The Most Comprehensive Data Protection Solution

Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.

First and Only Solution to Converge:

  • Data Loss Prevention
  • Endpoint Detection and Response
  • User and Entity Behavior Analytics
DATAINSIDER

Digital Guardian's Blog

EU Court Limits 'Right to Be Forgotten'

by Chris Brook on Friday September 27, 2019

Contact Us
Free Demo
Chat

Google won what many viewed as a milestone case this week as Europe's top court ruled it doesn't have to extend the "right to be forgotten" privacy rule beyond the EU’s 28 member states.

It took several years but Google was finally awarded a big time victory this week after the EU's top court ruled that the company doesn't have to apply the "right to be forgotten" rule beyond the EU.

The European Court of Justice ruled Tuesday that there’s “no obligation under EU law for a search engine operator” to extend the rule beyond EU member states.

Google waited five years for the decision after a previous ruling mandated the internet giant delete links to personal information on request.

It was in that case in May 2014, in a Court of Justice of the European Union ruling, that the “right to be forgotten” first surfaced. The gist of the privacy law being that individuals have the right to ask search engines to delist results for queries as long as they're “inadequate, irrelevant or no longer relevant, or excessive.”

Google took umbrage with the French data protection authority, CNIL, in 2016 after the DPA asked the company to honor those requests globally, instead of on a per country basis. Google complied by introducing a geoblocking feature, something which stopped European users from seeing delisted links but refused to remove links globally upon request, something that prompted CNIL to fine the company 100,000 euros ($109,790).

According to Google's annual transparency report, which keeps track of requests to delist content under European privacy law, since 2014, the company has received 845,501 requests to remove links, and removed 45 percent of the 3.3 million links.

While Google will still have to remove to links to sensitive personal data on request in Europe, Tuesday’s ruling means it won't have to do the same elsewhere in the world.

“Currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject ... to carry out such a de-referencing on all the versions of its search engine,” the court said specifically, adding in a statement that “the balance between right to privacy and protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world.”

While the case obviously had ramifications for Google and CNIL, it also helps forecast how high courts can regulate the internet going forward.

If the court had ruled differently, it could have set a precedent for other regions as to how rules are implemented. Many privacy advocates have argued that creating a global "right to be forgotten" could place global free speech in jeopardy.

There was some grey area with the court’s decision however. The ruling leaves the door open for European regulators to order the "right to be forgotten" to apply outside the EU in specific cases, a concept that wasn't lost on CNIL.

“The Court specifies that, although there is no obligation of global de-referencing under EU law, it is also not forbidden. Thus, a supervisory authority, and so the CNIL, has the authority to force a search engine operator to delist results on all the versions of the search engine if it is justified in some cases to guarantee the rights of the individuals concerned,” CNIL said in a statement Wednesday before confirming that it will comply with the court’s decision.

Tags: Privacy

Recommended Resources


  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business
  • The Five Stages of Threat Hunting
  • A Proactive Approach to Threat Hunting
  • Expert Tips

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.