In brief - The European Court of Justice has ruled that the right to be forgotten only applies to the EU, not globally
What is the right to be forgotten?
The right to be forgotten is one of the more notorious rights under the General Data Protection Regulation (GDPR). It gives EU citizens the right to request the deletion of personal data held by controllers or processors where the data is no longer necessary for the purposes it was collected, where consent to hold it has been withdrawn, or under other enumerated grounds. There is no equivalent in the Australian Privacy Principles, although APP 13 contains a right to correct personal data.
Of particular interest is the right as it affects search engines. While the right may not apply where a newspaper legitimately archives an article about a bankruptcy, or a conviction, for example, search engines make it easy for anyone in the world to find those embarrassing details about the subject forever. This has led to litigation in the EU already.
Does the right to be forgotten impose duties on data holders outside the EU?
The reach of the GDPR under article 4 applies to:
(a) controllers of data processing who are in the EU;
(b) processors in the EU wherever their controllers are;
(c) provisions of services in the EU; and
(d) monitoring behaviour in the EU.
Processors outside of the EU no longer have to comply with the right to be forgotten
Google uses geolocation to produce results in the searcher's domain. For example, an Australian user searches via google.com and Google automatically redirects the search to google.com.au.
On 21 May 2015, the President of the French data protection agency served a notice on Google ordering it to apply the right to be forgotten on all of Google's search engine domain name extensions around the world.
Google refused to comply with the notice, and only removed the right to be forgotten link from the results corresponding to the version of its search engine in the Member States.
The agency determined that Google's conduct insufficiently 'geo-blocked' the right to be forgotten data and imposed a penalty on Google of EUR100,000.
Google challenged this and the litigation ended in the European Court of Justice.
Among other things, Google argued that the 'right to de-referencing' (ie the right to be forgotten) does not necessarily require that the links at issue be removed from all its search engine domain names.
The obligation of the right to be forgotten cannot be avoided
The Court noted that the processing of personal data is carried out (in the context of the activities of an establishment):
(a) if the controller establishes in a Member State a branch intended to promote and sell advertising space offered by that search engine; and
(b) it orients its activity towards the inhabitants of that Member State.
The fact that the search engine is operated by an undertaking that has its seat in a third (ie non-EU) State does not mean that the controller can escape the obligation to effect the right to be forgotten.
In Google's case, it is apparent that Google's establishment in French territory carries on commercial and advertising activities which are inextricably linked to the processing of personal data, and that the existence of gateways between its various national versions does not change that.
Thus, the processing occurred within the framework of Google's establishment in French territory.
The objective of the GDPR is to guarantee a high level of protection of personal data throughout the EU. Accordingly, de-referencing must meet that objective in full.
However, the Court highlighted three important points:
(a) numerous third States (ie outside the EU) do not recognise the right to de-referencing, or have a different approach to this right.
(b) the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.
(c) a balance must be struck in respect of the scope of a de-referencing outside the EU.
The Court was not satisfied that it was the objective of the legislature to confer a global scope on the right to de-referencing beyond the EU.
The interest of the public in accessing information may, even within the EU, vary from Member State to Member State, so that the court must weigh up the data subject's right to privacy and the protection of personal data against that public interest.
Finally, the Court held that it is for the search engine operator to take sufficiently effective measures to ensure the effective protection of the data subject's fundamental rights.
Those measures themselves must meet all the legal requirements and discourage internet users in Member States from gaining access to the links in question.
The Court found that the law does not currently provide for the duty to effect the right to be forgotten outside the EU
EU law does not currently require that de-referencing cover all versions of the search engine in question (ie where Google operates in multiple countries via a geographical TLD).
In addition, the Court held that the measures adopted or proposed by Google via 'geo-blocking' meet the legal requirements of search engine operators to take sufficiently effective measures to ensure data subjects' fundamental rights.
This is welcome guidance to data holders outside the EU (but caution must still be exercised in respect of the asserted reach of Article 4).
The following diagrams illustrate how the right to be forgotten should now apply