The right to be forgotten provided under Article 17 of the General Data Protection Regulation (GDPR) was found by the Swedish Data Protection Authority (DPA) to be violated by the famous search result giant Google.
What is 'right to be forgotten'?
For the first time, the right to be forgotten appeared in 2014 in the EU. found for the first time in the case of Google Spain v Mario Costeja Gonzalez (Case C-131/12) (the Google Case), which was reinforced in 2018 under Article 17 of GDPR1.
Right to be forgotten gives individuals the right to have their personal data erased/deleted without undue delay, however, this right is not absolute and can be qualified under certain circumstances as specified in GDPR.
What was the result of Swedish DPA's inspection?
It all started in 2017 when Swedish DPA initiated an inspection in relation to the way Google handles individuals' rights to have their search result listings for searches which include their names removed from Google search engine, provided under the GDPR. Throughout the inspection the Swedish DPA found out that Google in several cases failed to fulfill its obligations to delist certain names of individuals from its search engine and ordered it to do so.
After some indication received by the Swedish DPA in relation to Google's failure to comply with previous orders, the Swedish DPA decided to initiate another inspection in 2018. As a result, it was found that Google did not follow the previous order to delist certain names of individuals from its search engine and issued a fine of approximately 7 million Euros for failure to comply with GDPR.
How are search results being removed?
In common practice, organisations that collect and process personal data such as Google, they notify the webmaster when removing a search result in order for the webmaster to know which webpage link was deleted to republish the webpage that was removed.
When Google removes a search result listing, it notifies the website owner to which the link is directed in a way that gives the site owner knowledge of which webpage link was removed, as well as who was behind it. This permits the site owner to re-publish the web address that will then be displayed in a Google search, thereby republishing the same information without correction and undermining the effectiveness of the right to be forgotten.
Google appears to have no lawful basis to inform websites' owners when search results were delisted. Since they used personal data to inform the site owners, this can be regarded as using the personal data beyond its original purpose which is a violation of GDPR.
How is the right to remove search result listings exercised?
Since 2014 when the Court of Justice of the European Union (the ECJ) in the case of the Google Case ruled that individuals may request search engine provider to remove search listing that contains the name of an individual in case the listing is inappropriate, irrelevant, no longer relevant or excessive, millions of requests were received by Google for removal of search result listings but not all of them were removed.
The right to have search results removed is not absolute. The exercise of this right stops when processing of personal data is necessary for one of the following purposes:
- In order to comply with a legal obligation;
- For the performance of task carried out in the public interest;
- For the establishment, exercise or defence of legal claims;
- For archiving purposes in scientific research historical research or statistical purposes where erasure is likely to render the achievement of that data processing;
- To exercise the right of freedom of expression and information.
What was the judgment of Google Case?
In the Google Case, the ECJ weighted the protection of privacy against the freedom of speech and concluded that the protection of privacy is more important than the search engine providers interests and the wider public interest in accessing information.
The ECJ held that Google should de-index that specific search query for searches made from Sweden. Furthermore, it concluded that the Swedish DPA cannot request Google to de-index this result in respect of countries other than Sweden.
Conclusion
It can be concluded from the judgment that the right to be forgotten is not a right that can be exercised worldwide, it only applies to countries within the EU.
European data regulators are not in the position to determine the search results that internet users around the world get to see, they should only be able to delist websites within their country's jurisdiction.
The obligation to regulate global searches as per the order of the DPA with a place of establishment within a member state would mean that national legislation of all Member States would be applicable.
This may ruin the legal certainty and result in chaos where organisations will not be able to foresee or predict whether they can be responsible for processing personal data.
Footnote
1Article 17 of the GDPR provides that "The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay". Full Article 17 on the right to be forgotten can be found here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.