The European Court of Justice has ruled that Google doesn’t have to apply the right to be forgotten globally.
The right, which was enshrined in EU law in 2014, allows data subjects to request that organisations delete personal data related to them if it’s no longer accurate or relevant.
A year after the right took effect, France’s data protection regulator, the CNIL (Commission nationale de l’informatique et des libertés), ordered Google to comply with individuals’ requests to remove certain search listings.
Google responded by blocking the search results from EU residents, but it refused to delete them outright. The EU’s top court ultimately agreed that the tech giant had no obligation to comply, as the right only applies in the EU.
Google initially sought to comply with the CNIL’s request by introducing a geo-blocking feature that prevents European users from viewing delisted sites.
The technology is designed to hide search results that contain sensitive personal information that the individual doesn’t want publicly known, like an ill-advised tweet or a criminal conviction.
Google has used geo-blocking extensively in response to individuals exercising their right to be forgotten. It says it has received more than 845,000 requests to remove search results, and found that almost half met the necessary criteria to be delisted.
This includes removing the results from its European sites, such as google.co.uk, as well as from google.com if it detects that the search is being carried out from within the EU.
However, Google was unwilling to go beyond geo-blocking and delete the information outright, claiming that the law didn’t apply to its users outside the EU.
It also refused to pay a €100,000 (about £89,000) fine that the CNIL had tried to levy, a decision that was justified by the court ruling.
“Since 2014, we’ve worked hard to implement the right to be forgotten in Europe, and to strike a sensible balance between people’s rights of access to information and privacy,” Google said in a statement following the ruling.
“It’s good to see that the court agreed with our arguments.”
A data privacy precedent
There has been global interest in the European Court of Justice’s ruling, as it has huge ramifications for the way search engines respond to requests to delete personal data.
Had the decision gone the other way, it could have been viewed as an attempt by the EU to police the way organisations outside the Union handle personal data.
Instead, it sets a precedent for the application of the right to be forgotten outside the EU.
“Currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject […] to carry out such a de-referencing on all the versions of its search engine,” the European Court of Justice ruling said.
The court issued another ruling, stating that links that relate to an individual’s sex life or criminal conviction don’t automatically need to be deleted upon request, as the information might still be considered relevant.
However, it did concede that organisations should be careful when processing this information and that pages containing such information should fall down the list of search results over time.