EU's Right to Be Forgotten Could Come Under Heavy Challenge

Restricting Web Domain Ownership Data: While the GDPR is a boon for privacy, its restrictions on personal data access can hinder law enforcement’s ability to find intellectual property thieves. When it comes to looking up ownership rights to web domain names in order to combat infringement, EU law enforcement may hit a roadblock. Access to the Internet Corporation for Assigned Names and Numbers’ (ICANN) WHOIS database is restricted. In light of this problem, some in the IP community have suggested creating an accreditation program for web domain owners to help law enforcement better manage infringement cases. But it’s still an open question about how this problem will ultimately be solved.

Elephants may never forget, but they still got nothing on Google—and thanks to a recent opinion rendered by Europe’s top court, that may not be changing any time soon.

An advocate general in the European Court of Justice opined that Google should not be mandated to extend the right to be forgotten to users outside the European Union, meaning that the search engine wouldn’t have to honor a request from, say, John Doe of New Jersey to have his email address removed from the results pool.

The opinion could potentially be the first of many serious attempts to curtail the scope of one of the more controversial aspects of the European Union’s General Data Protection Regulation (GDPR), which has already run afoul of free speech advocates and presents yet another difficulty to surmount for businesses attempting to comply.

“It will not surprise me very much if the courts take a pretty narrow view on right to be forgotten because of all these other issues that are relevant, like the First Amendment and public interest,” said Kirk Nahra, a partner at Wiley Rein.

The EU’s right to be forgotten traces its roots back to a 2014 European Court of Justice case involving Google, which concluded that personal data must be erased if the subject withdraws his or her consent absent any other legal grounds for processing. Those same tenants are now packaged inside the GDPR.

On January 10, 2019, Advocate General Macej Szpunar issued an opinion in response to another case involving Google and French data regulator CNIL, which fined the search engine $115,000 for not removing certain search links from every international version of its platform.

Szpunar’s opinion specifically took issue with the possibility that applying the right to be forgotten on a global scale could potentially open the door to censorship by nations that don’t share the EU’s enthusiasm for free speech.

“Who’s to say, for example, that a court in a military dictatorship wouldn’t be able to declare that since you guys in Europe are imposing deletion requirements in countries outside Europe that if we require content to be deleted from search engines that you must also respect that?” asked Polsinelli shareholder Jarno Vanto.

Vanto considers Szpunar’s argument to be interesting because it attempts to position privacy as something that can occasionally be superseded by concerns like free speech.

The GDPR attempts to address the issue head on by requiring data controllers to weigh the data subject’s right against public interest in the data, which in some cases is more nebulous than others.

“We can all come up with the distinction of the history of what you bought at the Gap versus your criminal history,” Nahra said.

Sure, forcing Google to remove links across every single iteration of its platform would expend a lot of operational manpower, but the search engine is also host to voices that might otherwise go without a microphone.

“Google will benefit because they don’t have to exercise the deletion throughout all of it’s different domains, but who also benefited at the same time were human rights organizations, journalists and others who have the need to access that information,” Vanto said.