November 8, 2023
With the current flow of digital information accumulating every second, preserved for all eternity in cyberspace, it is a no-brainer that a lot of people would want to leave some of their personal information unseen. This reality coupled with the fact that Google is one of the most popular, if not the most popular contemporary search engine, it is unquestionable that many individuals around the world would want to exercise their right to be forgotten with Google. In 2019, 4 years after the right to be forgotten has been established, at least 3.2 million URLs (Uniform Resource Locator) have been requested for delisting from Google . So what is the right to be forgotten? And what would you need to do to exercise this right with Google? The article aims to answer this very question.
In general, the right to be forgotten refers to the right of the data subject to the erasure of their information. Alongside the right to erasure, there is also the right to be delisted which applies to search engines such as Google.
The right to be delisted, in short, is a right of the data subject to request search engines to remove certain results relating to him/her from certain searches, this right often applies to information that is “inaccurate, inadequate, irrelevant or excessive”. For example: Mr. A is involved in a dispute with Mr. B, however, the dispute was settled quickly afterward. A few years after the dispute, Mr. A searches his name on Google and sees a number of articles regarding his dispute with Mr. B. Seeing that the dispute has been resolved and wanting to put his past behind him, Mr. A can request Google to remove the articles regarding the dispute from the results that show up when his name is searched on Google. To be clear, the information in the articles is not erased, they are still on the original sites, however, they are won’t appear in Google’s index and thus, there is a lower chance of them being seen. Moreover, this does not mean that the articles will not show up as results for other searches. In the example above, while the article will not show up when Mr. A’s name is searched on Google, it might still show up when Mr. B’s name is searched.
The right to be delisted was first established in May 2014 in the case “Google Spain v AEPD and Mario Costeja González” in which a Spanish man argued that information on a number of articles about him was obsolete and requested that Google remove his personal data from searches of his name. In the end, the European Court of Justice ruled in favor of his request on the basis that EU Directive 95/46/EC of 1995 gave individuals the right to ask search engines to delist certain results for searches related to a person’s name . The right was later codified in the General Data Protection Regulations (“GDPR”) which went into effect in 2018. Other countries such as Russia and Turkey have also enacted similar regulations . However, for the purpose of examining the right to be delisted, the article would only focus on the EU considering the right originated and was first codified in the EU.
First of all, the data subject must reside in a country that allows the right to be forgotten such as the EU since Google must respect the territorial scope of local laws. Consequently, in countries without laws regarding the right to be delisted, requests would be denied. This is done for the reason that there are countries that do not recognize the right to be forgotten. A prime example of such countries is the United States of America which considers the right to be forgotten as a hindrance to the right to freedom of expression stated in the First Amendment of the US Constitution.
On a side note, a person cannot apply for delisting if the content requested was created by that same person since they can freely adjust the privacy of their contents or erase them if need be which would be more effective than requesting Google to remove them for certain searches .
Also, personal data protection only applies to the processing of personal data. As such corporations and other legal entities are not eligible to request the delisting of contents for queries based on their corporate name .
In the EU, the Judgement of the European Court of Justice regarding the Case C – 131/12 “Google Spain v AEPD and Mario Costeja González” dated 13 May 2014 provided certain criteria that would be considered when the right to be delisted is invoked which include the following:
– Is the information in question inadequate?
– Is the information in question irrelevant?
– Is the information in question excessive?
– Is there a public interest in the information remaining publicly available in search results?
For the convenience of users, the request could be done completely digitally via Google’s online service by following the steps below :
Step 1: Access Google’s intuitive troubleshooter at g.co/legal;
Step 2: Select Google Search from the products list => Select Personal Information from the list => Select Right to be forgotten from the popup list;
Step 3: Fill out the form and submit it.
In the form, the person making the request must include the followings:
– Specific URLs of the contents that the person wishes to be delisted;
– Description of how the content is related to the person and they should be delisted;
– Search query that the person wishes to Google to delist the contents (i.e. name of the person). Search results for different names such as nicknames could also be delisted, provided that the name is proven to be linked to the identity of the person making the request;
– An email address where the person making the request could be reached.
Notes:
– The person making the request must fill in specific page URLs and not search links;
– The more information on the case the person making the request can provide, the easier it will be for Google to consider the request;
– Google might require the person to supplement information via emails before proceeding.
Such information on how the requests will be reviewed and the criteria (as mentioned above) that will be considered are detailed on Google support website page .
All requests shall be considered manually by at least 01 reviewer. Mainly, the review will be following the aforementioned criteria and weigh the public interest of the publicity of the contents being requested against the right of the person making the request. Factors such as: Role of the person making the request in public life, the source of the information, how old the content is, the effects of the content on Google’s users, the validity of the information, etc will be taken into consideration. The above factors are not absolute and in some cases might even contradict one another. As such, it would be difficult to ascertain the result of each individual request.
Delisting shall not affect the content on its respective web page. It only means that for certain queries, the requested web pages will not show up. Also, since Google respect the territorial scope of relevant local laws, the effect of delisting can only be observed within the applicable territories and shall not extend to those beyond them. If delisting is requested under the laws of country A, only results from the Google version of that country will be delisted, outside of country A, search results might show up normally.
One of the main criticisms of the right to be delisted of the EU is that it is not universal. In September 2019, the European Union’s Court of Justice (CJEU) issued a landmark ruling stating that Google, and by extension other search engines, do not have to extend “the right to be forgotten” to their search engines globally (CJEU’s 2019 decision). The ruling stemmed from a dispute between Google and the Commission Nationale de l’informatique et des libertés (CNIL) – the French data protection supervisory authority in 2015 in which Google was fined 100,000 Euro for refusing to delist results from its search engine globally. Google appealed to the CJEU arguing that EU’s authorities should not extend their privacy rules to the world since they might infringe on local laws such as the right to freedom of expression. Google also stated that its system allows users to be automatically directed to the version of Google suitable for their location as such the right to be delisted could be applied to certain regions while not affecting others. The CJEU then ruled in favor of Google . When applied to the right to be delisted, this means that search engines only have to remove search results from queries made within the EU, in other regions where EU laws do not apply, such results would come up as they normally would.
Conceptually, the reasoning behind the decision to limit the right to be delisted within the EU’s authority is logical. The EU cannot imposed it rules on territories outside of its control. At the same time, the right to be delisted is still enforced within the EU and on all those who enter the EU, thus protecting the personal data of EU’s citizens. The CJEU’s 2019 decision was indeed well-balanced. However, in the future, it would become increasingly difficult to maintain such an equilibrium.
Another valid criticism of the right to be delisted is that, in some circumstances, it would unfair for an article to be delisted simply because a portion of it contains personal information. For example, an online article detailing an incident involving multiple people could be delisted from search engines if one of the involved people requests the article to be delisted. This is problematic since it could negatively affect the access to information of entire communities. Furthermore, desisting entire articles because a portion of it contains personal information could deter journalists, reporters and news agencies from reporting complete news in fear of being delisted which, in turn, could affect the ability of the people to access information. Moreover, if other countries also apply the same right to be delisted, the uniformity of information in cyberspace would be threatened. A web search in one country could look completely different from one made in another country. This will severely hamper freedom of information and create disconnection between countries the cyberspace. Therefore, it is the author’s opinion that a method of standardization of the right to delisting would be integral to ensuring the future of cyberspace. While the matter is not prevalent at present, it certainly holds the potential to affect the freedom of expression and information access in the future.
Currently, there is one technology that diametrically opposes this right – Virtual Private Network (VPN). VPN is a tool that allows you to change your IP (Internet Protocol) address by rerouting the signal through a configured remote server operated by a VPN host . In layman terms, the signal from your computer would go through a VPN server before it goes to the website you are trying to access, from the viewpoint of the website, it would look as if the signal came from the server and not your computer. One of the main purposes of this technology is to bypass geo-restricted content on the Internet, one such restriction is the right to be forgotten. It could be said that the VPN was created to oppose such rights. For example: a user in the EU wishing to find all information on another person that has requested Google to delist certain results could use a VPN to change his/her IP address from the EU to the US in order to bypass the delisting in the EU. Currently, more than 1/3 of the world population has used a VPN and there are also no regulations against the use of VPN.
The use of VPN is not new and the concept of it has been around since 1996 . As such, the CJEU was also aware of the issue that is VPN in 2019 by stating that measures should be put in place to “prevent or, at the very least, seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subject’s name from gaining access, via the list of results displayed following that search, through a version of that search engine outside the EU, to the links which are the subject of the request for de-referencing.”[15] This is nothing more than a suggestion that is lackluster at best and downright meaningless at worst. Considering the growing number of VPN users around the world and in the EU, it is reasonable to assume that such suggestions will not be enough.
In the end, the matter of the VPN is an ongoing debate. It is hard to tell how VPN will evolve in the future other than that it will certainly grow bigger. The effect of VPN on the right to be delisted is clear but it would be hard for VPN to be suppressed without delving in the realm of censorship. Currently, the debate on the conflict between VPN and the right to be delisted has remained calm and has not boiled over. However, in the current age, change is the only certainty.
PrivacyCompliance
_________
[1] Bertram and others, ‘Five Years of the Right to be Forgotten’ (Google Research, 2019) <https://research.google/pubs/pub48483/> accessed on 19 December 2022.
[2] GDPR, Art 17.
[3] Konstantinos Kakavoulis, ‘The case Google Spain v AEPD and Mario Costeja Gonzalez of the Court of Justice of the European Union: A brief critical analysis’ (HomoDigitalis, 20 June 2018) <https://www.homodigitalis.gr/en/posts/2900> accessed 18 December 2022.
[4] Google, ‘Right to be Forgotten Overview’ (Google) <https://support.google.com/legal/answer/10769224?hl=en> accesseed 28 December 2022.
[5] Brock Cooper, ‘Google and the right to be forgotten’ (Search Engine Journal, 17 February 2022) <https://www.searchenginejournal.com/google-and-the-right-to-be-forgotten/438501/#close> accessed 19 December 2022.
[6] Google (n 3).
[7] ibid.
[8] ibid.
[9] ibid.
[10] Judgment in Case C-507/17, Google LLC, successor in law to Google Inc. v Commission nationale de l’informatique et des libertés (CNIL) (2019).
[11] Molly McGinnis Stine, ‘EU’s Top Court Makes Key “Right to Be Forgotten” Decision’ (LockeLord, November 2019) <https://www.lockelord.com/newsandevents/publications/2019/11/eus-top-court-makes-key#:~:text=On%2024%20September%202019%2C%20the,to%20its%20search%20engines%20globally.> accessed 20 December 2022.
[12] Kaspersky, ‘What is VPN? How it works, Types of VPN’ (Kaspersky) <https://www.kaspersky.com/resource-center/definitions/what-is-a-vpn> accessed 21 December 2022.
[13] Aleksandar Kochovski, ‘The Top 25 VPN Statistics, Facts & Trends for 2022’ (Coudwards 23 August 2022) <https://www.cloudwards.net/vpn-statistics/> accessed 21 December 2022.
[14] Stine (n 10).
[15] Court of Justice of European Union, ‘PRESS RELEASE No 112/19’ (2019) <https://curia.europa.eu/jcms/upload/docs/application/pdf/2019-09/cp190112en.pdf> accessed 21 december 2022.
Certified in Cybersecurity – a starting point in cybersecurity The Certified in Cybersecurity (CC) is an entry-level certification offered by (ISC)², the organization behind industry-leading credentials like CISSP. Launched to address the growing demand for skilled cybersecurity professionals, the CC certification is designed for individuals starting their careers in cybersecurity, providing foundational knowledge and skills. […]
Learn more
CRISC – Globally Recognized Information Security Certification A Certified in Risk and Information Systems Control® (CRISC®) certification demonstrates IT risk management expertise. By taking a proactive approach, the holder can enhance the organization’s business resilience, deliver stakeholder value and optimize risk management across the enterprise. By being CRISC certified, the holder will be ready to […]
Learn more
CISA – World-renowned IT Auditing Certification Certified Information Systems Auditor® (CISA®), world-renowned as the standard of achievement for auditing, monitoring, and assessing IT and business systems, also acknowledges the importance of emerging technologies. Achieving a CISA certification showcases expertise and asserts the holder’s ability to apply a risk-based approach to audit engagements. Addressing innovations like […]
Learn more