Skip to main content

Landmark GDPR Case: Google and the Right to be Forgotten

Landmark GDPR Case: Google and the Right to be Forgotten
GDPR, privacy

The General Data Protection Regulation (GDPR) and other laws in the European Union (EU) give its residents the right to be forgotten. But the EU’s highest court recently said that right only exists within the EU itself. Google and other search engines can still display that private information on websites based in the U.S., China, and elsewhere around the world.

EU Gives European Residents the Right to Be Forgotten

Directives and regulations passed by the European Parliament have given individuals the “right to be forgotten” since 2014. When the GDPR went into effect in 2018, those protections for individual privacy online got stronger, at least for the residents of many European countries.

The GDPR “right to erasure” says that individuals have the right to have personal data erased from websites and search engines if:

  • It is no longer necessary for its original purpose
  • The person withdraws their consent (if consent was required)
  • There are no overriding legitimate interests to hold the data
  • The person objects the use of personal information for direct marketing purposes
  • The company collected the data unlawfully
  • The company is court-ordered to do so
  • The information collected is on a child

All a person needs to do to exercise this right is to notify the holder of the website or search engine verbally or in writing that they want their personal data removed. It is then up to the company to weigh that request against its own rights and responsibilities to:

  • Exercise the right to freedom of expression and information
  • Comply with a legal obligation
  • Act in the public interest or as an official authority
  • Archive information of public interest, scientific or historical research, or statistics (if it would be seriously affected by the erasure)
  • Legal claims or defenses

The company may also refuse to comply with a request for erasure if it is unfounded or excessive.

Google Says GDPR De-Referencing Requirements Only Apply Within the EU

Small companies and website holders have enough trouble complying with individual GDPR requests to be forgotten. For international search engine Google, the requests are piling up. Since it applied its right to be forgotten policies in May 2014, it has received 845,000 requests for removal, applying to 3.3 million web addresses. It has delisted approximately 45% of those links. To limit its workload, Google took to limiting de-refencing to domains within the EU – including search results on Google.fr, Google.co.uk, and Google.de – but not on other sites, like Google.com.

The French Data Protection Authority (Commission nationale de l’informatique et des libertés or CNIL) didn’t like that answer. It issued a formal notice against Google on May 21, 2015, citing it for violating the GDPR’s right to be forgotten.  When Google refused to expand the scope of its de-referencing, the CNIL issued an adjudication on March 10, 2016, fining Google €100,000 for the offense. Google appealed the case up to the highest level: the Court of Justice of the European Union.

EU Court Directs Search Engines to Hide Websites with Non-EU Domains

The Court of Justice issued its ruling on September 24, 2019. It said that Google was not required to de-reference domains outside the EU. The court said:

"Currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject... to carry out such a de-referencing on all the versions of its search engine."

The court acknowledged that the right to be forgotten had to be balanced against other interests, including the freedom of information, and that that balance wouldn’t be the same worldwide. Still, the decision did essentially say that a worldwide de-referencing was the best practice.

It also said that to comply with the GDPR, Google had to do more than simply de-register the private information from EU sites. Google was directed to pair de-referencing with measures to prevent or seriously discourage EU residents from gaining access to versions of the search engine or links that contain the de-referenced information – essentially to hide versions of those websites with non-EU domains.

This decision affects how GDPR will be applied against big internet businesses, and small companies collecting data for their businesses. If your company does business in the EU, you should sit down with a Provisio Technology Solutions web solutions specialist today. We help you create company best-practices to stay on the right side of the regulations. Contact us today to schedule meeting with a web solutions specialist.