Google wins right-to-be-forgotten cases as EU court narrows scope of requests
24 Sep 2019 12:00 am by Matthew Newman
Google has scored two major victories at the EU’s highest court as judges narrowed the scope of Internet users’ right to be forgotten, rejecting calls to impose the right globally and to make the delisting of sensitive personal data automatic.
In the first ruling, the Court of Justice said that Google isn’t required to carry out dereferencing on all versions of its search engine. The court said that the EU’s “right to be forgotten” law should apply solely within the bloc’s 28 member countries.
Google had challenged an order by French privacy regulator CNIL that it must extend its delisting practice to all of its domain-name extensions.
The search company has argued that the right to be forgotten applies only to its EU-based sites. It currently deletes names from websites such as its UK or Spanish sites — google.co.uk and google.es, for example — but not from google.com.
Google and media groups had argued that rulings making the right to be forgotten a worldwide right would end up giving governments a free hand in censoring the Internet.
The court agreed with this argument, saying that many other countries “do not recognize the right to dereferencing or have a different approach to that right.”
“The balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of Internet users, on the other, is likely to vary significantly around the world,” the court said.
EU judges said that there’s no explicit obligation for the right to be forgotten to be extended outside the EU. Moreover, the EU doesn’t have any cooperation mechanisms with other governments on the scope of delisting outside the EU, the court said.
However, the court did rule that Google and other search engines must carry out dereferencing on the domain names — such as google.fr or google.de — corresponding to all EU countries and put in place measures, such as geo-blocking, that would prevent users from one member state to access links on domains outside of the EU.
— Sensitive data —
In the second case, the court said there’s no automatic requirement for Google to delist “sensitive” personal data.
The case stems from a dispute between the search engine and four French citizens who asked Google to delete links to webpages about them.
Google refused, so the citizens appealed to the CNIL, which sided with the US tech company. They then appealed this decision at the State Council, France’s supreme court, which in turn asked the EU Court of Justice for guidance.
The search engine has argued that the case could create a loophole that would force the company to remove data as soon as someone demands it, even if there is a public interest in such information being freely available.
A requirement for automatic delisting could have opened the door to politicians seeking to erase information about them that the public should have a right to see.
The court agreed with Google’s arguments, stating that “a balance must be struck between the fundamental rights of the person requesting the dereferencing and those of Internet users potentially interested in that information.”
Google's senior privacy counsel Peter Fleischer said in a statement that the company has worked hard to implement the right to be forgotten in Europe, and to strike a “sensible balance” between people’s rights of access to information and privacy.
Fleischer said it's “good to see” that the EU Court of Justice has agreed with the company arguments that delisting shouldn't be carried out on a worldwide basis, and that sensitive data shouldn't be automatically delisted.
The case numbers are C-507/17 and C-136/17.
03 Aug 2020 9:29 pm by Ana Paula CandilCompanies are pressuring Brazilian lawmakers to delay implementation of the nation's data-protection law from Aug. 16 until next May.
Biggest cyberattack ever caused $15 billion loss to customers of companies directly hit, though banks softened impact, study says31 Jul 2020 12:00 pm by Neil RolandThe most damaging cyberattack ever in 2017, caused a $15 billion loss to customers of companies directly hit, a federal study said.
International companies more prepared than local companies for Brazilian data protection law, Alves says30 Jul 2020 11:00 am by Ana Paula CandilInternational companies are much more prepared for Brazil's new data protection law than Brazilian firms because they already comply with similar legislation.