Saturday

24th Jul 2021

Analysis

GDPR does not (yet) give right to global oblivion

  • If an EU citizen has established that his personal data should be removed, does that also apply to those accessing the internet outside the EU, like in Laos? (Photo: Jon Rawlinson)

EU citizens will see their 'right to be forgotten' online enshrined in EU law on Friday (25 May), but its effectiveness and reach will depend on a case which is still pending in front of the Court of Justice of the EU.

The general data protection regulation (GDPR), which will apply as of Friday, gives EU citizens the right to demand from companies or organisations to have their personal data removed, under certain circumstances.

But it is not yet clear to what extent the right to have personal data erased or removed from search engine results will apply globally.

"This issue is just now pending in front of the Court of Justice: the reach, the applicability of the decisions by our data protection authorities," said a European Commission official on Wednesday, on condition of anonymity.

"We cannot apply our EU law extraterritorially. … How does it work in such a medium as internet?"

The provision in GDPR follows an earlier ruling by the Luxembourg-based EU court in 2014, which said that search engines had to remove results related to an EU citizen's name if they were "inadequate, irrelevant or no longer relevant".

However, the question is how such a right can be effectively applied in light of the global nature of the internet.

The French data protection authority (DPA) was one of the most aggressive DPAs enforcing the right to be forgotten – which has since become known as 'delisting' or 'de-referencing'.

In 2016, it demanded that Google not only delist information from French citizens from the search engine's French version Google.fr, but also from Google.com and other non-French domain names - which, because of the global nature of the internet, are available to French users too.

Google disagreed.

Last year, France's highest administrative court, the Council of State, asked the Court of Justice of the EU for advice.

It asked if the right to be forgotten also requires a search engine to remove data from its domain services outside the EU.

The Council of State also asked if a company should use geo-blocking to comply with the right to be forgotten.

Geo-blocking is a technique via which a website checks the geographical location of the user requesting a page and blocks users from certain geographical areas.

This approach could lead to removed information still remaining available to users outside the EU.

That might not necessarily be a bad thing.

There is a tension between the right to be forgotten and human rights, in particular freedom of expression and freedom of information.

One unintended consequence of a rigid global application of the right to be forgotten could be a stifling effect on freedom of speech in the rest of the world.

However, geo-blocking is not foolproof and there are ways to circumvent it.
