A Fundamental(ly) European ‘right to be forgotten’
Can the Internet ever ‘forget’ personal details about us? Following today’s ruling by the Court of Justice of the European Union on the ‘right to be forgotten’, the answer to this question depends on where in the world we are.
Internet policymaking expert Roxana Radu takes a closer look at the implications of the Court's decision.
Today, the Court of Justice of the European Union (CJEU) ruled again on the ‘right to be forgotten’, a right it first established in 2014. As a continuation of the first ruling, the Court decided that de-referencing will only apply on EU territory. This long-awaited decision effectively allows Google, the dominant search engine operator, to continue to implement this as it was already doing. The CJEU established this right to be forgotten in the landmark ruling from 2014, when it created an obligation on search engine operators to de-index links present in search results containing an individual’s name under certain conditions: when it is so requested by the user and when the information was excessive, incomplete, inaccurate, or obsolete. Regardless of whether the information remained intact in the original source, Google was obliged to suppress links from the search results manually, after a balancing exercise of the right to privacy and of the right of the public to access the information concerned.
The CJEU ruling from 2014 offered little guidance on implementation, specifying only that there has to be a human review of the request, as opposed to an automated action. Under its own initiative, Google set up infrastructure and procedure to deal with de-referencing requests from data subjects, primarily consisting of a webform to be filled in by the complainant, supported by justifying documentation. As the court decision applied to European citizens only, Google decided to de-index links on European versions of the Google search, rather than searches performed on its global domains. By now, Google was asked to de-index more than 3.3 million links and approved 45 per cent of these requests. In practice, using IP address geolocation, searches on a person’s name within the EU might have certain URLs suppressed (a note at the bottom of the page would indicate so).
The ambiguities embedded in this course of action gave rise to additional questions, referred by the French Council of State to the CJEU back in 2017. By mentioning only ‘the list of results displayed following a search made on the basis of a person’s name’, the Court did not specify whether the suppression of links by the search engine operator has to be performed at a global, EU, or national level. The French inquiry pointed out that there were easy ways to circumvent the filtered list of results seen by European users and that being able to access that information outside of Europe resulted in an incomplete protection of a data subject’s right to privacy. The question of territorial enforcement of rules also brings into sharper focus the power of European authorities to set global rules for the Internet, amidst a heated debate around the use of anti-trust and privacy regulations to reign in the power of global technology giants.
Who decides what should remain in the public domain and what should be privately protected?
Today’s CJEU judgment acknowledges that many states around the world do not recognize the right to de-referencing and that the right to protection of personal data itself is not an absolute right: it requires balancing against other fundamental rights, according to the principle of proportionality. Here again, there is wide variation of freedom of information and privacy regulations around the world. Within the European Union itself, such a weighting may differ from member state to member state. Therefore, in the wording of the Court,
currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject […] to carry out such a de-referencing on all the versions of its search engine, but on the versions of that search engine corresponding to all the Member States.
The Court also notes that it ‘does not require, but does not prohibit’ the search engine operator from applying globally the suppression of URLs, opening the door for an alternative reality. While it is clear that Google prefers the differentiated treatment of personal information (full collection of links on its global version and filtered results on the European versions), other, smaller search engines operators might proceed differently. To envision a less dominant position of Google in the search engine market globally, we would need lower entry market barriers, including around the processing of de-referencing requests. Google itself offers no transparency over how it conducts the review of requests, how arguments are weighted, or who is involved in decision-making. Five years after it started implementing de-indexing on its European search results, the company has maintained opacity over the de-referencing infrastructure and personnel.
However, the CJEU ruling from today also empowers search engine operators to apply ‘measures which, while meeting the legal requirements, effectively prevent or, at the very least, seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subject’s name from gaining access, via the list of results displayed following that search, to the links which are the subject of that request’.
Down the line, this allows Google to move beyond its current role as the arbiter of the interests of the public vs the individual. It gives the company – as the dominant and richest market player – further authority to impose technical barriers to impede Europeans from reaching global Google search results. Geo-blocking technologies, already used by Google since 2016, will most likely be complemented by additional private monitoring of users’ activity in the near future, which the Court indirectly legitimized today. This will have long-term implications for furthering the delegation of public responsibilities to private companies in the implementation of fundamental rights, already underway as Google took on a quasi-legal decision-making role in applying the ‘right to be forgotten’.
A worldwide ‘right to be forgotten’?
Our online profiles matter more than ever for our reputation, for our credibility, for our next job. And so do the roles assigned to public and private actors in Europe, increasingly entangled in the digital world. Search engines play a key role in making information accessible to the world, but also in processing and ranking it. Whereas the EU’s General Data Protection Regulation that has been in force since May 2018 recognizes a ‘right to erasure’, the application of this and similar rights on global platforms raises new challenges, as the arguments put forward for de-referencing on a worldwide scale showed today.
It remains to be seen how countries outside the EU will approach the ‘right to be forgotten’, how much they will diverge from the European logic, and ultimately, whether globally enforceable Internet rules are possible in the near future. For the time being, the Court's latest decision is a timely reminder of the national and regional protections offered by our digital 'right to be forgotten'.
Roxana Radu is a Postdoctoral Researcher at the University of Oxford’s Centre for Socio-Legal Studies, working on Internet regulation, algorithms and knowledge production in the public sphere. She is the author of the book Negotiating Internet Governance (Oxford University Press 2019).