Please forget me!
EU-US parallelism on the right to be forgotten
20 March 2020
Is there anything which the Americans envy the Europeans about the Internet? The answer would seem 'yes' when it comes to the right to be forgotten, a right that is afforded in the EU under Article 17 of the GDPR and that was substantiated in a famous 2014 ruling of the European Court of Justice (Case C‑131/12, so-called 'Google Spain'), which opened a new era in the relationship between individuals and search engines – above all, Google – which are compelled to remove links to data that is now outdated, incorrect or irrelevant but which, if not removed, would negatively affect a data subject's online reputation. A practice that has yet to take root in its fullness and that has yet to be perfected, but which does exist.
The right to be forgotten applies to EU domain names only, EU Court of Justice says
After the European Court of Justice, in 2014, ruled that Google, at the request of its users, is obliged to deindex and delete content that has become obsolete or harmful to the privacy or reputation of an individual, now the same Court (case C-507/17) lays down another important principle: the search engine's obligation is limited to European domains only (so google.it, google.de, google.fr, google.es, google.uk, etc.). Google.com, on the contrary, is not subject to that duty, because it is a U.S. domain, so that the Court of Justice lacks jurisdiction.
In a (borderless) world that is structurally interconnected in the form of a (digital) network, a reference to territorial barriers may appear rather anachronistic, and the goals pursued by the GDPR would seem to be cut short, if it was not for the fact that we are starting to see episodes that raise hopes for something more, as follows.
The Italian Data Protection Authority's first attempt to widen the scope of a deindexation order to all domains of a search engine, irrespective of jurisdiction
In December 2017 the Italian Data Protection Authority ordered Google to deindex the URLs regarding an Italian citizen from all search results, both in the European and non-European versions of the search engine.
The concerned person (an Italian residing in the United States) had applied for the de-indexing of several European and non-European URLs referencing anonymous messages or short articles (published on forums or amateur sites) that he considered to be seriously offensive to his reputation, on grounds that these writings even reported false information about his health and about alleged offences he would have perpetrated in his capacity as a university professor but for which he had never been investigated or charged.
For the first time, a national administrative authority orders a search engine to enforce the data subject's right to be forgotten in all versions (including non-EU domains) of the search engine.
In deciding in favour of deindexing, the Data Protection Authority considered that the 'continuing availability' on the web of incorrect and inaccurate content had a 'disproportionately negative impact' on the applicant's privacy.
The decision to apply the deindexing order would appear an attempt to help a data subject to enjoy an effective enforcement of his right to be forgotten (as opposed to a more formalistic approach taken by the Court of Justice), however the Italian approach may pose enforcement issues, should the search engine refuse to comply with a EU order to deindex non-EU domains.
As things currently stand, the debate on how to ensure protection of Article 17 of the GDPR is far from being closed, and we may expect more to come, especially considering that the EU consultation on the draft Guidelines on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1) came to a close in February 2020 with many stakeholders (including Google, which reported to have managed more than 900k deindexation applications over the past five years) having their say on the grounds subject to which the right should be granted.
The right to be forgotten in the U.S.
While the EU is at a stage where authorities and stakeholders try to fine tune the scope of application of the right to be forgotten, on the other side of the Atlantic this right is only beginning to be developed.
Until very recently, the U.S. had no law providing for an American equivalent to the GDPR's right to be forgotten. The closest the country had to providing for such a right was a law in California—a state generally considered to be at the forefront of the country's privacy developments—called the "eraser" law, which in 2015 began requiring the operator of an internet website, online service, online application, or mobile application to remove certain content or information posted on their site, service, or application. This law bore some resemblance to the GDPR, but its application was very limited: it did not cover content posted by a third party, and the right only applied to minors (persons under the age of 18) residing in the state of California.
The same year the eraser law became effective, a consumer advocacy organization, Consumer Watchdog, sought to establish a broader national right to be forgotten. The year prior, Consumer Watchdog wrote to Google, asking it to voluntarily extend the EU's right to be forgotten to users in the United States. When this did not work, the organization tried to shoehorn a right to be forgotten into the Federal Trade Commission Act's general prohibition on unfair and deceptive trade practices.
Writing to the Federal Trade Commission (FTC)—the general U.S. regulator for consumer protection—Consumer Watchdog complained that Google, by describing itself as a champion of user privacy while not offering the right to be forgotten, was engaging in deceptive behaviour. That this right, which Consumer Watchdog called a "key privacy tool," was offered in the EU but not in the US made the behaviour even more egregious.
The complaint fell on deaf ears, however, and the FTC took no action against Google for failing to offer a right to be forgotten. As a result, until earlier this year the only U.S. data subjects with a right to be forgotten were California residents under the age of 18. This changed earlier this year, however, when California implemented the California Consumer Privacy Act (CCPA).
We have written extensively elsewhere [CCPA takes Shape , California's New Privacy Law] about the CCPA and its importation of GDPR principles into the U.S., but for the purposes of this discussion, what is notable about the law is the inclusion of a right to be forgotten that clearly parallels this right under the GDPR. Under the CCPA, California residents have the right to request that a business and its service providers delete their personal information, subject to certain exceptions similar to those under the GDPR, such as complying with another legal obligation or using the data for research purposes.
The California law may signal an important shift in privacy rights in the U.S. Many other states as well as the federal government have sought to follow California's lead by considering similar comprehensive data privacy legislation, including the right to be forgotten. This development comes not a moment too soon, as invasions of the reserved sphere of the individual becomes increasingly frequent and intrusive as the data available online grows exponentially. Yet despite the American public's increasing demand for the right to be forgotten, it remains to be seen how effective such a right will be, particularly once this fledgling principle comes into contact with a bulwark of the American legal system, namely the First Amendment right to free speech.
That will be a topic for another day.
Filippo Maria Volpini, Legal Intern, contributed to the writing of this article.