Google & The Right to be Forgotten
On Governing Information in a Globalised World
Dr Jonathan Foster
University of Sheffield Information School
The Ruling by the European Court of Justice earlier this week raises two important issues. First the issue of how democratic societies strike a balance between the privacy rights of the individual on the one hand, and the public interest on the other. Second, the limits of legal jurisdiction and of institutional obligation.
The ‘Right to be Forgotten’ — or ‘Right to Erasure’ as it is now known — is a provision under the General Data Protection Regulation (GDPR). This provision provides individuals with the right to request organisations, search engine operators for example, to remove specific personally-identifying information about them. A number of reasons can be given by the user to justify their request: that processing of the data is no longer necessary in relation to the original purposes for which the data was collected, that data processing relies on the user’s or ‘data subject’s’ consent and the user now withdraws their consent, or that data processing is considered unlawful. For their part the Right to Erasure also places a number of obligations on organizations: to respond to the user’s request and if not acceding to it, to provide their reasons for not complying with it. Again, a number of reasons can be given including freedom of expression and of information, legal necessity, or considering the user’s request to be unfounded or excessive.
What the ruling does this week is re-visit the question of absoluteness. That a user’s right to erasure is not absolute, and indeed that there are limits to jurisdiction and to the extent to which one country or group of countries can impose their values and laws on those of others. To quote the ruling the “operator of a search engine is not required to carry out a de-referencing on all versions of its search engine”. In other words, should an EU citizen submit a request for erasure, the search engine operator is only obliged to erase a person’s name from versions of that search engine that correspond to the Member States of the EU, e.g. Google.fr, Google.de etc. The search engine is not necessarily required to remove information from versions of its search engine that correspond to non-Member States of the EU. For example, if an act of data processing has made the personal data accessible from within the US, that information will in principle still be accessible to a user within that jurisdiction(s).
In short, the European Court of Justice has determined that a user’s right to privacy is limited by geography, national boundaries, and therefore a specific public — as are the obligations of data controllers’ e.g. those of search engine operators. What in turn the ruling also raises is the perennial issue of whether the Internet is a place for universal access to information or a differentiated landscape of interacting parts.
NB: It is worth bearing in mind that the above ruling is not affected by Brexit. The UK has its own version of the GDPR!