Development Of The Right To Be Forgotten Under GDPR

6th December, 2022 - 6:17 am Categories: GDPR 0 Comments

Introduction

The origin of Right to be forgotten occurred in May 2009 from the European Commission’s meeting. A session on the “Is there a “fundamental right to forget? ” Was conducted. The Right to be forgotten is likewise called the right ‘to erasure.’ This right enables a person to demand the removal of his own information when this information gets insignificant to the organization. This right appears to be difficult to be enforced in light of the fact that an activity of disremembering is hard to be executed however the rule has been summoned to regard the personal privacy by deletion of inaccurate information.

The right to be forgotten is codified in the EU General Data Protection Regulation. This had made the EU to stretch out the right to be forgotten to every data processing. The GDPR gives any individual the right to request the erasure of their personal information or data when no satisfactory reason for its processing.

General Data Protection[Image Source:  Shutterstock]

Google Spain v AEPD and Mario Costeja González

On March 5, 2010, a Spanish citizen by the name of Mario Costeja Gonzalez filed a complaint with the Spanish Authority for Personal Data Protection (AEPD), the country’s data protection agency, as well as against Google Spain and Google Inc. The man complained that a Google search auction of his foreclosed house was violating his right to privacy since the processes involving him had long since been resolved, making any mention of them improper and irrelevant. He first asked the newspaper to remove or alter the pages so that his personal information didn’t show up, and then he demanded that Google Spain or Google Inc. remove the offending content.

The AEPD denied the newspaper’s demand on the grounds that no newspaper is required to retract its articles since they were properly published at the time they were released. The lawsuit filed against Google was upheld.

By stating that every person has the opportunity to ask for the deletion of their information if it is insufficient, irrelevant or no longer relevant for those reasons given the passage of time, the European Court of Justice effectively clarifies the right to be forgotten in this case.

The case was referred to the Court of Justice of the European Union by the Spanish court putting forward the following questions: (a)Does EU’s 1995 Data Protection Directive can be applied to search engines like Google?;(b) Does EU law (the Directive) gets applied to Google Spain even though the given company’s data processing server was in the United States?;(c) Lastly, whether an individual has the right to request to remove his personal data from accessibility via a search engine i.e. the ‘right to be forgotten’.

The Court determined that search engines may process user information were doing so is necessary for the legitimate interests of the data subject or of a third party. The right has restrictions, particularly when it comes to the data subject’s fundamental rights like the right to privacy.

The Court responded to the question of whether Google Spain is subject to EU legislation (the Directive) by stating that Google Spain is a subsidiary of Google Inc., making Google Inc. a subject of the EU Directive. The legal responsibilities that web search engines like Google had under the Directive were a major source of worry. The court ruled that web search engines have the legal authority to treat personal data were doing so is essential to the data owner’s or another party’s legitimate interests. The right is subject to limitations, especially when it comes to the data subject’s fundamental rights like the right to privacy.

The court ruled that in these situations, not only does the data subject have this right, but the data controller is also required to take this information down. With this ruling, the Court recognised that while Google was under no duty to remove Mario Costeja Gonzalez’s personal information, he did reserve the right to do so.

Due to the precedent it has established for all upcoming cases, the ruling is of utmost significance. Notably, the ruling clarified the distinction between removing information from a search engine and removing it from a website. When data is released on a single website, it will have a far less effect on the right to privacy and the protection of personal data than when the same material is published on a search engine. This is mostly due to the fact that a broader audience may access data that has been published on a search engine.

The Court’s decision was based on this justification. For instance, when someone looks for someone’s information, he will undoubtedly put the person’s name into a search engine and won’t visit every page where he believes the person’s name could be referenced. As a result, the data should be deleted from the search engine for greater protection of an individual’s privacy.

The Court has said that there are restrictions on the right to privacy and the protection of personal data, such as the interest of the general public. Although this right to privacy is of utmost significance, it cannot be absolute and must be balanced fairly. The Court must evaluate the appropriate balance between the freedoms of expression and information and the right to privacy on a case-by-case basis.

The geographic application of the right to be forgotten—specifically, whether it may be applied outside of the EU—was a crucial issue that this judgement left unresolved. The landmark decision in Google v. CNIL provided a solution to this question, holding that Google is not required by EU law to implement the global right to be forgotten.

The ruling made in this case serves as a benchmark for the protection of personal information not just in Europe but also internationally. The GDPR provides strong protection for the right to be forgotten. As one of the largest data controllers of personal information, Google has now established a process enabling quick and simple access for its users to their right to be forgotten.

THREE THINGS TO LEARN FROM EUROPE’S RIGHT TO BE FORGOTTEN DECISIONS

Lesson 1: France’s Global Injunction Was Problematic

The first takeaway from this case is that France’s decision ordering Google to remove links to certain material from its search engine results globally is neither valid nor practical. To comply with Europe’s “Right to Be Forgotten”, Google agreed to put down certain offending search results from its searching database. The question which was to be dealt now was which search database. The firm laid three distinct options:

Domain-level response: This constitutes the removal of offending listings from only the country level domain, example google.fr.

Location-specific response: In this the geolocation technology is used to identify where the user is located and make sure that users in that jurisdiction (in this case, Europe) do not have access to links to the offending material.

Global takedown: This means to remove the links to the offending material worldwide.

In this case, Google started at domain-level, then was pushed to location-specific, yet the regulators insisted on a global takedown. Google initially took down the offending and targeted material from its Google.fr page but not from the google.com. After conducting an advisory meeting, it was decided to use the geolocation technologies to remove the content. But CNIL wanted a global injunction and concluded that Google should remove the offending links on all its search results.

The European privacy law has guaranteed a protection of personal data in the European Union and the global delisting would help it. But the right to the protection of personal data is not absolute in nature and therefore needs to be balanced out with other key fundamental rights. This analysis made it clear that there was no express EU authorization for the CNIL’s global order. Also, because the order does not balance privacy rights with freedom of information concerns, the court rejected it.

Lesson 2: Global Injunctions Are Not Inherently Problematic

The court left a little bit of ambiguity concerning the extra territorial regulation of the internet. While the court said that EU law does not authorise France to compel Google to remove listings globally it also does not prohibit such a practice. This means that the absenteeism of any statutory authority can be a good reason to order a global injunction, as long as they comply with balancing privacy with freedom of information.

The court was of the opinion that there was nothing wrong with global injunctions also it suggested that they are useful as remedies to far reaching internet harms.

Lesson 3: The Two Big Debates in the U.S.: Universal Injunctions and Content Moderation

The court stated how important is the strong speech regulations but at the same time how impossible is to get right on a massive platform. In the sensitive data ruling, it was held by the court that Google must take consent before processing sensitive data. This required the help of users about what was sensitive and non- consensual data sharing.

The court, in its sensitive data ruling, noted that, while Google must get consent before processing sensitive classes of data, it did not expect Google to solve this problem without some help from users about what is sensitive and non-consensual data sharing.

The Right to be forgotten holds incredible significance in the present situation yet it comes with certain constraints. It is not the right which will over rule all the other fundamental rights like the freedom of the media or the freedom of expression.

I would like to conclude that the privacy of a person holds tremendous amount of importance in today’s scenario which cannot be denied in any way.

Conclusion

As you’ve just read and seen, the right to be forgotten does not come with any guarantees. There are several exclusions and restrictions. Data controllers must consider factors like probability, proportion, cost, and so on. Enabling the use of the right to be forgotten is difficult and requires careful consideration of each individual instance, the impact of various technology, and any potential competing legal justifications.

Setting priorities is also important. It is obvious that more is at risk in some situations (such as unlawful processing and express permission). It is also obvious that priority should be given to data pertaining to minors. Although there are many exceptions in practise, it is important to understand the justifications for exercising the right to erasure. Some context was given to the infographic.

Author: Vikrant Singra, in case of any queries please contact/write back to us via email to chhavi@khuranaandkhurana.com or at  Khurana & Khurana, Advocates and IP Attorney.

Tagged

Data Protection, GDPR, General Data Protection Regulation, Google Spain Case., Right to forgotten,

Leave a Reply

Categories

Archives

  • April 2024
  • March 2024
  • February 2024
  • January 2024
  • December 2023
  • November 2023
  • October 2023
  • September 2023
  • August 2023
  • July 2023
  • June 2023
  • May 2023
  • April 2023
  • March 2023
  • February 2023
  • January 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • July 2022
  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • October 2018
  • September 2018
  • August 2018
  • July 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
  • November 2017
  • September 2017
  • August 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
  • October 2016
  • September 2016
  • August 2016
  • July 2016
  • June 2016
  • May 2016
  • April 2016
  • March 2016
  • February 2016
  • January 2016
  • December 2015
  • November 2015
  • October 2015
  • September 2015
  • August 2015
  • July 2015
  • June 2015
  • May 2015
  • April 2015
  • March 2015
  • February 2015
  • January 2015
  • December 2014
  • November 2014
  • October 2014
  • September 2014
  • August 2014
  • July 2014
  • June 2014
  • May 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • December 2013
  • November 2013
  • October 2013
  • September 2013
  • August 2013
  • July 2013
  • June 2013
  • May 2013
  • April 2013
  • March 2013
  • February 2013
  • January 2013
  • December 2012
  • November 2012
  • September 2012
  • August 2012
  • July 2012
  • June 2012
  • May 2012
  • April 2012
  • March 2012
  • February 2012
  • January 2012
  • December 2011
  • November 2011
  • October 2011
  • September 2011
  • August 2011
  • July 2011
  • June 2011
  • May 2011
  • April 2011
  • March 2011
  • February 2011
  • January 2011
  • December 2010
  • September 2010
  • July 2010
  • June 2010
  • May 2010
  • April 2010