The right to be forgotten is a relatively recent development in data protection and privacy law. In 2014, the Court of Justice of the European Union (‘CJEU’) ruled that search engine operators are obliged to remove links to search results against a person’s name, if those results are ‘inadequate, irrelevant, or excessive’ in relation to the initial purposes of publication.^[1]

Search engines were found to essentially be the dominant gatekeepers of information, with the ability to significantly increase the exposure of a person beyond that which individual websites publishing the information could do. For this reason, the court concluded that search engines can significantly affect the fundamental rights to privacy and to data protection that is enshrined in the Charter of Fundamental Rights of the European Union (‘the Charter’). 

This seminal judgment, which I will refer to in this article as ‘Google Spain’, led to an extraordinary change: individuals could apply to search engine operators to have listing results removed. A month after the ruling some 100,000 delisting requests were made; to date, Google has received almost one million requests to delist almost four million links.^[2]

The right to be forgotten has been further entrenched by the General Data Protection Regulation (EU) 2016/679 (‘GDPR’), which now includes a separate right to erasure in Article 17. It is important to note that the right to be forgotten in fact encompasses the right to erasure and the right to delisting. The former applies to any controller of personal data, to whom an erasure request may be made under certain circumstances. This is not limited to search engine operators. Individuals can request that any organisation – and in certain circumstances individuals – erase their personal data. The right to delisting applies to search engine operators, who are unable to delete the information itself, but can ensure that the source does not appear in its search engine’s results when the person’s name is entered.

After the Google Spain ruling there were a number of important further decisions in the CJEU that clarified the application of the right to be forgotten. The first was GC and Others v Commission nationale de l’informatique et des libertés (‘CNIL’) C-136/17, which considered the lawfulness of processing of sensitive data by a search engine operator.The second was Google LLC v CNIL C-507/17, which determined the territorial scope of the right to be forgotten. These rulings established:

• Search engine operators, once they receive a delisting request of sensitive (or GDPR ‘special category’) data, must assess whether or not the continued availability via a search engine is strictly necessary for the right of freedom of information under Article 11 of the Charter; and,
• The right to be forgotten does not go beyond the borders of the European Union. Google is not obliged, once it receives a valid request to delist a result from one of its European domain extensions (e.g. .co.uk. or .fr), to extend the removal to non-European domains such as google.com in the United States.

The majority of cases that have come to the national courts, or brought to a national supervisory authority, have involved the removal of information about past criminal convictions. In M.L. and W.W. v Germany [2018] ECHR 554, the European Court of Human Rights (‘ECtHR’) considered the question of whether or not the refusal of a media organisation to anonymise archived online material was a violation of Article 8 of the European Convention on Human Rights (‘the Convention’). 

In 1993, the applicants had been convicted of murdering a well-known actor. In 2007, as their release from prison approached, they made requests to several media organisations to anonymise archived material about their trial; the organisations refused. The ECtHR was of the view that the naming of the applicants in the articles was relevant for the credibility of the publications, and that the digital archiving of reports was an important ancillary function of the press. The court also noted that the applicants had  recently attempted to have their trial reviewed, bringing themselves back into the public’s attention. Accordingly, there had been no violation of Article 8 of the Convention.

In the United Kingdom, the High Court case NT1 & NT2 v Google LLC^[3] involved two individuals who wanted links to newspaper articles and other references to their convictions delisted from Google’s search engine results against their names. Mr Justice Warby (as he was then) considered: whether or not the fact that their convictions were ‘spent’ for the purposes of the Rehabilitation of Offenders Act 1974 was relevant, their role in public life and if the journalism exemption applied to Google. I have previously written a summary of this case on my blog, available here.

Aside from criminal convictions, other issues have also arisen. Most recently, in Germany, a right to be forgotten case reached its highest court. A managing director of a welfare organization asked Google to remove links to news articles published in 2011. These reported that he had taken sick leave just before it was discovered that the organisation was in serious financial trouble. Germany’s Federal Court of Justice upheld Google’s refusal to delist the articles deciding that the rights of Google, internet users, the public and the press outweighed the individual’s privacy and data protection rights.^[4]

A second delisting case in Germany was referred to the CJEU.^[5] Two individuals responsible for a financial services company wanted Google to remove links to several negative reports about their investment model. The reports were written by a company in the US whose stated aim is to contribute to fraud prevention by promoting transparency. The individuals claim however that the US company is blackmailing companies such as theirs, by publishing false negative reports, and then offering to delete them for payment. The Federal Court of Justice suspended the proceedings and referred questions to the CJEU:

• to what extent should the clarification of the truth of information made public by the original publisher be explored; and 
• are photos that appear in thumbnails in a search result against a person’s name, even if the context of the link between the publisher and the person in the photo is not revealed, within the scope of Article 17.

In July, Belgium’s data protection authority (‘DPA’) fined Google €600,000 for not complying with a valid right to be forgotten request.^[6] Google had refused to delist articles that associated an individual with a political party, and those that mentioned a harassment complaint. The DPA found that the articles about his political association were still relevant. However, it concluded that Google should have removed links referring to the harassment complaint as soon as it had received evidence from him that a decade ago the complaint had been declared unfounded. Google’s delisting form was also criticized, and the company was ordered to revise it to clarify which entity is the relevant data controller.

Whilst to date cases have been dominated by delisting requests, Article 17 of the GDPR also enables individuals to request erasure of their personal data. In June, a company in Denmark was criticized by the DPA for failing to delete photos and video footage of a former employee from its promotional materials. The company had obtained consent from the individual during his employment, but after he had left, he requested that the images were deleted. Three months passed, but the company still had not done so. The DPA found that it had failed to delete his personal data ‘without undue delay’ as is required under Article 17(1) of the GDPR.^[7]

I have recently written a guide on the right to be forgotten, which covers the conditions for making or refusing a right to be forgotten request, a review of important case law, and other issues. It is available from Amazon here.

If you are interested in any further information or advice, please contact my clerks on 020 3179 2023 or privacylawbarrister@proton.me

---

^[1] Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, Court of Justice (Grand Chamber), Case C-131/12, 13 May 2014.

^[2] Google Transparency report, available here: https://transparencyreport.google.com/eu-privacy/overview?hl=en_GB

^[3] NT1 & NT2 v Google LLC (the Information Commissioner intervening) [2018] EWHC 799 (QB).

^[4] Decision VI ZR 405/18 of July 27, 2020, available here: https://www.bundesgerichtshof.de/SharedDocs/Pressemitteilungen/DE/2020/2020095.html;jsessionid=B28DB86150C3A99936E82DDD3E391ABA.2_cid368?nn=10690868

^[5] Decision VI ZR 476/18 of July 27. Ibid footnote 4.

^[6] https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-37-2020.pdf

^[7] Datilsynet press release, 12 June 2020, available here: https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2020/jun/ny-afgoerelse-klage-over-manglende-sletning