Google’s victory in a landmark right to be forgotten case raises more questions than it answers, according to legal and technology experts.
The European Court of Justice (ECJ) ruled yesterday that the search giant only needs to remove links from its services inside the EU in order to comply with legitimate right to be forgotten/right to erasure requests.
French privacy regulator CNIL had demanded that Google remove links globally to pages containing false or damaging info on a person, in a case dating back to 2015.
Part of Google’s argument for not removing info outside the EU was that the law could be exploited by oppressive governments to cover up abuses and control the flow of information, much as China does with its Great Firewall censorship apparatus.
“Since 2014, we’ve worked hard to implement the right to be forgotten in Europe, and to strike a sensible balance between people’s rights of access to information and privacy,” the search giant said of the result. “It’s good to see that the court agreed with our arguments.”
However, some argued that the ruling undermines the right to be forgotten by failing to institute the law globally.
“Google is normally able to detect visitors from Europe to its global search engines and block them from seeing certain web pages containing sensitive information about individuals from queries made using their names,” explained Simon Migliano, head of research at Top10VPN.
“However, anyone connected to a VPN server located outside Europe will evade such detection and be able to view those results regardless of any 'right to be forgotten' decision in place. This loophole highlights the significant limitations of geo-restricting contentious web content in this day and age.”
Mishcon de Reya data protection adviser, Jon Baines, added that there are still question marks over what happens to the UK if it leaves the EU without a deal.
“Will UK search engine domains retain links to information removed from EU search engine domains? Or might the UK decide ultimately to give effect to delinking decisions made in the EU? Private individuals, as well as businesses, will want urgent clarification on this from government,” he argued.
EU citizens have been able to request that information about them be removed from the web since 2014. Since then, however, the GDPR has made it easier for them to request that such information be expunged from the web, with its right to erasure clause. Providers have a month to respond to a verbal or written request.
Ron Moscona, a partner at international law firm Dorsey & Whitney, explained that the ruling has failed to add clarity on how and when the GDPR should be limited in scope to within the EU.
“The provisions of Article 3 of GDPR that define its territorial effect clearly extend the legal rights and obligations of GDPR, in many circumstances, to the processing of personal data outside the EU including by entities operating outside the EU,” he said.
“Today’s decision of the EU court does not address these broader territorial issues.”