Jahnnavi Sarkhel, Hidayatullah National Law University, Raipur, Chhattisgarh.*
An average internet user in today’s world can search and find any information on the surface web with relative ease. The World Wide Web continues to grow and expand technologically, and this has also brought an influx of users. Popular search engines like Google, Bing, and Yahoo! can be accessed across the world by billions of users who can search for any information. As access to the web increases, so do the collection and processing of the personal data of internet users who browse several websites. To curb this collection and processing, the European Union (hereinafter, “the EU”) implemented the “Right to be Forgotten”, which allows the citizens of the EU to ensure their information is delinked and delisted from websites and search engines respectively. This right, however, is not absolute in the sense that it does not protect users outside the borders of the EU.


I. Introduction

The year 1989 saw the inception of the World Wide Web and since then it has flourished. The first search engine was called "Archie Query Form" and was invented in 1990[i]. This was followed by the creation of a "Virtual Library" and CERN, in 1991. "Yahoo!" was created in 1994 and it was a search engine where users could see an assortment of web pages, each with a small description of the site. By the end of 1998, we had Google. The invention of new search engines brought about newer advances in the field of technology and allowed users to pin down search content with more precision. These advances allowed more and more users to access the web, and in the first five years after the inception of the World Wide Web, an average of 640,000 users accessed the web daily, among them 27,000 new users per hour[ii].


People accessing the web are advised to remain cautious and not to reveal their personal information as "once something is there, it is there forever". This, however, was not acceptable to the European Courts. In 2014, the Court of Justice of the European Union (hereinafter, "the CJEU") laid down that the citizens of the EU have the right to ensure their personal information is delisted from the search engines when this information is "inaccurate, inadequate, irrelevant, or excessive, considering the purpose of the processing…"[iii] This ruling has since been called the "Right to be Forgotten"[iv].

II. The "Right to be Forgotten"

In 2010, a Spanish man by the name of Mario Costeja Gonzalez filed a complaint with the Spanish Data Protection Agency, or "Agencia Espanola de Proteccion de Datos" (hereinafter "AEPD")[v]. He had searched his name on Google and came upon an article from 1998 published in a newspaper titled La Vanguardia which talked about him auctioning off his property to cover his social security debts. He filed the case against the said newspaper, Google Spain SL, and Google Inc. According to Gonzalez, this publication and its ready availability on the web were a violation of his right to privacy as per the provisions of the European Union's Data Protection Directive. He said that this matter was not relevant anymore as it had been solved a decade ago. He requested the newspaper to "be required either to remove or alter their article so that the personal data relating to him no longer appeared to use certain tools made available by search engines in order to protect the data"[vi]. He also requested Google Spain and Google Inc. to delist the article related to the newspaper.

The AEPD rejected Mr. Gonzalez's claims against the newspaper La Vanguardia; however, it upheld his claims against Google Spain and Google Inc. As per the AEPD, the article published in the paper "was legally justified as it took place upon order of the Ministry of Labor and Social Affairs and was intended to give maximum publicity…"[vii] On the other hand, the AEPD held that search engine operators should follow the data protection laws and rules, as they carry out the task of data processing and are responsible for it as the intermediaries here.

Google appealed this decision of the AEPD to Spain's High Court, which asked the CJEU certain questions. These were:

"a. Whether EU rules apply to search engines if they have a branch or subsidiary in a Member State;

  b. Whether the Directive applies to search engines; and

  c. Whether an individual has the right to request that their personal data be removed from search results…"[viii]

The CJEU finally ruled on May 13th, 2014, four years after the complaint was filed initially.

The questions posed to the CJEU were answered when it gave the ruling. It ruled that the directive applies to all the search engines because they are "'controllers' involved in the 'processing of personal data'". The CJEU also ruled that, as Google Spain worked and operated from within the EU and hence fell within its jurisdiction, it had "an obligation in certain cases to remove the links to pages displayed by third parties, even if the information published by those third parties is itself lawful"[ix]. The third question was answered when the CJEU held that citizens of the EU can put forward requests to have their personal information delisted from search engines within the EU.

The Court held that, as per the provisions of Article 6 of the European Union's Data Protection Directive, all data should be accurate, relevant, and up to date. According to the Court, a balance should be maintained between the protection of an individual's privacy and the right of the public to access data in the public interest, and this balance should be assessed on a case-by-case basis.

It said that all personal data should be removed "where the data subject has withdrawn his consent and there is no other legal ground for processing if the data subject has objected and there are no overriding legitimate grounds for the processing"[x]. Further, the Court held that all personal data should be removed by the search engine if the EU or any Member State mandates it as per their law or if the data processing was done against the law in the first instance.

The outcome of Google Spain SL v. Agencia Española de Protección de Datos was that, in the following four years, Google received more than three million requests for removal of URLs, among which Google delinked approximately 45% of the results from the EU search engines[xi]. If a request is granted by the search engine and the link is delisted, then the link can no longer be made available through the search engine. However, if the request is not granted, then the individual can go to the Data Protection Authority (hereinafter, "the DPA") to appeal against the decision of the search engine.

The duty of the search engine, here, is only to delist the information which contains the name of the person concerned. "As a consequence, the relevant information can still be accessed directly through the link, or when searched for with alternative keywords as it remains available on the original website unless a separate request for erasure is successfully directed at that separate data controller"[xii]. It means that while the search engine cannot be used to search the delisted content using the name of the concerned person, their information could still be found on the original web page or simply by searching the topic involved. The latter happened in the case of Gonzalez, where the newspaper article about the auctioning off of his property would not show up in results when his name was searched, but a search for the topic itself still showed the article. As a result, the right to be forgotten is not absolute, as delisting is not fully effective.

After the ruling of the CJEU in the case Google Spain SL v. Agencia Española de Protección de Datos in 2014, France's privacy protection agency, CNIL, had persuaded the search engines that they should remove the data not only from EU-based sites but also from sites from countries outside the EU. In 2015, CNIL told Google.com and other engines to delist pages that had "damaging or false information about a person" irrespective of the location: "only this drastic solution, it argued, could ensure the effective protection of data subjects' rights."[xiii]

Google refused to comply with what CNIL requested and argued against censoring the search results in countries outside the EU. In 2016 "Google introduced a geo-blocking feature that prevents European users from being able to see delisted links". However, according to the CNIL, this feature does not fully accord with the right to be forgotten because "where results are merely delisted from EU domains, the information can still be accessed through other domains or by using circumvention methods such as a virtual private network (VPN)"[xiv]. Because Google refused to comply, CNIL imposed a fine of €100,000 on it for violating the right to be forgotten. Google challenged the imposition of the fine and argued "that European authorities shouldn't extend their own privacy rules across the globe". If the laws of the EU were made applicable to companies based outside its jurisdiction, then it would force these companies to go against the laws of their own jurisdiction.

A. General Data Protection Regulation, 2018

In 2018, it was brought to light that Cambridge Analytica had gathered the personal information and data of over 87 million users of Facebook. This collected data was used to sway the public during the 2016 presidential campaign in the United States[xv]. This transgression helped expose how the personal data of individuals could be misused. After the news of this scandal broke out and while the case of CNIL v. Google was still ongoing, the EU, on 28th May 2018, passed the strongest set of data protection rules and regulations.

This was titled the General Data Protection Regulation (hereinafter "the GDPR"). The GDPR revamped how a person's data would be collected by businesses and organizations. The right to be forgotten was included in the GDPR and extended "to all entities that 'offer' goods and services in the EU or 'monitor' the behavior of EU residents, even if the entity is located outside the EU"[xvi]. This means that if a business or an organization is located outside the jurisdiction of the EU but is still used by citizens of the EU, it has to comply with the rules set out in the GDPR.

The GDPR also includes within its ambit not just search engines but also other providers who operate within the EU. Such businesses, organizations, or individuals should all collect data as per the rules set out, as they are all considered either a "controller" or a "processor" of the personal data collected.

A "'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data."[xvii] Therefore, as per the GDPR, all organizations are controllers if they determine how the data is collected, even if they do not personally collect the personal information and data. This includes social media sites and online shopping sites.

A processor means "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller". A processor should keep a record of how the data is being collected in compliance with the GDPR rules[xviii].

The GDPR not only widened the scope of the organizations which fall under its control but also increased the scope of what is meant by sensitive data. Personal data means "any information relating to an identified or identifiable natural person"[xix]. The "information" here includes "name, an identification number, location data". The definition also includes "factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person", including "genetic data, information about religious and political views, sexual orientation and more"[xx].

Article 6(1) of the GDPR puts forth a set of six reasons under which a controller can lawfully process an individual's data. These include situations where the controller has an obligation under a valid contract, where the data processing is required in the "vital interest of the data subject or of another natural person"[xxi], where the data is processed in the public interest, where the data is processed because the controller has a lawful and legitimate interest, or where the controller has valid consent.

B. Google LLC v. CNIL Ruling of 2019

The 2018 GDPR code and the 2014 ruling in the Google Spain case helped strengthen the data protection laws for EU citizens; however, the geographic extent and reach of these regulations were still under scrutiny and a lot remained unanswered.

After the 2014 ruling in the Google Spain case, Google received multiple delisting requests and started delisting information of EU citizens from domains of Google within Europe only, for example, domains like google.fr, google.it, google.de, etc.[xxii] This delisted information, however, was not delisted on domains of Google based in other countries.

In 2015, the CNIL had requested Google to delist the information regarding EU citizens from all domains, and not just those based in the EU. In response to this, Google introduced the feature of geo-blocking[xxiii]. This technology does not allow users from the EU to access the delisted links. It works based on the IP address: if the address originates within the EU, then the delisted link is not visible. However, if the IP address originates from a country outside the EU, then the delisted data would be available.
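The name-keyed delisting and IP-based geo-blocking described above, as an added example that is not part of the original article and not Google's implementation. The domains, addresses, index entries and the fail-closed handling of unmapped addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed data: RFC 5737 documentation ranges stand in for real allocations.
GEOIP = [
    (ipaddress.ip_network("192.0.2.0/24"), "ES"),    # subscriber line in Spain
    (ipaddress.ip_network("203.0.113.0/24"), "US"),  # address outside the EU
]
EU_COUNTRIES = {"ES", "FR", "DE", "IT"}                   # abbreviated list
EU_DOMAINS = {"search.example.es", "search.example.fr"}   # hypothetical regional domains

# Constructed search index: two pages on the same topic, one naming a person.
INDEX = [
    {"url": "https://news.example/1998/auction-notice",
     "text": "property auction social security debts jane doe"},
    {"url": "https://news.example/2020/auction-rules",
     "text": "property auction rules explained"},
]
# A delisting is recorded per (data subject name, URL), not per URL alone.
DELISTED = {("jane doe", "https://news.example/1998/auction-notice")}


def country_of(ip):
    """Return the country code the GeoIP table assigns to ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP:
        if addr in net:
            return cc
    return None


def viewer_treated_as_eu(domain, client_ip):
    """EU domains always filter; other domains filter on the apparent source IP."""
    if domain in EU_DOMAINS:
        return True
    cc = country_of(client_ip)
    # Assumption of this example: an unmapped address fails closed (treated as EU).
    return cc is None or cc in EU_COUNTRIES


def search(query, domain, client_ip):
    """Return URLs shown for query after name-based delisting and geo-blocking."""
    words = set(query.lower().split())
    hits = [r["url"] for r in INDEX if words <= set(r["text"].split())]
    if not viewer_treated_as_eu(domain, client_ip):
        return hits
    # Only queries that contain the data subject's name trigger suppression.
    suppressed = {url for name, url in DELISTED if set(name.split()) <= words}
    return [u for u in hits if u not in suppressed]


if __name__ == "__main__":
    for q, d, ip in [
        ("jane doe", "search.example.es", "192.0.2.10"),
        ("jane doe", "search.example.com", "192.0.2.10"),
        ("jane doe", "search.example.com", "203.0.113.5"),
        ("property auction", "search.example.es", "192.0.2.10"),
    ]:
        print(f"{q!r} via {d} from {ip}: {search(q, d, ip)}")
```

The decision depends only on the requested domain and the address the request appears to come from, which is the property the CNIL objected to; the topic query returns the article on every domain because the delisting is keyed to the name.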

CNIL was disgruntled with the geo-blocking feature and believed the rights of the citizens could only be protected if the information was delisted from domains worldwide and not just in the EU. Therefore, CNIL fined Google a sum of €100,000 to help ensure Google complied with its demands[xxiv].

This issue came up before the CJEU where they now had to decide if the right to be forgotten should be expanded beyond the jurisdiction of the EU. This saw different opinions from different states in the Commission. Poland, Ireland, and Greece along with a few non-profit organizations supported the arguments placed forward by Google that the regulation of the EU cannot be expanded worldwide.

In September of 2019, the CJEU held that the right to be forgotten cannot be implemented and imposed on countries outside the jurisdiction of the EU. The court reasoned that "the right to be forgotten 'is not an absolute right'"[xxv] and that a balance should be struck between the right of a person to access information freely via a search engine and the right to protect the data of an EU citizen.

The CJEU made it clear that the "controllers" who work from within the EU must observe the privacy regulations and law of the EU "by using measures that 'effectively prevent or, at the very least, seriously discourage' an internet user inside the EU from accessing search results that were removed"[xxvi].

Therefore, it is observed that the ruling of the CJEU in 2019 made it clear that the right to be forgotten cannot be implemented beyond the EU. However, the members of the EU have the right to request search engines or organizations to delink sites in certain special circumstances. Furthermore, the websites which operate outside the EU have to take cautious steps to ensure that delinked information cannot be accessed within the EU.

III. Executing The Right To Be Forgotten

After the 2014 ruling in the Google Spain case, the CJEU assigned the duty of removing the information from the search engines to the search engines themselves. The ruling put the spotlight on the search engines, as they located the information of the subject, but did not put any regulatory focus on the first source of the information, like articles or paper websites.

If an EU citizen wants their information delisted or deleted, they have to request the organization, either in writing or verbally, and the organization usually has a period of a month to respond[xxvii].

The duty of receiving delisting requests has been transferred to the search engine companies, and this gives these companies the authority to determine what they believe is private information. To carry out this duty, Google constituted an internal team that receives and reviews the requests for delisting information from EU citizens. When this team reviews the requests, they consider "the validity of the content at issue, the identity of the requestor, and the source of the information"[xxviii]. After all this information is considered, the search engines, including Google, will delist or delete the submission they received if they think such submission is "inadequate, irrelevant or no longer relevant, or excessive"[xxix].

If the submission to delist a link goes through and Google agrees to delist or delete the link submitted for review, then a subject's legal course of action is complete. However, if the search engine company refuses to remove the information, then the subject can take recourse by way of an appeal to their local Data Protection Agency, which fines the company, forcing it to comply with the request made.

A. European Union and Geo-Blocking feature

Websites use a tool called geo-blocking, which determines the location of the internet user from their IP address so that the user can be blocked from accessing the website. To comply with GDPR codes, Google has implemented the use of a geo-blocking feature[xxx].

According to Google, this tool is 99 percent effective in determining the location of the EU users and in blocking them from accessing delisted and delinked information from the search engine results[xxxi].

This tool is used by Google not only in the EU but also in some states in the United States, namely Texas and Illinois. Geo-blocking is used in these states to block the use of apps that use facial recognition technology. Google's geo-blocking tool tracks the IP address of users in those states and blocks apps that use facial recognition technology[xxxii].

B. Is Geo-Blocking Accurate?

Peter Fleischer, who is Google's Senior Privacy counsel, has assured that the geo-blocking tool is effective up to 99 percent when it comes to blocking the access of EU citizens to delisted information[xxxiii]. However, this tool of Google is very easy to bypass, either by turning off the device's location or by using a Virtual Private Network (hereinafter "VPN"), which helps the individual access apps and websites blocked in their region.

VPNs are virtual private networks that utilize public networks, for example, the internet, to help link websites and users. These private networks encrypt the data collected from the users and make sure the user's original location is hidden. There are types of VPNs that can hide the connection of the user and keep them anonymous on the internet, so much so that their IP address cannot be figured out by their Internet Service Providers. There are also types of VPN that allow the user to access geo-blocked content; users most commonly use these VPNs to bypass geo-blocking features to access sites like Netflix and Spotify[xxxiv].

These virtual private networks are easy to discover and utilize. A simple search on any search engine will show thousands of results of VPN apps and sites which people can use to disguise their location and bypass geo-blocked content. An example of this would be the Google Arts and Culture app, which was released in 2018 by Google. This app had a facial recognition algorithm that allowed users to take a selfie which would then be compared to similar portraits from museums across the world. Residents of Texas and Illinois would not be able to access this app, as apps that use facial recognition technology are geo-blocked in the area.[xxxv] However, within 2 weeks of the release of the said app, a website published an article that talked about two means which can be used to bypass this geo-block. The first was that the device's location can be turned off. The second was that people can use VPNs to circumvent the block and access the app[xxxvi].

Even though Google's Senior Privacy counsel has stated the geo-block feature has a 99 percent efficacy rate, that figure does not allow for the possibility of people using VPNs to evade geo-blocked content. The Google Arts and Culture app was geo-blocked in the two states of the U.S., but by the use of VPNs, this restriction was side-stepped. CNIL asked for the right to be forgotten to be implemented globally to protect the rights of the EU citizens because of the advances being made in the field of VPN technology, which could easily transgress the rights of the EU citizens.

IV. Conclusion

Every year there is significant progress that takes place in the sphere of technology. Over the years, the internet has grown at a rapid pace, connecting more and more users across the world, with advanced tools which help people maneuver the web. Google now operates in 219 countries and helps to link people across the world[xxxvii].

The population of the world is 7.7 billion and among this, 3.5 billion people use the internet. Social media sites like Facebook have gained tremendous momentum and they have approximately 2.4 million users.

The growth in technology means that people who have access to the internet can find out any specific information they want about other people by easily looking them up on the various search engines. A lot of these search results may carry information that is no longer accurate or is dated and old. Negative information might harm a person's reputation, or the information might be used for identity theft purposes.

During the last several years, different governments across the globe have shown different responses to the ease of access to personal information on the web. Countries like China, Russia, and North Korea have some of the strictest censorship laws on the internet. Yet, in those countries too, regular citizens have bypassed the "great firewall" via VPNs and accessed sites like Twitter, which is banned in China[xxxviii].

When EU citizens exercise their right to be forgotten and request the delinking and delisting of their personal data, it is only done for domains based in the EU. For any domains outside the EU, the web page is simply geo-blocked based on the user's IP address, if the address shows them to be within the jurisdiction of the EU. If a person, here, uses a VPN, they can easily bypass the said geo-block and access the content. Paid services like ExpressVPN have server locations in 160 areas and around 30,000 IP addresses, and people who avail this service can easily change their device location from one area to another in a different part of the world, by connecting to the internet first.[xxxix] This is useful because the user's data is encrypted and they are anonymous on the web.

Given how easily a person can mask their device location, it is impossible to geo-block content from a person. It does not matter that the information has been delisted from the regional domains of the search engine if it has not been delisted from the main domain, which can be accessed by bypassing the geo-block. EU citizens who have access to VPNs can access all geo-blocked data by searching for the information on search engines that are outside the EU. Therefore, unless the information is completely deleted from all search engines globally, an EU citizen's right to be forgotten is not only "not an absolute right" but also a right that is impossible to achieve.

* Student at Hidayatullah National Law University, Raipur, Chhattisgarh.

