Click here to listen to the audio.

California Consumer Privacy Act (CCPA) and the so-called European "right to be forgotten" are hot topics as summer turns to autumn.

Is the CCPA Tough Enough?

With the CCPA coming into effect on January 1, amendments to modify it abound in the legislature. Stay tuned for a final Act! Even so, the driving force behind the Act’s passage, Alistair Mactaggart, is not trusting the legislature. He’s floated a ballot initiative to strengthen data privacy, with a focus on sensitive personal information. Watch for voters to decide if the final version of the Act is privacy-tough-enough, as they will most likely decide directly what California’s law will be in 2020 at the same time they vote on America’s president.

The EU’s "Right to be Forgotten"

Media announced a victory for Google from the European Court of Justice, with headlines saying something like this – the "right to be forgotten" under GDPR cannot be enforced outside the European Union and its 28 (soon to be 27?) countries. That’s a shallow analysis. The ECJ’s September 24 ruling was on Google’s request for a preliminary ruling on appeal from the French Government’s 2014 order that Google delink globally its search engine from sites containing embarrassing or out of date information. The ECJ held that Google, and so search engines generally, should enforce the so-called “right to be forgotten” about EU residents only with the EU, so that global search engines like Google may continue to link to sites outside the EU. But the Court’s direction goes further, saying that search engines must “seriously discourage” internet users from going onto a non-EU version to find the information required to be delinked within the EU. Since the 2014 ECJ decision against Google that forced it to delink sites at a Spanish resident’s request, Google received about 850,000 requests, resulting in 45% of 3.3 million links being deactivated within the EU. Those links can now be safely shown to users outside the EU, but Google will need to define what it means to “seriously discourage” users from going to non-EU sources for such sites.

Consider what happened to an Italian media site that carried police reports – a now dead site called PrimaDaNoi. For thirteen years it lasted but fell victim to the complaint of an Italian restaurant owner who stabbed his brother in a 2008 brawl but was not convicted of a crime. He demanded that the website remove its story about the incident. An Italian judge agreed the information was stale and not in the public interest and awarded 10,000 Euros from damage to the individual’s reputation and restaurant business. The website shut down in 2018, but the owner continues to appeal the Italian ruling in the European Court of Human Rights. His protest? How can government order a business to remove truthful information gained from a police report? How to balance freedom of the press with individual privacy seems a task now for courts and a risk for all website and media businesses.