At the bottom of every UK Google search page, there is a message that few people (save the legally astute) ever take much notice of: Some results may have been removed under data protection law in Europe. Learn more. For those who do choose to learn more and click on the link, Google outlines a key ruling by the Court of Justice of the European Union (CJEU) which affects the privacy of every EU citizen.
‘How are you implementing the recent Court of Justice of the European Union (CJEU) decision on the right to be forgotten?
The recent ruling by the Court of Justice of the European Union has profound consequences for search engines in Europe. The court found that certain users have the right to ask search engines like Google to remove results for queries that include the person’s name. To qualify, the results shown would need to be inadequate, irrelevant, no longer relevant, or excessive.
Since this ruling was published on 13 May 2014, we’ve been working around the clock to comply. This is a complicated process because we need to assess each individual request and balance the rights of the individual to control his or her personal data with the public’s right to know and distribute information. If you have a removal request, please fill out this web form.’
The 2014 decision by the CJEU came in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González. This landmark judgment held that an Internet search engine operator (Google) has responsibility for processing personal information which appears on web pages published by third parties.
It required Google to consider individual requests to remove links to web pages resulting from a search on their name, better known as ‘the right to be forgotten’ – even though the CJEU did not specify this phrase in its judgment. By the time GDPR came into effect in May 2018, Google had received requests to remove more than 2.43m URLs since May 2014, and removed roughly 43 percent of them.
Of these, 1,000 were “frequent requesters,” according to Google, often “law firms and reputation management services,” which made up 15 percent of all requests – most often these involved celebrities, closely followed by politicians.
A specific ‘right to be forgotten’ was also mooted in GDPR. But between the 2012 draft and the final published version this shifted to a right to request erasure for a set of specific reasons. Instead, GDPR is predicated on a broad sweep of aims, giving individuals control of their personal data and preventing companies from being able to collect, store, process or sell this data without their knowledge and consent.
Penalties for non-compliance are savage: up to €20m or 4% of annual global turnover – whichever is greater. As one of the world’s most stringent legal frameworks governing data protection, no single piece of legislation has ever kept so many lawyers so busy for so long throughout an entire continent. GDPR advice has created millions of billable hours for law firms right across the 28 EU member states.
But now the EU club has been reduced to 27 members. In the complex legal aftermath of Brexit, Google is one of the first companies trying to untangle the mess. At the end of February, Google announced that the data and user accounts of its British users would be shifted from Ireland to the US.
The decision to move them out of the Irish jurisdiction was determined by the lack of clarity over whether Britain will follow GDPR, or adopt different rules concerning the handling of user data: if it had left its UK customers in Ireland, Google might therefore risk double-jeopardy for EU fines and other sanctions resulting from any breach since it would be subject to both UK and EU laws.
Google’s move may be followed by other US tech giants, such as Facebook. Both companies’ European operations are headquartered in Ireland, as are nine of the top ten US tech companies. Since Ireland remains part of the EU it continues to be subject to GDPR, so Google’s relocation of British data and user accounts to the US will put them beyond the reach of GDPR enforcers.
As the Guardian put it. ‘’This will leave the sensitive personal information of tens of millions not covered by Europe’s world-leading GDPR and therefore with less protection and within easier reach of British law enforcement.”
But this is directly contradicted by Google’s statement: “Nothing about our services or our approach to privacy will change, including how we collect or process data, and how we respond to law enforcement demands for users’ information,” Google said. “The protections of the UK GDPR will still apply to these users.”
Speaking at the World Economic Forum in Davos in January, Google CEO Sundar Pichai went further, promising to protect users’ information and stating that “privacy is at the heart of what we do.”
He added: “Users come to Google at very important moments, ask us questions, we deal with people’s sensitive information in Gmail, Google Photos and so on, and so we have to earn their trust. Today, we do it by giving them control and transparency and choice around it.” Pichai said that privacy “cannot be a luxury good” describing GDPR as a “great template” which could provide guidance for other countries contemplating privacy-focused data regulations.
It is anticipated that the recent Cloud Act in the US will make it easier for British authorities to obtain data from US companies. Simultaneously, Britain and the US are on track to negotiate a much-heralded free trade agreement. Even so, the US has one of the weakest privacy protection regimes of any major economy: no overarching legislation governing privacy exists.
Meanwhile Boris Johnson’s chief Brexit negotiator, David Frost, has insisted that the ability to break free from the EU’s rulebook was essential to the purpose of Brexit, stating that the democratic consent of the British public would “snap dramatically and finally” if the UK continued to be tied to EU rules.
So might the UK bin GDPR alongside red EU passports? Until the end of the Brexit transition period (31 December 2020), EU GDPR will continue to apply in the UK. After that, the UK will become a third country for the purposes of international data transfers and a revised GDPR, known as the UK GDPR, will come into force. Initially, this will largely mirror the EU GDPR, but over time there may be divergence, which might potentially become significant.
Trying to predict how the UK’s regulatory landscape will change over the coming decade is a fool’s game: the battle between divergence and alignment with EU regulations has yet to be fought in earnest. For example, the UK’s current stated position is to resist EU demands for the European Court of Justice (ECJ) to have a say over UK trade after Brexit.
What this all means for privacy, GDPR and the right to be forgotten is distinctly unclear. The UK might take the roads followed either by the EU or the US. Alternatively, it might pursue its own path and choose a third way option. Whichever course it follows, an independent Britain will not want to be too far out of step as the value of data increases exponentially and the law invariably struggles to keep pace.
Dominic Carman, journalist, writer and legal commentator. www.dominiccarman.com