The right of the data subject to have his or her data erased (or in other words the right to be forgotten) is one which every EU citizen already has by virtue of the Data Protection Directive (95/46/EC.) This right will only be further strengthened by the enforcement of the upcoming General Data Protection Regulation (GDPR).
Data Subjects (being the subjects of the personal data) can instruct Data Controllers’ (the entity that determines the purposes for which and the manner in which any personal data are, or are to be, processed) to remove their data in specified situations.
Such entities include online search engines. In the case of Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, Case C-131/12, Google had refused to remove web links to a newspaper whose web pages had contained a Spanish national’s personal details.
The ECJ considered various factors such as; The sensitivity of the information, the nature of the information and the interest of the public in having that information. Ultimately, they found that Google was a Data Controller for the purposes of the Directive. This conclusion arose because of its search functions. Google retrieves, records and organises personal data which it then stores and discloses to users through its search lists.
It was found that when data became inadequate or irrelevant even when it was published legitimately, individuals still had the right to request the search engine provider not to make data searchable by name.
The French data protection regulators, Commission Nationale de l’Informatique et des Libertes (CNIL) has taken this one step further. It found that despite Google’s effort comply by delisting search results across all its websites including Google.com; when accessed from the country which the request had originated, was insufficient.
The right to privacy could not depend on the, “geographic origin of those viewing the search results”. Therefore, a request to remove data in such situations requires removal to all links being removed, from all websites, globally.
This will of course become even more interesting to see what happens once the GDPR is formally introduced subject to whatever happens with Brexit moving forwards.
Please contact us for further assistance in any aspect of your data protection matters.