispute may have implications on Serbian search results too.
Google v. CNIL – waiting for the final solution on the RTBF’s implementation
Upon the establishment of the RTBF in the CJEU decision, the practice became to remove specified content from all EU domains. However, there have been various discussions with EU data protection regulators (mainly CNIL - the French DPA) about the implementation of this right, and Google complied with a requested change. Namely, the company introduced a new system, which delists content based on IP address of a requestor, in addition to delisting it from all EU domains.
This means that, if for example a French citizen requests a removal which gets approved by Google, no person with a French IP address will be able to find the content regardless of the domain they search on (google.fr, google.co.uk, google.com, etc.). However, any other person with another IP address (no matter if it is inside or outside the EU, as long as it is not the requestor’s country) who searches for it on google.com (or any other domain outside the EU), will be able to find it.
The latest CNIL’s order is based on the concern that the additional IP address protection is not effective, because it is easily circumvented by using VPNs, or similar tech savvy tools. Therefore, CNIL now requires Google’s compliance with the French law on a global level.
If the court aligns with CNIL, then Google will have to delist a specified content from all domains, practically applying French law in every country in the world. The company expressed a legitimate concern that such global application of one law may lead to an increased number of similar requests for application of far stricter laws regulating information coming from other countries.
Google is now waiting for the decision of the French Supreme Administrative Court, Conseil d’Etat, before which it challenged a previous ruling to fine the company with 100.000 euros for failing to comply with CNIL’s latest request and to remove selected URLs from global search results.