What is the ‘Right to be Forgotten’?
The ‘right to be forgotten’ stems from the 2014 decision in the landmark ‘Google Spain’ case. This case found that European Union (EU) citizens have the right to demand data about them be deleted from a search engine if, among other grounds, consent to hold the data has been revoked and the data is no longer required. This right was enshrined into article 17 of the General Data Protection Regulation (GDPR) entitled the ‘right to erasure’.
The 2019 decision
After the 2014 decision, Google introduced a geo-blocking feature preventing users within the EU from viewing de-referenced links in accordance with the right to erasure, however, this allowed users on other versions of the platform outside the EU to view the de-referenced links.
In 2015 CNIL, a French privacy regulator served a notice ordering Google to apply the right to be forgotten onto all versions of its platform. The 2019 case of Google Inc v CNIL is the result of Google challenging this notice. CNIL argued that Google was in breach of the right to erasure by permitting users outside the EU to view the de-referenced links.
The European Court of Justice’s decision in Google Inc v CNIL determined that there is a territorial limitation to the ‘right to be forgotten’. Upon a successful request for removal of a web link from an applicant in the EU, search engines are only required to remove de-referenced web links from view of those within the EU and are not required to remove the links from access globally.
The 2019 decision brings up two points, the territorial restrictions of the ‘right to be forgotten’ and the specific considerations for the exercise of this right.
The European Court of Justice deemed that there is currently no obligation for search engine operators to enact approved requests of de-referenced web links on all versions of the search engine. Although it appears that this case has seemingly curbed the extraterritorial application of the ‘right to be forgotten’, the court stated that although current EU law does not require the de-referencing to apply to all versions of a search engine, this practice may not be prohibited.
The ‘right to be forgotten’ doctrine does not exist in Australia, instead privacy laws are governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APP), which provide some protection to have personal information corrected per APP 12 and 13. The Australian Law Reform Commission previously entertained the idea of the right to be forgotten, calling for feedback on a proposal in 2014 for Australia to adopt a similar version, this proposal was ultimately dropped.