On Tuesday, September 24, 2019, the European Court of Justice issued two rulings that further defined the right to be forgotten under European laws. The right to be forgotten, also known as the right to erasure, is a fundamental tenant of the General Data Protection Regulation (GDPR). The right allows, among other things, consumers to object to the processing of their data and request erasure. Both cases decided on Tuesday involved Google, which has reportedly received requests to remove more than 3 million links pursuant to this right.
The first case decided on Tuesday arose in 2016 after France’s privacy watchdog CNIL fined Google for refusing to de-list links globally upon request. As a policy, Google only deletes links within the European Union, stating that most searches occur on country-specific sites such as Google.fr. Google and its supporters argued that individuals should not be able to determine what information appears about them in other countries. The European Court of Justice agreed with Google, finding that the right to be forgotten cannot be enforced outside of the European Union.
In the second ruling of the day, the Court found that certain categories of data deserve special consideration from businesses when they receive a right to be forgotten request. The case was brought by individuals whose requests to remove links were denied by Google. The Court gave a mixed ruling, acknowledging that privacy considerations must be weighed against the public’s right to know, but stating that businesses should give careful consideration to requests to remove certain categories. These categories include, for example, religion, political belief, sex life and past criminal convictions. It is not yet clear how Google and other businesses will interpret and implement this decision.
These cases are a notable development in defining the broad rights given to European data subjects. In each case, the Court must balance individual privacy rights with the public’s right to information. While the privacy laws are different in the United States, some of these GDPR interpretations may well serve as examples for how practitioners will evaluate and apply analogous provisions under the California’s Consumer Privacy Act (CCPA) and other U.S. privacy laws.