The ‘Right to Be Forgotten,’ Globally? How Google Is Fighting to Limit the Scope of Europe’s Privacy Law
On Tuesday, Google will try to convince Europe’s top court that the EU should not be pushing its own privacy laws on the rest of the world. The case marks the culmination of a long-running battle within Europe—but depending how the court rules, the implications could be global.
Here’s what you need to know about this latest stage of the “right to be forgotten” saga.
What’s the right to be forgotten?
Back in 2014, the Court of Justice of the European Union (CJEU) ruled that Google (GOOGL) had to remove links to out-of-date information about a Spanish man, because he wanted to be free of people learning about his bankruptcy more than a decade before, every time they searched for his name.
It was a bombshell ruling that enabled people to demand the removal of millions of links to information that is “inaccurate, inadequate, irrelevant or excessive.” The right is commonly called the “right to be forgotten,” though it is really a right to be delisted—Google can’t tell websites to remove the offending information.
Although there was a lot of pushback, particularly from the media, the right has so far mostly worked out in practice. Yes, some people try to have information about them delisted when it shouldn’t be—memorably, a pair of murderers recently tried their luck—but there is a public interest exemption to stop that happening.
The big downside here is that Google has to decide what is and isn’t in the public interest—it has effectively become a privatized judiciary, which is worrisome to say the least. But again, the system does seem to be working for now.
So what’s the problem?
The issue here is the territorial scope of the delisting. Google has many national versions of its search engine around the world, so how far should a right-to-be-forgotten ruling go, geographically speaking?
According to the French privacy regulator, CNIL, Google has to go all the way, every time. In mid-2015, CNIL told Google that it was not enough to remove a link about a French citizen from the French version of the site, google.fr, nor even from other EU versions such as the German google.de. Rather, the watchdog said, Google has to remove the link from every version, including the U.S.-serving google.com.
CNIL’s argument was that it was still possible for someone in France or Germany or some other EU country to visit a non-EU version of the search engine and find the offending link. Alright, said Google, how about we hide the link for google.com visitors whom we can detect are located in the EU? No dice, said CNIL, because a European could use a virtual private network (VPN) or some other location-hiding tool to see what they shouldn’t.
In 2016, the regulator fined Google, which complained to France’s supreme administrative court, which referred the case up to the Court of Justice of the European Union last year. And so here we are.
Imposing EU privacy law… seems familiar…
You’re probably thinking of how the EU’s newest privacy law, the General Data Protection Regulation (GDPR), forces companies around the world to follow EU rules if they want to do business in the bloc. And yes, the GDPR is a great example of the EU exporting its privacy rules—but in a more subtle way.
A global player such as Google or Facebook serves people around the world, so if it has to radically revamp its privacy systems to meet its legal obligations in Europe, it makes sense for it to offer the same privacy-enhancing settings to users in the U.S. and elsewhere. Otherwise, it would have to tell Americans that it respects Europeans’ privacy rights more than theirs, which isn’t a good look. Maintaining separate systems would also be fiendishly complicated.
But what’s happening with the right to be forgotten could create an even more explosive situation, because it’s not just about privacy rights—it’s about a type of censorship.
What if Google loses this?
Google argues that, if the French privacy watchdog wins the case, the result may be a “global race to the bottom.” After all, if EU law can dictate what someone in the U.S. can or cannot see online, then why shouldn’t the Chinese get to demand that Americans or Brazilians—or Europeans, for that matter—can’t find articles about Tiananmen Square?
That’s a compelling argument. Just looking at the EU and the U.S., both accept privacy and free-speech rights, but where the two rights clash, the territories prioritizes them differently—the U.S. generally opts for free speech and the EU generally sees privacy as more important. Just because it is technically possible for someone in the EU to cheat Google’s systems into offering up a different set of results, does that justify the EU imposing its own legal system on Americans? Doing so would infringe on the rights guaranteed to Americans by their own laws.
According to The Wall Street Journal, Google will say the right-to-be-forgotten system works in almost every case, when someone is conducting a search from France. It will also argue that the EU is obliged to avoid this sort of jurisdictional clash, where possible.
Ultimately, the CJEU will have to decide whether enforcement of the right to be forgotten has to be absolute, or whether Google (and other search engine providers) can take a more proportionate approach, in order to let people enjoy the rights given to them by the countries where they live.
The stakes here are incredibly high. It will take some months for the court to reach its decision, so look out for a potentially game-changing decision some time next year.