Europe’s highest court, The European Court of Justice ("ECJ") in Luxembourg, ruled on two cases last week involving GDPR’s right to be forgotten as it applies to information available on the internet. In the first ruling, the court held that the privacy rule cannot be applied outside the European Union. In the second, the court said the right to freedom of information must be balanced against the right to privacy and specifically the right to have links related to certain categories of personal data automatically deleted.
Right to Be Forgotten Limited to EU
Google has applied the right to be forgotten since 2014 on search results that appear within the EU, but not elsewhere. In 2015, French privacy regulator CNIL ordered Google to remove search results globally and levied a fine when the firm did not comply.
Google challenged the order and fine and the ECJ ruled that the regulation does not provide "an absolute right," and cannot be applied outside the European Union, further stating, "currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject... to carry out such a de-referencing on all the versions of its search engine."
The ruling has broad implications because it underscores the idea that one nation or bloc cannot impose rights or restrictions on another – at least when it comes to privacy on the internet. The ruling also has the potential to spark a shift in the intensity of compliance activity.
No Auto-Removal for Sensitive Information
In the related second ruling, the ECJ held that certain types of data are not subject to automatic removal from search results – even if they are highly sensitive.
The court instead ruled that, although a high standard should be applied, these results may remain if the public’s right to the information was strong.
ECJ decisions are not subject to appeal, and courts within European Union nations must abide by them. The full text of the ruling and opinion may be found on the ECJ website.