Thursday

23rd Sep 2021

Analysis

GDPR does not (yet) give right to global oblivion

  • If an EU citizen has established that his personal data should be removed, does that also apply to those accessing the internet outside the EU, like in Laos? (Photo: Jon Rawlinson)

EU citizens will see their 'right to be forgotten' online enshrined in EU law on Friday (25 May), but its effectiveness and reach will depend on a case which is still pending in front of the Court of Justice of the EU.

The general data protection regulation (GDPR), which will apply as of Friday, gives EU citizens the right to demand from companies or organisations to have their personal data removed, under certain circumstances.

Read and decide

Join EUobserver today

Become an expert on Europe

Get instant access to all articles — and 20 years of archives. 14-day free trial.

... or subscribe as a group

But it is not yet clear to what extent the right to have personal data erased or removed from search engine results will apply globally.

"This issue is just now pending in front of the Court of Justice: the reach, the applicability of the decisions by our data protection authorities," said a European Commission official on Wednesday, on condition of anonymity.

"We cannot apply our EU law extraterritorially. … How does it work in such a medium as internet?"

The provision in GDPR follows an earlier ruling by the Luxembourg-based EU court in 2014, which said that search engines had to remove results related to an EU citizen's name if they were "inadequate, irrelevant or no longer relevant".

However, the question is how such a right can be effectively applied in light the global nature of the internet.

The French data protection authority (DPA) was one of the most aggressive DPAs enforcing the right to be forgotten – which has since become known as 'delisting' or 'de-referencing'.

In 2016, it demanded that Google not only delist information from French citizens from the search engine's French version Google.fr, but also from Google.com and other non-French domain names - which, because of the global nature of internet, are available to French users too.

Google disagreed.

Last year, France's highest administrative court, the Council of State asked the Court of Justice of the EU for advice.

It asked if the right to be forgotten also requires a search engine to remove data from its domain services outside the EU.

The Council of State also asked if a company should use geo-blocking to comply with the right to be forgotten.

Geo-blocking is a technique via which a website checks the geographical location of the user requesting a page and blocks users from certain geographical areas.

This approach could lead to removed information still remaining available to users outside the EU.

That might not necessarily be a bad thing.

There is a tension between the right to be forgotten and human rights, in particular freedom of expression and freedom of information.

One unintended consequence of a rigid global application of the right to be forgotten could be a stifling effect on freedom of speech in the rest of the world.

However, geo-blocking is not foolproof and there are ways to circumvent it.

Feature

Nine lines that changed history - at least on the internet

Google has removed 800,000 search results across the EU following complaints from citizens, without the public knowing what has been removed, why it was removed or who complained. We revisit the case that rewrote history online.

EU sides with Google in data protection case

The European Commission suggests the French data protection watchdog overstretched its remit to make Google delist names on a global scale from search query results, as part of the 'right to be forgotten' rule in the EU's data protection regulation.

GDPR - a global 'gold standard'?

The new EU privacy rules are touted as a global 'gold standard' - but Mexico's former data commissioner warns some nations are far from ready.

News in Brief

  1. French ambassador to return to US after Macron-Biden call
  2. Borrell: EU needs armed force independent of US
  3. Polish region does U-turn on gay rights
  4. Johnson makes fun of French anger on submarine deal
  5. Ukraine vows 'tough response' after gun attack on top aide
  6. Poland again delays ruling on primacy of EU law
  7. EU to table emergency proposals on gas-price surge
  8. EU delays first set of anti-greenwashing rules

Are EU data watchdogs staffed for GDPR?

The success of the new general data protection regulation (GDPR) will depend on whether data protection authorities enforce the new rules - which, in turn, will be at least partly determined by how many people they employ.

Eight countries to miss EU data protection deadline

The EU starts enforcing its general data protection regulation on 25 May - but Belgium, Bulgaria, Cyprus, Czech Republic, Greece, Hungary, Lithuania and Slovenia won't be ready. The delay will cause legal uncertainty.

Stakeholders' Highlights

  1. Nordic Council of MinistersNATO Secretary General guest at the Session of the Nordic Council
  2. Nordic Council of MinistersCan you love whoever you want in care homes?
  3. Nordic Council of MinistersNineteen demands by Nordic young people to save biodiversity
  4. Nordic Council of MinistersSustainable public procurement is an effective way to achieve global goals
  5. Nordic Council of MinistersNordic Council enters into formal relations with European Parliament
  6. Nordic Council of MinistersWomen more active in violent extremist circles than first assumed

Latest News

  1. More French names linked to Russia election-monitoring
  2. Negotiations set for new, tougher, EU ethics body
  3. Lead energy MEP silent on gas meetings before vote
  4. WHO makes major cut in 'safe' air-pollution levels
  5. EU negotiators defend high Covid vaccines prices paid to pharma
  6. The EU's 'backyard' is not in the Indo-Pacific
  7. French MEPs lead bogus EU monitoring of Russia vote
  8. Europeans think new 'Cold War' is here - but not for them

Join EUobserver

Support quality EU news

Join us