Protecting the Right to be Forgotten
Final paper for Technology and Law, CUNY School of Law, Spring 2023

Europe

In the preceding section we noted that the right to privacy and the right to be forgotten are distinct but overlap. Because both rights share foundational values of personal autonomy and freedom, in this section we will briefly discuss European privacy law and then look at how the right to be forgotten grew from that.

Privacy regulation in Continental Europe is derived from 17th and 18th century laws of honor and insult, originally settled by dueling, writes Yale Law Professor James Q Whitman.1 In “The Two Western Cultures of Privacy: Dignity Versus Liberty,” Whitman characterizes European privacy law as an aspect of dignity, where its two fundamental values are honor and respect.2 In the 20th century, European privacy law was further shaped by the horrors of World War II and the Stalinist Era, notes Center for Democracy and Technology Fellow Omer Tene.3 Today, despite and because of Europe’s history of government intrusion, many residents of Europe rely on regulatory protection of their privacy rights.


European Convention on Human Rights

Article 8 of the European Convention on Human Rights (ECHR) (“Right to respect for private and family life”) provides that “(1) Everyone has the right to respect for his private and family life, his home and his correspondence.”4 The ECHR was signed in 1950, not long after the end of World War II, and enacted in 1953.


European Union Data Protection Directive

In 1995, the European Union (EU) enacted the Data Protection Directive (Directive), which regulated the processing of personal data within the EU and the free movement of such data.5 The Directive, which was replaced by the GDPR, broadly defines personal data as “any information relating to an identified or identifiable natural person.” In addition to a person’s address, credit card number, bank statements, and other personal information, in the EU “personal data” includes a person’s criminal record. The Directive defines “processing” as “any operation or set of operations […] performed upon personal data.” The Directive’s premise was that personal data should not be processed at all unless it was processed for a legitimate purpose. The responsibility for compliance rested on the data controller. The Directive, however, was written before the expansion of the internet, and by the turn of the 21st century it was clear that new legislation was needed. Before it was fully drafted, a ruling in a lawsuit brought before the Spanish Supreme Court created case law that established the right to have a data controller erase personal information under certain circumstances, and influenced how the right to be forgotten came to be codified in European law.


Google Spain v AEPD and Mario Costeja González (2014)

In 2014, the Court of Justice of the European Union (CJEU) ruled that an internet search engine operator is responsible for the processing of personal information on web pages published by third parties and, under certain circumstances, must remove that information upon request.

The case that led to this ruling was Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González, which started in 1998 with a government-ordered publication, in the Spanish newspaper La Vanguardia, of public information about an auction. The announcement was a Boletín Oficial del Estado (official state bulletin) announcement informing the public that a property belonging to Mario Costeja González was going up for forced sale arising from social security debts. The announcement was published on the order of the Spanish Ministry of Labour and Social Affairs and its purpose was to attract bidders to the auction, as prescribed by law. Eleven years later, in 2009, Costeja contacted La Vanguardia to complain that the announcement about the property sale and social security debt still came up in internet searches, and asked that the information be removed. La Vanguardia replied that it could not erase his data because it was an official announcement. Costeja then asked Google Spain to remove links to the announcements. Google Spain forwarded Costeja’s request to Google Inc., registered in California. Google Inc. did nothing. Costeja filed a complaint with the Agencia Española de Protección de Datos (Spanish data protection agency) (AEPD). The AEPD rejected the complaint against La Vanguardia but upheld the complaint against Google Spain and Google Inc. pursuant to the Directive.

Google Spain and Google Inc. appealed before the Audiencia Nacional (National High Court of Spain), arguing that (1) Google Inc. was outside the scope of the Directive and its subsidiary Google Spain was not responsible for the search engine; (2) there was no processing of personal data within the search function; (3) even if there were processing, neither Google Inc. nor Google Spain was a data controller; and (4) in any event, the data subject (Costeja) did not have the right to have lawfully published material erased. The Audiencia Nacional referred the case to the CJEU. Because new points of law were involved, the CJEU sought the opinion of an Advocate General. Advocate General Niilo Jääskinen from Finland delivered his non-binding opinion in 2013, finding that (1) Google Inc. and Google Spain were within the scope of the Directive; (2) Google was not a data controller because processing was carried out in a haphazard, indiscriminate and random way; and (3) the rights of freedom of information and expression took precedence over the right to erasure. The Advocate General urged the court not to allow case-by-case resolution of this kind of conflict as these could lead to the “automatic withdrawal of links to any objected contents or to an unmanageable number of requests handled by the most popular and important Internet search engine service providers.”6

On May 13, 2014, the CJEU ruled that an internet search engine operator is responsible for the processing that it carries out of personal data which appear on web pages published by third parties, upholding a right of erasure. The court found that Google was a data controller within the scope of the Directive (the court adopted a literal interpretation of the Directive’s definition of “processing” as “any operation or set of operations […] performed upon personal data”). Regarding the territorial scope of the Directive, the court observed that Google Spain is a subsidiary of Google Inc. on Spanish territory and, therefore, an “establishment” within the meaning of the Directive. The court rejected Google Inc.’s argument that it was not processing data in Spain, because the promotion and sale of advertising space by its subsidiary Google Spain was processing within the meaning of the Directive. The court thus endorsed the Advocate General’s view that Google Inc. and Google Spain should be treated as a single economic unit.

The CJEU took into account Costeja’s right to privacy deriving from articles 7 and 8 of the Charter of Fundamental Rights of the European Union (CFR).6  The court further ruled that the Directive allows the data subject to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation.  The court found that Article 12(b) of the Directive, relating to the data subject’s right of access to the data, allows the data subject to request erasure of data which “appear to be inadequate, irrelevant or no longer relevant or excessive in the light of the time that had elapsed.”7 The data does not have to be inaccurate and it is not necessary that the information be prejudicial to the data subject. The court ruled that a data subject’s rights must in general override “not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject’s name.”8 If the data subject were a public figure, the public interest may outweigh the individual right.

Google removed the links to the newspaper article about Costeja and created an online form which can be used by EU residents to request the removal of links. As Jääskinen feared, Google was immediately swamped. On the first day of the link removal service, it received over 12,000 requests from people asking Google to remove links about them from its search results.9


General Data Protection Regulation (GDPR) Article 17 Right to erasure (‘right to be forgotten’)

The General Data Protection Regulation (GDPR) went into effect on May 25th, 2018. In Article 17 of the GDPR, the right to be forgotten is not actually called the right to be forgotten. It’s called the “right to erasure (‘right to be forgotten’).” (sic) Article 17(1) provides that “[t]he data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where […] (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based10 […] (c) the data subject objects to the processing pursuant to Article 21(1)11 and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2)12; (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; [and] (f) the personal data have been collected [from data subjects under 16 years old without parental consent as] referred to in Article 8(1).13” Article 17(2) provides that if the controller made the personal data public, they are obliged to take reasonable steps to inform controllers which are processing the personal data that the data subject has requested erasure.

There are some exceptions. Article 17(3) provides that data subjects do not have a right to erasure if processing is necessary (a) for exercising the right of freedom of expression and information; (b) for compliance with a legal obligation which requires processing; (c) for reasons of public interest in the area of public health; (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1)14 if erasing the data subject’s data renders impossible or seriously impairs the achievement of the objectives of that processing; or (e) for the establishment, exercise or defense of legal claims.

This is very solid law. With the GDPR, Europe has positioned itself in a better place than most countries to respond to advances in digital technologies by increasing protections of individual rights. While not all Europeans are happy with the law (my mother-in-law complains that she can’t find anything out about anyone anymore), residents of Europe, including many residents of Europe who were formerly convicted of crimes, are protected from the loss of autonomy that comes from a lack of control over personal data and related harms. On the other side of the spectrum, companies that want to earn money buying and selling data are not happy, and the press push back a lot. Proponents of the right want to expand protections even more. For example, the Digital Services Act (DSA) (2022)15 is a new set of regulations that require data processors to share a lot of data with regulators, including information about their algorithms. Germany’s Network Enforcement Act (NetzDG) (2017)16 requires social media companies to remove illegal content within a certain timeframe, including content that promotes hate speech, terrorism, or other harmful behavior.


Google LLC v. CNIL (2019)

In Google LLC v. CNIL17 the CJEU held that EU law does not require a search engine to de-list search results on all of its domains. However, a search engine is required to de-list search results on domains for all EU member states if ordered to de-list search results in one or more than one EU member state. In Google LLC v. CNIL, the President of the Commission nationale de l’informatique et des libertés (CNIL), the French data protection authority, served formal notice on Google that, when honoring a request to de-list search results, the company must apply the removal globally, rather than just to the domain of the requester’s residence. Google refused, and limited removal only to the EU Member States. Although the Court found that EU law does not require de-listing on all of a search engine’s domains, it left open the possibility for Member States to order global removal.18



Footnotes

  1. Whitman, James Q. “The Two Western Cultures of Privacy: Dignity Versus Liberty.” Yale Law Journal, vol. 113, no. 6, April 2004, privacy.comparativelaw.yale.edu/article/two-western-cultures-privacy-dignity-versus-liberty. Accessed 14 May 2023. Yale law school research paper available at SSRN: https://ssrn.com/abstract=476041 or http://dx.doi.org/10.2139/ssrn.476041

  2. Id.

  3. Tene, Edward. “Privacy in Europe and the United States: I Know It When I See It.” Center for Democracy and Technology, 27 June 2011, cdt.org/insights/privacy-in-europe-and-the-united-states-i-know-it-when-i-see-it/. Accessed 14 May 2023.

  4. Council of Europe. “European Convention on Human Rights - Article 8: Right to respect for private and family life.” Council of Europe, www.coe.int/en/web/human-rights-convention/private-life. Accessed 14 May 2023.

  5. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. No longer in force, Date of end of validity: 24/05/2018; Repealed by 32016R0679. Latest consolidated version: 20/11/2003. eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L0046. Accessed 14 May 2023.

  6. Article 7 of the CFR (“Respect for private and family life”) provides that “[e]veryone has the right to respect for his or her private and family life, home and communications.” Article 8 (“Protection of personal data”) provides that (1) “[e]veryone has the right to the protection of personal data concerning him or her”; and (2) “[s]uch data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.” The CFR, which enshrines political, social, and economic rights for EU citizens and residents into EU law, was drafted and proclaimed in 2000 and came to have full legal effect in 2009. Charter of Fundamental Rights of the European Union 2012/C 326/02. Official Journal of the European Union C 326/391. eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT. Accessed 14 May 2023.

  7. “Judgment of the Court in Case C‑131/12 (Costeja)”. CJEU. curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631. Accessed 15 May 2023.

  8. Id.

  9. Google form to remove data under GDPR (Google doesn’t make it easy and this is a big problem if you think of digital literacy learning curves): support.google.com/legal/troubleshooter/1114905?rd=1&sjid=5700060935764874949-NA#ts=1115655

  10. Article 6(1)(a) of the GDPR provides that “[data] processing shall be lawful only if […] the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” Article 9 of the GDPR prohibits “processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation” unless “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to [above] may not be lifted by the data subject.”

  11. Article 21(1) gives data subjects the right to object to processing of personal data concerning him or her which is based on point (e) (public interest) or (f) (legitimate interest) of Article 6(1), including profiling.

  12. Article 21(2) gives data subjects the right to object to processing of personal data for “direct marketing purposes, […] which includes profiling to the extent that it is related to such direct marketing.”

  13. Article 8(1) provides that it is unlawful to provide personal data of persons under 16 without parental consent.

  14. Article 89(1) puts the burden on the processor, providing that if “processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes […] can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.”

  15. Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (Text with EEA relevance). PE/30/2022/REV/1. OJ L 277, 27.10.2022, p. 1–102 (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV). In force. ELI: http://data.europa.eu/eli/reg/2022/2065/oj

  16. Network Enforcement Act (Netzwerkdurchsetzungsgesetz, NetzDG). German Law Archive. germanlawarchive.iuscomp.org/?p=1245. Accessed 17 May 2023.

  17. C‑507/17, Google LLC v. CNIL, 2019 EUR-Lex CELEX No. 62017CJ0507 (Sept. 24, 2019). Curia, 2019, curia.europa.eu/juris/document/document.jsf?docid=218222&doclang=EN. Accessed 17 May 2023.

  18. Wong, Serena. Ed. Chris Murray. “Google v. CNIL: EU Rules that Right to be Forgotten Does Not Apply Globally.” Jolt Digest, 17 Oct. 2019, jolt.law.harvard.edu/digest/google-v-cnil-eu-rules-that-right-to-be-forgotten-does-not-apply-globally. Accessed 17 May 2023.