Pages

Apr 14, 2016

Strengthened "Right to Be Forgotten" Is Now Permanent in E.U., and Will Likely Affect U.S.

Passage of a new General Data Protection Regulation by the Parliament of the European Union means that "the right to be forgotten," created in a 2014 decision by the European Court of Justice, is now a permanent part of EU law. And the new regulation includes specific language to apply to any website in the world that includes or handles data from EU residents, including those based in the United States.

The "right to be forgotten," which in based on a European notion of privacy that is much broader than the concept of privacy that has been recognized in the United States, arose when a Spanish lawyer sought to remove Google search results linking to 2008 legal notices listing his apartment for sale after it was seized for unpaid taxes.

The European Court of Justice held that Google was obligated to remove the search links, while it also held that the Spanish newspaper that published the original ads was not required to remove them. The standard for requiring removal, the court said, was whether retention of the information was "no longer necessary in the light of the purposes for which they were collected or processed." The court also held that there was an exemption for material published "solely for journalistic purposes," and for information about promient public people, since the public interest in disclosure outweighs the person's right to privacy.

After initially resisting the ruling, Google and other search engines have now established systems for Europeans to request removal of links to material that falls under the court's decision on their sites directed at and used primarily in E.U. countries.

But E.U. officials have not been satisfied with this, and have endeavored to have such removals be effective on all of the search engines' sites worldwide: including in the United States, where imposition of such an requirement by the government would most likely be found unconstitutional.

Now, with passage of the new General Data Protection Regulation, they have done it. The new regulation -- which must be adopted by most E.U. member states in their own law by 2018 -- applies to any sites with information about Europeans, no matter where they are based. It also expands the rule to apply beyond search engines to all sites, including social media sites such as Facebook. So, for example, a European resident could request removal of some or all of their information from any site entirely.Companies that do not comply can face fines of up to four per cent of their global revenue for the previous year, or €20 million ($22.5 million), whichever is higher.

The "right to be forgotten" could also become an issue in adoption of the "Privacy Shield" agreement recently negotiated by the U.S. and the E.U. to cover transfers of personal data back and forth across the Atlantic, an everyday occurrence in this wired era. (In fact, just today a E.U. advisory group on privacy issues recommended that the E.U. reject the agreement because of surveillance concerns.)

In environmental law, researchers have described a "California effect" in which California's strict environmental regulations have become a de facto national standard. With the E.U.'s passage of the General Data Protection Regulation with an expansive "right to be forgotten," the European Union may end up playing such a role in internet regulation, with effects around the world, including the United States.