Businesses around the world collect as much information about their consumers as they can in order to optimize their business activities and earn higher profits, and in a highly digitalized world the collection and storage of such information comes in handy. As a result, an individual’s information, personal or otherwise, is just a Google search away. Recognizing the consequences of trusting business giants with huge amounts of data, the European Union passed the General Data Protection Regulation (GDPR) in 2018, which governs how personal data must be collected, processed, and erased. This article discusses the scope of the Right to be Forgotten under the Regulation in light of certain judgments passed by the CJEU.
With the intent to strengthen the fundamental right to privacy, Article 17 of the GDPR provides for the erasure of personal data immediately where: the data are no longer needed for their original processing purpose; the data subject has withdrawn his consent and there is no other legal ground for processing; the data subject has objected and there are no overriding legitimate grounds for the processing; or erasure is required to fulfil a statutory obligation under EU law or the law of the Member States. In addition, data must naturally be erased if the processing itself was against the law in the first place. (1)
The responsibility to erase personal data, upon a request being made, is entrusted to the “controller”. The term “controller” under the directive does not specifically name any authority or organization but merely states “any natural or legal person, public authority, agency or other body which … determines the purposes and means of the processing of personal data”. The Court in Google v. Spain held that the activity of a search engine, consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference, must be classified as ‘processing of personal data’, and that carrying out such activities gives the operator of a search engine the title of ‘controller’ under the directive. The Court thus recognized the role of search engines as a “controller” of personal data and their responsibility to take down any personal information when a request for its erasure is made, after considering that the personal data does not fall under the exceptions provided in the directive.
A request for erasure can also be made via the data protection agencies set up in each Member State of the EU. In the case of Google v. CNIL, the Court was concerned with the territorial scope of Right to be Forgotten requests, i.e. whether search engines should take down the personal data nationally or globally. It held that:
“a supervisory or judicial authority of a Member State remains competent to weigh up, in the light of national standards of protection of fundamental rights a data subject’s right to privacy and the protection of personal data concerning him or her, on the one hand, and the right to freedom of information, on the other, and, after weighing those rights against each other, to order, where appropriate, the operator of that search engine to carry out a de-referencing concerning all versions of that search engine.”
This leaves the door open for data protection agencies in EU states to consider situations which may gravely affect the right to privacy and to order a global takedown in certain situations where the agencies consider it warranted.
In another case, concerning French citizens petitioning the CNIL, the Court was concerned with whether prohibitions on the processing of special categories of personal information applied to search engines and indexes, and if so, to what extent. These correspond to ‘sensitive’ personal information such as legal proceedings, criminal convictions, political beliefs, race or ethnicity, etc. The Court held that, for information falling within these categories, there is a default obligation on search engines to take down such information. However, this too is subject to specific exemptions which must be weighed up and enforced by the search engines themselves.
As the Court notes:
“where the operator of a search engine has received a request for de-referencing relating to a link to a web page … the operator must, on the basis of all the relevant factors of the particular case and taking into account the seriousness of the interference with the data subject’s fundamental rights to privacy and protection of personal data … ascertain, having regard to the reasons of substantial public interest … whether the inclusion of that link in the list of results displayed following a search on the basis of the data subject’s name is strictly necessary for protecting the freedom of information of internet users potentially interested in accessing that web page by means of such a search.”
On examining the above judgments, it is apparent that the Court intends to balance the Right to Information with the Right to Privacy, and that it has given this balancing power to the data protection agencies and, for the most part, to internet search engines, without specific guidelines as to how a request is to be examined or how to determine whether the information to which the request relates amounts to ‘personal data’. Additionally, these cases concern only ‘search engines’, which fall under the definition of ‘controller’, but does this definition also extend to other internet intermediaries? How is an order passed by a data protection agency situated in one country to be enforced in another country in the case of a global takedown of information?
There are certain gaps in the implementation of the GDPR, but these developments by EU courts serve as a guide for other countries around the world to frame their own data protection policies.