Saturday

4th Jul 2020

Analysis

GDPR does not (yet) give right to global oblivion

  • If an EU citizen has established that his personal data should be removed, does that also apply to those accessing the internet outside the EU, like in Laos? (Photo: Jon Rawlinson)

EU citizens will see their 'right to be forgotten' online enshrined in EU law on Friday (25 May), but its effectiveness and reach will depend on a case which is still pending in front of the Court of Justice of the EU.

The general data protection regulation (GDPR), which will apply as of Friday, gives EU citizens the right to demand from companies or organisations to have their personal data removed, under certain circumstances.

Read and decide

Join EUobserver today

Support quality EU news

Get instant access to all articles — and 20 years of archives. 14-day free trial.

... or subscribe as a group

But it is not yet clear to what extent the right to have personal data erased or removed from search engine results will apply globally.

"This issue is just now pending in front of the Court of Justice: the reach, the applicability of the decisions by our data protection authorities," said a European Commission official on Wednesday, on condition of anonymity.

"We cannot apply our EU law extraterritorially. … How does it work in such a medium as internet?"

The provision in GDPR follows an earlier ruling by the Luxembourg-based EU court in 2014, which said that search engines had to remove results related to an EU citizen's name if they were "inadequate, irrelevant or no longer relevant".

However, the question is how such a right can be effectively applied in light the global nature of the internet.

The French data protection authority (DPA) was one of the most aggressive DPAs enforcing the right to be forgotten – which has since become known as 'delisting' or 'de-referencing'.

In 2016, it demanded that Google not only delist information from French citizens from the search engine's French version Google.fr, but also from Google.com and other non-French domain names - which, because of the global nature of internet, are available to French users too.

Google disagreed.

Last year, France's highest administrative court, the Council of State asked the Court of Justice of the EU for advice.

It asked if the right to be forgotten also requires a search engine to remove data from its domain services outside the EU.

The Council of State also asked if a company should use geo-blocking to comply with the right to be forgotten.

Geo-blocking is a technique via which a website checks the geographical location of the user requesting a page and blocks users from certain geographical areas.

This approach could lead to removed information still remaining available to users outside the EU.

That might not necessarily be a bad thing.

There is a tension between the right to be forgotten and human rights, in particular freedom of expression and freedom of information.

One unintended consequence of a rigid global application of the right to be forgotten could be a stifling effect on freedom of speech in the rest of the world.

However, geo-blocking is not foolproof and there are ways to circumvent it.

Feature

Nine lines that changed history - at least on the internet

Google has removed 800,000 search results across the EU following complaints from citizens, without the public knowing what has been removed, why it was removed or who complained. We revisit the case that rewrote history online.

EU sides with Google in data protection case

The European Commission suggests the French data protection watchdog overstretched its remit to make Google delist names on a global scale from search query results, as part of the 'right to be forgotten' rule in the EU's data protection regulation.

GDPR - a global 'gold standard'?

The new EU privacy rules are touted as a global 'gold standard' - but Mexico's former data commissioner warns some nations are far from ready.

News in Brief

  1. EU grants Remdesivir conditional authorisation
  2. French prime minister and government resign
  3. France lied on Nato naval clash, Turkey claims
  4. EU highlights abuses in recent Russia vote
  5. Belgium bids to host EU mask stockpile
  6. France shamed on refugees by European court
  7. French and Dutch police take down criminal phone network
  8. EU launches infringement case on Covid-19 cancelled trips

Are EU data watchdogs staffed for GDPR?

The success of the new general data protection regulation (GDPR) will depend on whether data protection authorities enforce the new rules - which, in turn, will be at least partly determined by how many people they employ.

Eight countries to miss EU data protection deadline

The EU starts enforcing its general data protection regulation on 25 May - but Belgium, Bulgaria, Cyprus, Czech Republic, Greece, Hungary, Lithuania and Slovenia won't be ready. The delay will cause legal uncertainty.

Stakeholders' Highlights

  1. Nordic Council of MinistersNEW REPORT: Eight in ten people are concerned about climate change
  2. UNESDAHow reducing sugar and calories in soft drinks makes the healthier choice the easy choice
  3. Nordic Council of MinistersGreen energy to power Nordic start after Covid-19
  4. European Sustainable Energy WeekThis year’s EU Sustainable Energy Week (EUSEW) will be held digitally!
  5. Nordic Council of MinistersNordic states are fighting to protect gender equality during corona crisis
  6. UNESDACircularity works, let’s all give it a chance

Join EUobserver

Support quality EU news

Join us