Sunday

11th Apr 2021

Analysis

GDPR does not (yet) give right to global oblivion

  • If an EU citizen has established that his personal data should be removed, does that also apply to those accessing the internet outside the EU, like in Laos? (Photo: Jon Rawlinson)

EU citizens will see their 'right to be forgotten' online enshrined in EU law on Friday (25 May), but its effectiveness and reach will depend on a case which is still pending in front of the Court of Justice of the EU.

The general data protection regulation (GDPR), which will apply as of Friday, gives EU citizens the right to demand from companies or organisations to have their personal data removed, under certain circumstances.

But it is not yet clear to what extent the right to have personal data erased or removed from search engine results will apply globally.

"This issue is just now pending in front of the Court of Justice: the reach, the applicability of the decisions by our data protection authorities," said a European Commission official on Wednesday, on condition of anonymity.

"We cannot apply our EU law extraterritorially. … How does it work in such a medium as internet?"

The provision in GDPR follows an earlier ruling by the Luxembourg-based EU court in 2014, which said that search engines had to remove results related to an EU citizen's name if they were "inadequate, irrelevant or no longer relevant".

However, the question is how such a right can be effectively applied in light of the global nature of the internet.

The French data protection authority (DPA) was one of the most aggressive DPAs enforcing the right to be forgotten – which has since become known as 'delisting' or 'de-referencing'.

In 2016, it demanded that Google not only delist information about French citizens from the search engine's French version Google.fr, but also from Google.com and other non-French domain names, which, because of the global nature of the internet, are available to French users too.

Google disagreed.

Last year, France's highest administrative court, the Council of State, asked the Court of Justice of the EU for advice.

It asked if the right to be forgotten also requires a search engine to remove data from its domain services outside the EU.

The Council of State also asked if a company should use geo-blocking to comply with the right to be forgotten.

Geo-blocking is a technique via which a website checks the geographical location of the user requesting a page and blocks users from certain geographical areas.

This approach could lead to removed information still remaining available to users outside the EU.

That might not necessarily be a bad thing.

There is a tension between the right to be forgotten and human rights, in particular freedom of expression and freedom of information.

One unintended consequence of a rigid global application of the right to be forgotten could be a stifling effect on freedom of speech in the rest of the world.

However, geo-blocking is not foolproof and there are ways to circumvent it.
