The most intriguing right that the General Data Protection Regulation (AVG or GDPR) introduced is without a doubt the “right to be forgotten”.
It is on the basis of this right that you, as a data processing company, may be asked to delete or personal data or ask a third party to have such data deleted anywhere on the internet. In theory, because in reality, search engines like Google are not very inclined to actually execute the flood of “unlinking requests” they receive. An apparently similar right requires Internet Service Providers to remove illegal content upon request.
Two recent judgments of the European Court of Justice deal with the question of whether or not and to what extent an unlinking request should be honoured by the Googles and Facebooks of this world.
We briefly discuss both judgments below. At first glance, they seem rather contradictory to each other, but that is just an impression. Read along …
Right to be forgotten
The right to be forgotten is the right to not only request the deletion of personal data by a company, government or organization, but to also ask at the sale time that the data controller asks everyone with whom he or she has shared the data to remove every link and to delete every copy or reproduction of that personal data.
Contrary to popular belief, the right to be forgotten is most certainly not absolute. In the first place, the controller can, in a whole series of cases, refuse to delete data. Moreover, the right to request removal from third parties (i.e. removal by Google or removal from social media) is in no way an obligation. The Belgian Data Protection Authority says to that effect on its website that the controller “has no obligation of result” and that the wording “the right to forgetfulness creates far too great expectations”.
Nevertheless, each of us has the basic right to request the deletion of our data, not only by a particular company, but in all places where that company has shared our data.
Practical difficulties and legal uncertainty
The right to be forgotten poses a lot of practical problems and questions. Two of them were recently solved by the European Court of Justice in two completely different legal questions, but both linked to the right to get data deleted from the internet and the right to see illegal content removed.
Google does not have to remove “outside EU” search results
In a first case, the ECJ decided at the end of September that Google is not obliged to remove links on all versions of its search engine worldwide, but only on those versions of its search engines that target the EU Member State. Google was summoned in this case by the French Data Protection Authority CNIL, which demanded that Google delete certain data worldwide, something that Google had refused.
Google was in other words confirmed in its reasoning by the European Court of Justice: Google does not have to delete data outside the EU. As a result, information that can no longer be found via Google.be can still be found online for those who search through Google.com (and keep their location data hidden from Google).
This decision erodes to a large extent the entire right to be forgotten, of course. Permanent removal of data on the internet has become a utopia in so far as this is not the case anyway …
But Facebook must intervene worldwide
Barely a week later, on October 3, 2019, that same European Court ruled that Facebook, as a so-called Internet Service Provider, may be required by a national court to remove defamatory content worldwide (at least to the extent that the law of the countries concerned would to allow).
Isn’t that the exactly opposite decision?
Well, at first glance, yes, but there is logic behind these seemingly contradictory decisions.
Both decisions concern disputes about different legislation. The Google case was about the right to be forgotten under GDPR and the European Court of Justice found that GDPR can only be enforced within the EU (or better the EEA, including Norway, Liechtenstein and Andorra), while the Facebook case concerned the application of the Electronic Commerce Directive, which was previously included in Belgium in the Electronic Commerce Act and nowadays in Book XII of the Economic Law Code. This law regulates the question whether an Internet Service Provider can be obliged to block illegal content (in this case defamatory content) worldwide. After all, the Electronic Commerce Directive contains an obligation for such ISPs to remove or block illegal content, and the ECJ judges that a national court can perfectly judge that Facebook must do everything it can to also remove such illegal content outside the EU.
What does that mean in practice?
At first glance both decisions are contradictory, but that is only an impression.
The precise consequence of both judgments is that the removal of personal data under the GDPR’s right to be forgotten is not worldwide, but as soon as there is illegal content involved (defamation in the case of this Facebook judgment, but also fraud, child pornography or, counterfeiting to name but a few), a national court can impose worldwide measures on an Internet Service Provider.
The latter does not automatically mean that the content will disappear worldwide. After all, when executing a removal order in foreign countries, a lot depends on local legislation.
In other words: a data subject can request the removal of his or her data from the search results within the EEA. Whoever wants to see data deleted outside of that can only do so when it comes to illegal (criminal) content.