Tag: right-to-be-forgotten
16. December 2020
The Administrative Court of Stockholm announced on November 23rd, 2020, that it had rejected Google LLC’s appeal against the decision of the Swedish Data Protection Authority (Datainspektionen) determining Google’s violations of the GDPR. Google as a search engine operator had not fulfilled its obligations regarding the right to be forgotten (RTBF). However, the court reduced the fine from a total of SEK 75 million (approx. € 7,344,000) to SEK 52 million (approx. € 5,091,000).
Background to the case was the Swedish DPA’s audit in 2017 concerning Google’s handling of requests on delisting, which means removal of certain results from a search engine. The DPA concluded the inspection by ordering Google to delist certain individuals’ names due to inaccuracy, irrelevance and superfluous information. In 2018 the DPA initiated a follow-up audit because of indications that Google had not fully complied with the previously issued order. It resulted in issuing an administrative fine of SEK 75 million in March 2020.
The DPA raised attention to the fact that the GDPR increases the obligations of data controllers and data processors as well as strengthens the rights of individuals, which include the right to have their search result delisted. Though, Google has not been fully complying with its obligations, as it has not properly removed two of the search result listings that the DPA had ordered to delete. In one case Google has done a too narrow interpretation of what web addresses to remove, in the other case Google has failed to remove it without undue delay.
Moreover, the DPA criticized Google’s procedure of managing delisting requests and found it to be undermining data subjects’ rights. Following the removal of a search result listing, Google notifies the website to which the link is directed. The delisting request form, directed to the data subject raising the request, states that information on the removed web addresses can be provided to the webmaster. This information has to be seen as misleading since the data subject is made to understand that its consent to the notification is required in order to process the request. Therefore, such practice might result in individuals refraining from exercising their right to request delisting, which violates Art. 5 (1) lit. a) GDPR. What’s more, in the opinion of the DPA the delisting notifications to the webmasters are not covered by legal obligations according to Art. 6 (1) lit. c), 17 (2) GDPR, nor legitimate interests pursuant to Art. 6 (1) lit. f) GDPR. Also, Google’s routine of regularly sending information to webmasters constitutes processing of personal data being incompatible with the purpose for which the data was originally collected. This practice infringes Art. 5 (1) lit. b), 6 (4) GDPR.
Google appealed the decision of the DPA. Though, the Swedish Administrative Court of Stockholm reaffirmed the DPA’s opinion and confirmed Google’s violations of the GDPR.
The court stated that the process concerning delisting requests must facilitate for the individual to exercise its rights. That means, any process that restricts the individuals’ rights may violate Art. 15 through 22 GDPR. The court also specified why the personal data had been processed beyond their original purpose. Since the notifications are only sent after Google has removed a search result, the purpose of the processing has already expired when the notification is sent. Thus, the notification cannot be considered effective in achieving the purpose specified by Google.
Google shall now delist specific search results and cease to inform webmasters of requests. Also, Google must adapt its data subject rights procedure within eight weeks after the court’s judgment has gained legal force.
23. October 2020
The Norwegian Data Protection Authority (Datatilsynet) has issued the Norwegian Public Roads Administration (Statens vegvesen) a fine of EUR 37.400 (NOK 400.000) for improprieties related to the use of the monitoring system installed on toll ways in Norway. They concerned processing personal data for purposes that were noncompliant with the originally stated and for not erasing video recordings after 7 days from their registration.
The penalized entity is the controller of a system processing personal data obtained from the area of toll roads in Norway. This system records personal data which especially enable the identification of vehicles (and hence their owners) that pass through public toll stations. The primary purpose of processing these personal data was to ensure safety on public roads and to optimize the operation of the tunnel and drawbridges in the county Østfold. The Norwegian Public Roads Administration however, used the recordings particularly in order to document improper fulfilments of concluded contracts by certain subjects. According to the Norwegian Data Protection Authority, such procedure is unlawful and not compliant with the originally stated purposes.
The Norwegian Public Roads Administration was also accused of infringements related to deletion of personal data in due time. In accordance with Norwegian regulations, recordings from monitoring (and thus personal data) may be stored until the reason for its storage ceases, but no longer than 7 days from recording the material. In the course of proceedings it turned out that the monitoring system did not have the function of deleting personal data at all. Therefore, the Norwegian Public Roads Administration was not able to fulfil its obligation according to Art. 17 GDPR. The lack of this functionality additionally indicates that the controller, while implementing the monitoring system, also omitted the requirements specified in Art. 25 GDPR.
Taking into account these circumstances, the Norwegian Data Protection Authority stated a violation of the mentioned GDPR regulations.
27. September 2019
In a landmark case on Tuesday the Court of Justice of the European Union (CJEU) ruled that Google will not have to apply the General Data Privacy Regulation’s (GDPR) “Right to be Forgotten” to its search engines outside of the European Union. The ruling is a victory for Google in a case against a fine imposed by the french Commission nationale de l’informatique et des libertés (CNIL) in 2015 in an effort to force the company and other search engines to take down links globally.
Seeing as the internet has grown into a worldwide media net with no borders, this case is viewed as a test of wether people can demand a blanket removal of information about themselves from searches without overbearing on the principles of free speech and public interest. Around the world, it has also been perceived as a trial to see if the European Union can extend its laws beyond its own borders.
“The balance between right to privacy and protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world,” the court stated in its decision.The Court also expressed in the judgement that the protection of personal data is not an absolute right.
While this leads to companies not being forced to delete sensitive information on their search engines outside of the EU upon request, they must take precautions to seriously discourage internet users from going onto non-EU versions of their pages. Furthermore, companies with search engines within the EU will have to closely weigh freedom of speech against the protection of privacy, keeping the currently common case to case basis for deletion requests.
In effect, since the Right to be Forgotten had been first determined by the CJEU in 2014, Google has since received over 3,3 million deletion requests. In 45% of the cases it has complied with the delisting of links from its search engine. As it stands, even while complying with deletion requests, the delisted links within the EU search engines can still be accessed by using VPN and gaining access to non-EU search engines, circumventing the geoblocking. This is an issue to which a solution has not yet been found.
3. June 2016
The Belgian Court of Cassation confirmed the broad interpretation of the “right-to-be-forgotten” by a Belgian Court of Appeal.
The case was initiated by a person who fought against a Belgian newspaper because it did not comply with a request to remove an article from 1994 from its online archives regarding a car accident causing the death of two persons in which the individual was involved.
The Court of Appeal ruled that disclosing the name of the individum in the article was not in public interest and that is why it was damaging the reputation of the relevant individual. Therefore, it ordered the newspaper to anonymize the online version of the article.
However, the newspaper contested the Court of Appeal’s judgment and brought the case before the Belgian Court of Cassation.
The Court of Cassation decided that the publication of articles in newspapers’ online archives can be considered as a new disclosure of facts of an individual’s judicial past, which could potentially infringe the individual’s right-to-be-forgotten. Furthermore, the Court of Cassation confirmed that the online publication of the non-anonymized article years after the accident could have caused damages to the individual’s reputation. Therefore, the Court of Cassation decided that the right to privacy of the relevant individual could justify an interference with the newspaper’s right to freedom of expression and that in this case the newspaper has to remove all references to the individual from the article in its online archives.
17. May 2016
Two years ago, the Court of Justice of the European Union established the “right to be forgotten”. An organization named Reputation VIP launched a website, forget.me, that should help consumers in Europe submitting requests to Google and Bing.
Based on the consumer submissions through the site, 130,000 URLs, the company released a new report on the trends of the outcome of the requests of the “right to be forgotten” related to geographic location and success rates of those requests.
The study shows, that with regard to geographical means the top three countries from which requests originate are Germany, the UK and France. In more detail it is to say, that more than half of all requests came from Germany and the UK.
With respect to the success rates of the mentioned requests the report states, that Google denies about 70 percent to 75 percent of them.
Furthermore, the study shows, that Google most frequently denies removal requests concerning professional activity. Whereas the type of request is in 61 % of the cases due to an invasion of privacy.
20. April 2016
The New York Times reports that crisicism is raised among European data protection regulators and politicians on Google’s secretive process for deciding whose “right to be forgotten” cases end with a stricken link and whose do not. The lack of the company’s transparency is not the only concern regarding how a private organization has autonomy in these cases instead of the government. Furthermore, Google has ruled on double the amount of national authorities’ privacy judgments. “If Europe really wanted to regain control over personal data, giving Google this type of power is an odd outcome,” concluded Oxford University’s Luciano Floridi.
The criticism is also raised as a result of a general growing discontent from both European regulators and politicians due to the fact that national data protection agencies sometimes lack the financial, technical and human resources to handle the substantial increase of “right to be forgotten” requests, according to regulatory officials and legal experts.
29. March 2016
The French Data Protection Authority (“CNIL”) fines Google for data protection violation. In May 2014, the European Court of Justice had decided, that citizens could request search engines to delist inadequate or irrelevant web search results of themselves; the so-called “right-to-be-forgotten” was born.
The CNIL has now fined the US search engine 100.000 Euros over the right-to-be-forgotten, since Google just delisted web search results regionally, for instance only accross their European websites, such as google.fr and not also on the google.com website. By delisting web search results of a person only regionally, the data subject will practically not be able to exercise her/his right-to-be-forgotten efficiently. Search engines should instead delist search results from all their domains.
