In a landmark ruling, the European Court of Justice—Europe’s highest court—dealt Google a clear win by placing a territorial limit on the “right to be forgotten” in the EU. The court’s holding in Google v. Commission nationale de l’informatique et des libertés (CNIL) clarifies that a search engine operator that is obligated to honor an individual’s request for erasure by “de-referencing” links to his or her personal data (i.e., removing links to web pages containing that personal data from search results) is only required, under the GDPR, to de-reference results on its EU domains (e.g., google.fr in France and google.it in Italy), and not on all of its domains globally.

However, in the same ruling, the Court also stated that the GDPR applies to Google’s data processing on all of its domains globally (by virtue of such processing comprising “a single act of processing”). Therefore, an EU Member State’s supervisory authority and courts are free to treat the ECJ’s EU-wide de-referencing requirement as a “floor” and go one step further, requiring search engines to implement the right to be forgotten on all of its domains worldwide, including those outside the EU.

Background – The Right to Be Forgotten

The right to be forgotten—codified at Article 17 of the GDPR—grants individuals the right to obtain erasure of their personal data without undue delay, where, for example, the data are no longer necessary for the purpose for which they were collected or processed. However, the right is not unlimited; exceptions apply if the processing is deemed necessary for the exercise of freedom of expression, compliance with a legal obligation, public interests such as public health, scientific or historic research, or the establishment or defense of legal claims.
Continue Reading

The government in Indonesia has warned the world’s biggest social media providers that they risk being banned in that country if they don’t block pornography and other content deemed obscene.

A member of the House of Lords has proposed an amendment to the U.K.’s data protection bill that would subject technology companies to “minimum standards

Live Webinar: June 6, 2017 at 12:00 PM (ET) / 9:00 AM (PT)

The May 2018 compliance deadline for the EU’s new General Data Protection Regulation (GDPR) is fast approaching and—with non-compliance penalties of up to €20 million or 4% of annual global turnover at stake—you cannot afford to miss the deadline.

Please join Socially