In the recent case of Google v CNIL (C-507/17) the European Court of Justice (ECJ) has sided with Google, by confirming the “right to be forgotten” only requires Google to delete a relevant user’s personal data on European Union (EU) versions of Google’s search engine. Although the decision was made in the search engine context, it will apply more generally in the employer-employee relationship.
Good news then for employers and operators of online services. Less good news though for individuals, as curtailing the territorial scope of the erasure right will inevitably make it more challenging to manage online reputations and other personal information globally (outside the EU). Given the global scope and reach of the internet, does it make sense to find the relevant data is still available outside the EU, even though the same data has been removed in the EU following a successful personal data erasure right request? The mind boggles.
In this article, I’ll try to unscramble the recent ECJ decision and consider the impact on employers.
The right to be forgotten
Employees have a wide range of data protection rights. One of these is the (qualified) right to be forgotten, which is now codified in Article 17 of the General Data Protection Regulation (GDPR). This right is often misunderstood. Employees have the right to require an organisation that holds their personal data to delete data, without undue delay, where its retention no longer complies with GDPR requirements (for example, the data is no longer required for the purpose for which it was collected or processed).
This is a qualified right, as exceptions apply if the processing is deemed necessary for exercise of the freedom of expression, compliance with a legal obligation, public interest or the establishment or defence of legal claims.
In 2014, the ECJ ruled (in the “Google Spain” case) that Google was required to delete personal data it held relating to a Spanish individual, who had made a request to Google to “be forgotten”.
In response to Google Spain, Google began de-referencing the links to third-party websites (i.e. the relevant search results) containing this particular user’s personal data. However, it only did this on its EU domains and not across all the worldwide versions of the Google search engine.
The French data protection authority, the CNIL, disagreed with this EU-based approach and instead held that Google should in fact de-reference the search results of all of its domains globally. Consequently, the CNIL fined Google 100,000 Euro for this breach. Google disputed the fine in a French court. The French court then asked the ECJ for a preliminary ruling to clarify whether the de-referencing in question is required at a national, European or worldwide level.
The ECJ agreed with Google that in this context, Google was only required to de-reference all of its EU Member State domains. The decision made clear that the GDPR was not intended for the right to be forgotten to apply globally. The ECJ emphasised that whilst the GDPR is intended to provide rights to protect personal data throughout the EU, this is by no means unqualified and should be balanced against other fundamental rights, such as the freedom of expression and information.
Whilst this might be good news for global employers and indeed corporates more generally, it doesn’t quite end there. The ECJ also acknowledged that although the EU does not strictly require global de-referencing, it equally does not prohibit it. In practice, this means that while Member States are free to balance individual rights and the freedom of expression and information, a local supervisory authority or court may come to its own conclusion on de-referencing and whether it has an EU or global impact. This balancing exercise is likely to vary significantly around the world – indeed many countries outside the EU do not have an equivalent right to personal data erasure or approach it differently.
In addition, the ECJ made it clear that data protection rules also require Member States generally to have sufficiently effective measures to ensure data subjects’ privacy. As such, whilst global de-referencing is not required, Google should implement measures that effectively prevent an internet user accessing search results using a version of Google based outside the EU.
Impact of decision on employers
The right to be forgotten is perhaps not exercised by employees as often as their numerous other data rights. Nevertheless, this has not and will not stop employees making such a request if there is a difficult employer-employee relationship; as a precursor to litigation; as part of settlement strategy or even if, as a former employee, they want to sever all ties with their former employer. In such circumstances it’s all the more important for employers to be aware of what qualifies as a valid request to be forgotten (or not, as the case may be).
In any event, and regardless of whether an employee has made a request to be forgotten, as an employer you should regularly take stock of the employee data you hold. Ensure you comply with the GDPR requirement that data should not be kept longer than is absolutely necessary, by deleting data which is no longer required for the purpose for which it was originally processed.