History of the Right to be Forgotten

 
The right to be forgotten was recognized in the Court of Justice of the European Union in 2014. But that was neither the start or the end of the history of the right to be forgotten. The legal battles began well before the CJEU’s decision and continue to present.

An early case involving the legal right to be forgotten against the search engines played out in Argentina. Argentine pop star Virginia Da Cunha won a decision in a trial court in 2009 against Google and Yahoo requiring them to remove Internet search results improperly associating her with pornography or prostitution. The appeals court reversed the decision in 2010 and Argentina’s Supreme Court of Justice ultimately ruled in favor of the search engines at the end of 2014.

However, while the case was playing out in South America, Europe was also pushing for advancement of the right to be forgotten as part of the then developing GDPR.

In 2014, the Court of Justice of the European Union found within the existing EU Data Protection Directive the right to be forgotten. It found the law required a halt to online publication of results that were no longer relevant after a certain amount of time had passed and the individual wanted them removed. Google was found to be a data controller that had to respect the right of the individual to control their own data.

The decision also made waves because it set a precedent for the EU’s ability to enforce the ruling against an American company even though its servers are based outside of Europe (whether in California or elsewhere). In the lawsuit, Google argued that none of the data-crunching happened in Spain; it contended it only had a sales office there so the EU data protection law did not apply.

Since the decision, Google has received more than 2.5 million requests from Europe to remove information. For some, Google removes the information. It says it has done this in about 43% of the requests it has received. For others, it determines that the information is in the public interest and they indicate that they aren’t going to remove it.

Google and France have been in a significant legal battle since 2014 over the scope of the right to be forgotten, which is now before the ECJ. France wants requests granted under the right to remove information from the search engine around the world. It has argued that the right is meaningless if it can be seen by an individual located in the United States or by anyone in Europe who can fake their IP address. Google has limited the right and fought France’s efforts to expand it, granting the right to be forgotten first just for Google’s European domains and then for any user based in Europe.

Google is taking its first two right to be forgotten cases to trial in the United Kingdom in 2018. Both individuals are business people who were convicted of offenses which are now covered by an English law designed to rehabilitate criminals that says they can be ignored and don’t have to be disclosed to employers unless they meet one of a few exceptions.

In the United States, there is still no right to be forgotten, most likely in part due to the First Amendment. However, New York State briefly introduced a bill to create the right, requiring search engines to remove content about individuals that was innaccurate, irrelevant, inadequate or excessive. The bill identified this information as the sort of content where there had been a significant lapse of time since publication, it was no longer material to current public discourse, and it is causing demonstrable harm to the requester’s professional, financial, reputational or other interest. The bill excluded convicted felonies, legal matters involving violence, and matters of significant current public interest in which the requester’s role is central and substantial to the matter.

In Europe, the right to be forgotten will be substantially strengthened by the GDPR. Article 17 of the GDPR provides the Right to Erasure, which permits a data subject to request a controller to delete personal data concerning him or her without undue delay.

Improve Data Privacy for GDPR or CCPA with Clarip

The Clarip team and enterprise privacy management software are ready to meet your compliance automation challenges. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.

If compliance with the California Consumer Privacy Act is your focus until 2020, ask us about our CCPA software. Handle automation of data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with the consent management software.

Need to improve your GDPR compliance solution? Clarip offers modular GDPR software that can fill in gaps in your privacy program. Choose from the data mapping software for an automated solution to understanding your data collection and sharing, conduct privacy risk assessments with DPIA software, or choose the cookie consent manager for ePrivacy.

Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.