General Data Protection Regulation (GDPR) , Governance & Risk Management , Privacy

'Right to Be Forgotten' Should Be EU-Only, Adviser Says

European Court of Justice Gets Non-Binding Legal Opinion From Advocate General
'Right to Be Forgotten' Should Be EU-Only, Adviser Says

Europe's "right to be forgotten" should not apply worldwide, but only inside the EU.

See Also: How Enterprise Browsers Enhance Security and Efficiency

So said an advocate general for the European Court of Justice, the EU's highest court, on Thursday in a case involving Google and France's data protection authority CNIL - the Commission nationale de l'information et des libertés.

Last year, CNIL argued before a 15-judge panel that the so-called right to be forgotten should apply worldwide. Its view is backed by both the French and Austrian governments (see: Google and EU Fight France Over 'Right to Be Forgotten').

But others, including Google as well as the European Commission - the EU's politically independent executive arm - argued that the right to be forgotten should only apply within the 28 member states within the EU.

On Thursday, Advocate General Maciej Szpunar issued an opinion that the relevant European law does not address extraterritoriality, and thus he was not in favor of extending the right to be forgotten worldwide, except in exceptional cases.

"He therefore takes the view that a distinction must be made depending on the location from which the search is performed," the ECJ says in a press release summarizing Szpunar's opinion.

"Thus, search requests made outside the EU should not be affected by the dereferencing of the search results," it says. "He is therefore not in favor of giving the provisions of EU law such a broad interpretation that they would have effects beyond the borders of the 28 [EU] member states."

Opinion is Non-Binding on Court

Szpunar is one of 11 advocates general who serve on the ECJ. Their job is to issue a preliminary opinion in a case, which is not binding on the court. "It is the role of the advocates general to propose to the court, in complete independence, a legal solution to the cases for which they are responsible," the ECJ says. "The judges of the court are now beginning their deliberations in this case. Judgment will be given at a later date."

The opinion comes as part of the "scope of 'right to be forgotten' being defined," says Stewart Room, head of consultancy PwC's GDPR practice, in a blog post. "[The] interim position of EU court is that Google should apply [it] only in EU."

Google didn't immediately respond to a request for comment on the advocate general's opinion.

The Right to Erasure

Europe's right to be forgotten - aka "right to erasure" or delisting - predates the EU's General Data Protection Regulation, which went into full effect in May 2018. But GDPR further enshrines those rights under article 17, which states that in certain cases, "the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay."

Categories of websites hosting content requested for delisting, from Jan. 22, 2016, through Jan. 11, 2019 (Source: Google)

When Europe created the right to be forgotten, however, it did not detail how exactly it should be implemented. That has led to ongoing negotiations - and legal disagreements - between data controllers, including search engine operators, and EU member states' data protection authorities over the threshold for when delisting should occur, balanced with a public right to access knowledge.

In May 2015, the president of France's CNIL served a formal notice to Google stating that when it approved a "right to be forgotten" request to delist a link, it should remove links to the information from all of its website domain extensions worldwide.

Google refused to comply with that request, although did later propose to implement geo-blocking requests that would remove links not only from its European website domains, but also prevent anyone who appeared to be located inside from Europe from accessing the delisted links from any Google site.

CNIL said that approach was insufficient, and on March 10, 2016, imposed a fine of €100,000 ($115,000) on Google.

Google contested the fine, arguing that it should be dismissed, and in August 2017, asked the European Court of Justice to rule on the matter.

Opinion Backs Google's Approach

The Thursday advocate general opinion follows testimony before the ECJ last September by Google, the EC, CNIL and others, including privacy rights groups.

The advocate general says that "the fundamental right to be forgotten must be balanced against other fundamental rights, such as the right to data protection and the right to privacy, as well as the legitimate public interest in accessing the information sought," the ECJ says.

"He therefore proposes that the court should hold that the search engine operator is not required, when acceding to a request for dereferencing, to carry out that dereferencing on all the domain names of its search engine in such a way that the links in question no longer appear, irrespective of the location from which the search on the basis of the requesting party's name is performed."

But the advocate general wants to see the controls put in place by Google continue, including its practice of using multiple means to restrict access from inside the EU to any de-listed results.

"Once a right to dereferencing within the EU has been established, the search engine operator must take every measure available to it to ensure full and effective dereferencing within the EU, including by use of the 'geo-blocking' technique, in respect of an IP address deemed to be located in one of the member states, irrespective of the domain name used by the internet user who performs the search," the ECJ says of the advocate general's opinion.

Delisting requests sent to Google from Jan. 22, 2016, through Jan. 11, 2019

Google says that under the right to be forgotten, so far it has received 762,315 requests that have collectively asked it to "delist" 2.9 million URLs. It says 89 percent of requests have come from individuals, rather than on behalf of organizations.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.