Written by Tambiama Madiega with Anna Meriel Nichols,
© ibreakstock / Fotolia
The ‘right to be forgotten’ (or ‘dereferencing‘) refers to the fact that residents in the European Union (EU) can request that information about them, which appears when searching for their name on the internet, be delisted and therefore made inaccessible.
In the EU, the ‘right to be forgotten’ was first articulated in the 2014 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos case brought before the Court of Justice of the EU (CJEU). Article 17 of the General Data Protection Regulation (GDPR), applicable since 25 May 2018, enshrines a ‘right to erasure’ in EU law, which encompasses the ‘right to be forgotten’. On this basis, people living in the EU now routinely ask search engines like Google to take down links to their personal information.
However, the implementation of the ‘right to be forgotten’ has proven difficult and the territorial scope of this right has been challenged before the CJEU.
In Case 507/17 Google v CNIL, decided in September 2019, the CJEU provided some guidance on the implementation of the ‘right to be forgotten’. The Court held that, as matter of principle, search engine operators are not required to carry out a worldwide dereferencing order (i.e. on all versions of its search engine), but should implement an EU-wide dereferencing order (i.e. on all EU versions of its search engine), to ensure a consistent and high level of data protection throughout the EU. The Court also recalls that a balance must be struck between data protection and privacy rights and the right to freedom of information when making a dereferencing order, in line with the Charter of Fundamental Rights of the EU. Search engine operators must also implement geo-blocking measures to prevent, or at least seriously discourage, internet users in Member States from gaining access to dereferenced links within the EU.
The Google v CNIL decision has provoked significant reaction from stakeholders, civil society advocacy groups and academics. As the CJEU did not completely rule out worldwide dereferencing orders, questions as to the extraterritorial application of the ‘right to be forgotten’ and the potential conflict of rules and jurisdictions have been raised, while an increasing number of countries outside the EU are embedding such a right in their national legislation. In addition, the CJEU decision has sparked debates about the use of geoblocking techniques, the need for international standards, and how to strike a balance between privacy and protection of personal data and the right to freedom of information.
This Keysource gathers key documents, analyses and stakeholders’ views to throw a light on the issues at stake. It is the bibliographic companion to the EPRS At a glance publication: European Court of Justice limits the territorial scope of the ‘right to be forgotten’ (October 2019), which outlines the legal framework and CJEU decisions on the right to be forgotten in detail.
1. General sources of information
This survey intends to compile citizen awareness of the GDPR and more general opinions and behaviours relating to data sharing and data protection.
This factsheet, which was published following the Google Spain ruling, provides some guidelines on the implementation of the right to be forgotten.
The Article 29 Working Party (now the European Data Protection Board), an EU advisory body on data protection, issued guidelines on the implementation of the Google Spain judgment.
Territorial scope and extraterritorial application of EU law
This article examines the implications of the judgment for EU residents and comments on the significance of the decision as a means for testing how far the EU can expand its data protection standards beyond its territory. It also discusses how setting a ‘floor, not a ceiling’ for dereferencing obligations preserves Member State abilities to impose global dereferencing orders and the EU’s ability to position itself as the standard-bearer for data protection regulations.
This article compares the ‘diverging’ approaches to territorial scope in the CNIL case and Case C-18/18 Glawischnig-Piesczek v Facebook Ireland. In particular, it asks ‘to what extent is there a coherent approach to issues arising from the internet across the various legal measures that intersect with it?’
In this post, the author compares the outcome of the final decision with the non-binding Opinion of Advocate General Szpunar, and outlines how he sees the CJEU’s approach aligning with that of the United States Supreme Court on similar cases.
This article provides a commentary on the ‘general implications’ of the case, in particular the jurisdiction of delisting orders, and compares to the CJEU approach to the legal framework for the territorial scope of a right to be forgotten to the approach in the USA.
This article outlines why the outcome of the CNIL case was a ‘win’ for Google, simultaneously leaving ‘the door wide open … for future extraterritorial regulations of the internet’.
This piece argues that the CNIL judgment de facto approves geoblocking and gives rise to potential fragmentation of data protection enforcement.
This article examines ‘whether and how the right to be forgotten may apply to user-generated content hosts like Twitter or Facebook’.
While this article was published before the CNIL judgment was issued, it explains the arguments on both sides regarding territoriality and the enforcement of the right to be forgotten in the case, and provides a background summary of the key points from the Google Spain decision.
This link provides the reader with an overview of the relevant GDPR provisions and CJEU case law pertaining to a right to be forgotten in the EU.
This article outlines the positive and negative effects of the decision for the right to freedom of information, including the protection of access to knowledge and the matter of delisting by geography rather than language.
This book extract examines how the right to be forgotten’s ability to protect the privacy of individuals may change in significance over time. It also sets out how unpredictable societal change will compel organisations to realise that ‘knowing there is a RtBF provision in the GDPR is enough on its own’.
3. Stakeholder views
The EFF is an advocacy group focusing on the protection of access to developing technology, and a third party to the hearings in the CNIL case. Their comments following the judgment provide an insight into the US orientation towards the protection of free speech online. A copy of the EFF’s intervention to the case can be accessed here.
Article 19 is an advocacy group for freedom of expression rights, which intervened in the CJEU hearings on behalf of a coalition of free speech organisations. The group has applauded the outcome of the case, stating that ‘Courts or data regulators in the United Kingdom, France or Germany should not be able to determine the search results that internet users in America, India or Argentina get to see’.
The CCIA advocates internationally for ‘enhancing society’s access to information and communications.’ In this press release it stresses its satisfaction with the balance the court struck between freedom of information and the rights of citizens outside the EU.
The Multistakeholder Expert Group was ‘established to assist the Commission in identifying the potential challenges in the application of the General Data Protection Regulation (GDPR) from the perspective of different stakeholders, and to advise the Commission on how to address them.’ The group shares its opinions of Article 17 GDPR on pp.7-9.
EDRi is an international advocacy group for digital rights. In this piece, they outline their response to the Advocate General’s opinion in the Google v CNIL case, and include links to their previous opinions on the right to be forgotten.
Walker, general counsel for Google, published this post when the CJEU decision on the Google CNIL fine was pending, and provides some insight into Google’s perspective on dereferencing order litigation.
4. International outlook
The Judgment That Will be Forgotten, Oskar Gstrein, Verfassungsblog, 25 September 2019.
Part of this article argues that ‘the right to be forgotten is not a European concept‘, and that the CNIL judgment failed to consider how other countries have approached these cases. It compares the extent of developments in right to be forgotten jurisprudence in the EU to several other countries, and notes that ‘more than 25 percent of the nations on earth have already seen considerable legal developments in the area of a right to be forgotten, including regulation and court judgments.’
Article 8, the Right to be Forgotten and the Media, Hugh Tomlinson QC and Aidan Wills, International Forum for Responsible Media Blog, July 2018.
This review of the M.L. and W.W. v Germany case provides an overview of the criteria used to decide on delisting questions at the European Court of Human Rights (ECtHR). It comments on the parallels between the ECtHR and the approach in the Google Spain case, and outlines why a dereferencing request may be more ‘powerful’ against search engine operators or internet platforms than primary publishers such as news publications.
The ‘Right to be Forgotten’ Online within G20 Statutory Data Protection Frameworks, David Erdos and Krzysztof Gartska, University of Cambridge Faculty of Law Research Paper No 31/2019, September 2019.
This paper argues that the ‘basic underpinnings [of a right to be forgotten] are present in the great majority of G20 statutory frameworks. Whilst China, India, Saudi Arabia and the United States remain exceptional cases, fifteen out of nineteen (almost 80 %) of G20 countries now have fully-fledged statutory data protection laws. By default, almost all of these laws empower individuals to challenge the continued dissemination of personal data, not only when such data may be inaccurate but also on wider legitimacy grounds.’
The Right to Be Forgotten, Michael Kelly and David Satola, Illinois Law Review, January 2017.
The most prominent right to be forgotten case in Argentina arose in 2009, in the Virginia da Cunha case. This article gives an overview of the case and its ramifications from pp.28-31.
Data and Digital Rights: Recent Australian Developments, Goggin et al, Internet Policy Review, March 2019.
This paper explores proposals relating to data privacy rights from the Australian Competition and Consumer Commission (ACCC)’s Digital Platforms, and from a government-mandated creation of a Consumer Data Right.
Non-Compliance with Judicial Requests for Content Removal, Bloqueios, January 2007.
Questions on the enforceability of dereferencing orders arose in Brazil in 2007, when one of the country’s largest fixed-line telephone operators responded to a judicial order to remove a video of model Daniela Cicarelli from Youtube, which resulted in Youtube being blocked in large parts of the country. The link above provides an overview of and analysis of the materials in English relating to the case.
Draft OPC Position on Online Reputation, Office of the Privacy Commissioner of Canada, 26 January 2018.
The Privacy Commissioner lists ‘Reputation and Privacy’ as one of its strategic priorities for 2015-2020. Its draft position includes sections dedicated to De-Indexing, Source Amendment / Takedown and Legislative Solutions.
Right to be Forgotten: A New Privacy Right in the Era of Internet, Yuriko Haga, September 2017.
This chapter outlines the history and current situation regarding a potential right to be forgotten in Japan (section 5), including the appearance of cases against search engines since 2008, and the influence of the Google Spain judgment on more recent cases.
The Right to be Forgotten – the EU and Asia Pacific Experience (Australia, Indonesia, Japan and Singapore), Zeller et al, European Human Rights Law Review 2019 volume 1, p.23, UNSW Law Research Paper No 19-2, 23 January 2019.
The following articles and reports include further examples of countries where reference to a right to be forgotten has appeared in court judgments, statutes, or draft legislation: