今年九月25日, 歐洲法院(歐洲法院)發表了兩項關於執行歐盟被遺忘的權利的裁決。

對台灣人來說，被遺忘權是個很陌生的名詞，但對老外公司來說，卻是一個很重要的概念。

被遺忘權（Right to be Forgotten）是一種在歐盟內部存在的人權概念。簡而言之，即人們有權利要求移除有關於自己的負面信息或過時的個人身分資訊搜尋結果；但因為產生了與言論自由間的衝突，與可能產生網際網路審查的疑慮，因此引發了爭議，且法律框架仍不明確，當前只有在歐盟實行。

雖然被遺忘權只有在歐盟執行，但對跟歐洲等地貿易的公司來說，卻是非常重要的項目。
如何找出公司內部散落的資料，並妥善處理？這是 IT 人員的新挑戰。

Google vs. CNIL: EU Court Limits Right to be Forgotten to Member States

On 25 September, the European Court of Justice (ECJ) issued two rulings on the implementation of the EU’s right to be forgotten. The case had US-tech giant Google facing off against France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL) in a long-standing dispute over global injunctions issued on the basis of the right to be forgotten.

The ECJ ruled in favour of Google, holding that, while CNIL can compel the search engine to remove links for offending material for users located in Europe, it may not do so globally. The second decision, less widely publicised, concerned the handling of sensitive data which will require the creation of a notice-and-delist regime for especially sensitive categories of information, such as health data and criminal records.

The ECJ did not dismiss global injunctions all together, but simply made a ruling based on existing EU legislation at the time the case was put forward which, it concluded, did not give France the authority to request global injunctions, but, at the same time added that EU Law did not prohibit the practice. It is worth noting that, because the case was brought to the attention of the court in 2017, the ruling is based on Directive 95/46, not the General Data Protection Regulation (GDPR), which only came into effect on 25 May 2018.

Google VS CNIL

The right to be forgotten was the result of a ruling by the Court of Justice of the European Union (CJEU) against Google in May 2014 that stated that an individual had the right to request that old, inaccurate or irrelevant data be removed from search results and referred in general to the delisting of links by search engines.

Taking into account the ruling, Google began granting EU data subjects the right to be forgotten. However it first limited delisting to EU Member States domains such as Google.de, Google.fr etc. rather than its global search engine Google.com. When pushed by legislators, chiefly among them France’s CNIL in 2015, it also implemented geo-blocking technologies to prevent links whose delisting had been requested from appearing to EU-located individuals even on its global search engine. The links however were still accessible to internet users outside the EU.

CNIL insisted that the injunction should be global and issued Google with a €100,000 fine which the company contested bringing up the issue of censorship.

Right to Privacy VS Right to Freedom of Information

The main issue with the right to be forgotten, brought up by both civil society groups and several governments, is the possibility that it can be used as a tool of censorship. The fear is that, by enforcing the right to be forgotten, data protection authorities are encroaching on the right to freedom of information.

The ECJ itself although ruling in favour of Google in this case, did not close the door on global injunctions. In fact, it left it wide open. The ECJ stated that, in light of national standards of protection of fundamental rights, authorities of the Member States can weigh a data subject’s right to privacy and the protection of personal data concerning them against the right to freedom of information, and, where appropriate, request that the search engine operator carry out a de-referencing concerning all versions of that search engine.

This essentially means that data protection authorities will be able to impose global injunctions if they can prove that the personal data whose delisting is being requested does not interfere with the right to freedom of information.

How Does the Ruling Impact Compliance Efforts of Companies Outside the EU?

Companies outside the EU saw the ECJ’s ruling as a win against what is seen as an attempt by EU law makers of overreaching through extraterritoriality clauses in legislation such as the GDPR. However, the ECJ ruling is unlikely to impact companies that do not deal with publically available information.

The question of the right to freedom of information and how it can differ from country to country was at the heart of the debate around the Google VS CNIL case. If an organization collects information for commercial purposes, chances are it’s not publically available and therefore whether its deletion is being requested or not is of no consequence to internet users’ right to freedom of information.

Companies must also keep in mind that the right to be forgotten as enforced through the 2014 CJEU ruling is not the same as the GDPR’s right to erasure. Forgotten in this case refers to deindexing from public search engines, not the deletion of the content the search engines linked to. Erasure meanwhile refers to the deletion of personal information upon a data subject’s request.

In Conclusion

While Google may have won the day, its fight against CNIL is far from over. The tech giant will soon be up against France’s data protection authority in another case which will see Google contesting a €50 million fineissued by CNIL in January 2019 for lack of consent on ads. This time though, the case will be judged under the GDPR and its decision may indeed change the face of data protection compliance.