They say that the internet never forgets… well, it looks like things are about to change.

Introduction

Privacy law was seen in a new light in two landmark judgements given by the Court of Justice of the European Union (CJEU). The judgements will act as a significant precedent when it comes to shaping of Indian legislations and case law on the issue of privacy, which is why it is important to understand its direction.

Google v. Spain (2014)

This well-known judgement caused a wave that led to the publicity of the Right to be Forgotten. In the present case, the Plaintiff had filed the suit against the publisher of a newspaper as well as Google LLC, for the article that was published in 1998. The article pertained to a real estate auction that featured the Plaintiff’s name and could easily be found by a simple Google search. The Plaintiff had sought his personal information to be redacted from the article, as well as for Google to remove any search results that referenced the article.

The CJEU determined that upon receiving adequate notice from an individual, search engines must remove links to a webpage that contains any personal information which is ‘inadequate, irrelevant or no longer relevant, or excessive’. The Court also held that a person has the right to de-list their personal information from the internet, and that the search engine operator was largely responsible to uphold such right, while also balancing other considerations such as public interest, and the right to information. This judgement was made in compliance with the old law, which was the Data Protection Directive.

The case is particularly important due to the fact, that the information on the Plaintiff that was published was not only published 16 years ago, but also because it falls within the ambit of the Freedom of Expression and Information. However, the ruling was in favor of the Plaintiff as the failure to do so would result in the violation of his basic right to privacy.

The European Union’s General Data Protection Regulation (GDPR)

Subsequently, the old law (Data Protection Directive) was replaced by the General Data Protection Regulation (GDPR), enacted to stand as the primary law regulating and protecting the personal data of the EU citizens.

This regulation mentions the Right to be Forgotten (also known as the Right to Erasure); request the controller to delete their personal data without undue delay, subject to certain guidelines and restrictions of course. This regulation governs how data must be collected, processed, and deleted, and gives guidelines as to when an individual can make a request to an organization for erasing their personal. This indicated that the same is not an absolute right.

The right to be forgotten is stated in Recitals 65 and 66, and in Article 17 of the GDPR. Article 17 basically encapsulates that a person (data subject) who wished to delete their personal data, shall be able to do so by notifying the controller who is obligated to delete such personal data without undue delay. “Undue delay” is subjective but is about a month. As the action is of very sensitive nature, reasonable steps are to be taken to ensure that the person requesting erasure is the data subject itself.

The regulation puts forth the terms of how private information and sensitive personal information of individuals will be protected based on the concepts of Consent, the Right to Access, the Right to be Forgotten, and more. The key features and details of this regulation have been covered under a previous post.

Google v. CNIL (2019)

Subsequently, in this landmark case, it was observed that the Court was concerned with the territorial scope of delinking requests. Delinking requests in this case means to remove the links from the results displayed following a search conducted based on a person’s name, and for it to apply to all of the search engines’ domain name extensions.

In the present case, The Commission Nationale de l’informatique et des Libertés (CNIL) (the French data protection authority) had made a request to Google, to erase  certain personal data from all of their domain names and its extensions, i.e. ‘globally’, which Google refused to do. This process is referred to as “de-linking”. A notice was then furnished by the CNIL, which was ignored, thus leading to the filing of the suit.

In the present case, the CNIL had contended that an order for delinking must be enforced by Google ‘globally’, or on all of Google’s domain name extensions, which differ as per jurisdictions; due to the fact that the services that are rendered by Google in each jurisdiction, differs from country to country based on the laws of the land that affect it. Google argued that it was sufficient to de-link only within the EU member States or within the geo-location of the data subject.

The CJEU held that EU law did not mandate that the de-linking request must be followed globally but must at least de-link the impugned links on all versions of the search engine corresponding to EU member States.

Based on this case, one can see that the same has connotations in very many situations. For example, if an Indian citizen goes to France and puts his personal information online, the same would be regulated under the GDPR as it would be within its jurisdiction. However, if the same Indian citizen decided to erase the personal information from Google, the same would only be effective to the extent of the Google domain names designated within the EU and not outside.

So, it would be possible to access the same personal information on Google in the jurisdiction of India for instance, but not in the EU. And as the GDPR is only applicable to the EU citizens and the jurisdiction of the EU, it would not be possible for the Indian citizen to remove his personal information from the domain names of Google that are designated in India.

Observations

Based on the above, it is easy to draw the following conclusions:

  1. The fact that de-linking globally is not exactly applicable always but can be enforced based on case to case basis. The same would seemingly depend on the extent of reach of the information, the balancing of public interest and the right to information, as well as the extent of damage that it is liable to cause/has caused the individual.
  2. The application of the above right is restricted to the jurisdiction of EU. This offers a big loophole in the effectiveness of the said right, as the personal information that the GDPR strives to protect would be available and accessible in other jurisdictions.
  3. Added to that, the system of erasure of personal information seems to be a long and tedious one. As the regulation does not allow any and all personal data to be erased, the data subject would first have to be clear as to whether the information they seek to erase would be feasible. Then the data subject would have to give a notice in the prescribed manner to the concerned controller for the deletion of the personal information, after which the identity of the data subject would have to be sufficiently verified, and only then the request may or may not be accepted by the controller (subject to the content of the request and the understanding of the controller). Now if the controller accepts the notice, the erasure would happen within 30 days or more, depending on each case. However, if the controller refuses, one would have to use the expensive and even more time-consuming method of filing a case.

The Right to be Forgotten

The right to be forgotten has gained significance mostly since the internet does not forget. Before that, there was no actual exercise or real recognition of such a right especially when it is read with the right to privacy. Hence, its significance grows exponentially with the expanding reach of the internet, and the extent of automation that the world is driving towards. This also means that the meaning and scope of the right to be forgotten will only grow with time, and with its new application in each case.

The right to be forgotten seems to be the cosmetic equivalent of the human tendency to forget, but on the internet. For example, just from the above cases, what can one say about its effect on journalism? (Let’s keep that discussion for another time, shall we?)

Conclusion

In conclusion, with reference to the time of non-internet based personal information and sharing of such information, it is safe to say that the right to be forgotten claims even more significance within the purview of the internet by adding a prominent new dimension to the scope of the right to privacy. The two EU judgements give clarity to certain aspects of such a right and gives a fair idea of what needs improvement.

I mean, any day seems like a good day if one can tell the internet to “Forget it!”.

Summary