Reymond: The future of the European Union “Right to be Forgotten”

INTRODUCTION

On May 13, 2014, the European Court of Justice (ECJ) rendered its now well-known Google Spain decision, in which it deduced from European data protection law, a right for individuals to remove search results displaying personal information that has become out-dated or irrelevant in such a way as to harm their privacy rights.¹ Though this right has come to be known as the “Right to be Forgotten”, it is in all actuality closer to a “Right to be Delisted”, being limited to search results appearing when searching for a person’s name.²

Today, the EU Right to be Delisted (RTBD) stands —in two ways— at a crossroads. First, the French Conseil d’Etat, following a years-long dispute between Google and the French data protection authority, the Commission Nationale de l’Informatique et Libertés, has queried the ECJ for a preliminary ruling to provide some much-needed guidance on the implementation of the right, and, in particular, whether removal of search results should be performed locally in the EU or in a global manner. Second, the recent entry into force of the General Data Protection Regulation (GDPR) raises the issue of whether and how its Article 17, which contains a “Right to Erasure / Right to be Forgotten”, should affect current delisting practices.

The present contribution looks to detail the impact of both of these developments upon the future of the RTBD in the European Union. In particular, it will be highlighted that, due to the lack of guidance on both procedural and substantive matters, the current implementation model of the RTBD, based on private ordering, lacks means of scalability. Therefore, the scope expansions contemplated by these two recent developments run the risk of leading the RTBD towards a practical breakdown. With this finding in mind, the contribution will submit an alternate implementation model, inspired by existing ADR systems.

The paper will begin with a short presentation of the legal concept known as the “Right to be Forgotten”, and will subsequently set out the details of the Right to be Delisted as formulated by the ECJ in its Google Spain decision. Each of the two aforementioned developments will then be analysed in turn, leading to a broader assessment of their possible impact upon the future of the Right to be Forgotten in Europe. The author’s submission will be detailed in the conclusion.

THE CONCEPT OF THE RIGHT TO BE FORGOTTEN

The term “Right to be Forgotten” refers to a legal concept resting on the premise that one should not be indefinitely held to past mistakes, misdeeds, or embarassing situations. Its scope of application covers many different kinds of situations: a young adult starting her professional career wanting pictures depicting her teenage party-going years to be removed from social media; a start-up CEO trying to prevent the press from discussing her past failed ventures so as to attract investors; an ex-convict wanting to start her life anew without being constantly reminded of her past misconduct.³ Rather than being seen as a right to be forgotten in the literal sense, the right should instead be understood as an acknowledgement of society’s capacity for forgiveness and empathy regarding past mistakes. In the specific context of online communications, the Right to be Forgotten has been depicted as a right to “digital redemption” or at least as a much-needed protection against the Internet’s capacity to act as an always available archive of human memory.⁴

The exercise of the Right to be Forgotten is traditionally balanced against the fundamental rights of free speech and of the public’s right to information;⁵ for instance, in the case of the ex-convict mentioned above, her right to start a new life may, depending on the severity of her past offence, be limited by the need for those within her new social circle to be informed and kept safe.

Expressions of the Right to be Forgotten have existed in different shapes and forms in the domestic legal systems of the Member States of the European Union, in both the online and the offline context and through various means such as personality rights (e.g., defamation law) and data protection laws.⁶ Given, however, that privacy laws have yet to be harmonised across the Member States of the European Union⁷ aside from a handful of general guidelines laid down by the jurisprudence of the European Court of Human Rights,⁸ there is currently no unified response to the issues raised by the Right to be Forgotten in Europe.⁹

GOOGLE SPAIN AND THE EU RIGHT TO BE DELISTED

It is in this context that the ECJ deduced from European data protection law a specific expression of the Right to be Forgotten in its landmark Google Spain decision of May 13, 2014.

The case concerned Mario Costeja González, a Spanish national, who, in 1998, was forced to sell off assets in a public auction so as to recover social security debts. Ten years later, while searching for his own name on Google, he found that the top search result led to a notice advertising that auction, which was published back then by local newspaper La Vanguardia and which was available on its online archive.¹⁰ Finding that the display of such out-dated and embarrassing information as a top result harmed his personality rights, especially now that he was in better financial shape, he applied to have both the notice removed by La Vanguardia, and the search result removed by Google.

To ground his claim, Mr Costeja González relied on the principles contained in Articles 12 (b) and 14 § 1 (a) of the 1995 Data Protection Directive.¹¹ These provisions grant a so-called data right to erasure, which allow data subjects, i.e., persons whose data is processed, the right to object to and order the rectification, erasure or blocking of instances of processing of personal data deemed unlawful under the Directive. This is particularly the case where the data controller, i.e., the person responsible for the processing, no longer needs the data for the purpose of its processing, and for instance when the client of a given business requests that his or her customer file be erased from the business’ records.

Mr Costeja González’ request was rejected by the Spanish Data Protection Authority —Agencia Española de Protección de Datos— because the publication of the auction notice by that newspaper was lawfully mandated by Spanish law and was thus privileged under Article 7 (c) of the Directive. However, that authority, considering that Google enjoyed no such privilege as regards the display of its search results, ordered the search engine to take down the offending search result.¹²

The latter conclusion was controversial insofar as it was not clear whether the right to erasure granted by Articles 12 (b) and 14 § 1 (a) of the Directive included the right to request the takedown of initially lawful, yet out-dated, data; in other words, whether the right to erasure of data included a Right to be Forgotten.¹³ Thus, Google appealed the decision before the Audiencia Nacional, which then made a request to the ECJ for a preliminary ruling, asking the Court inter alia whether the Directive granted such an extended right to erasure.¹⁴

In its decision, the ECJ considered that the right to erasure also covered out-dated data given that “even initially lawful processing of accurate data may, in the course of time, become incompatible with the directive where those data are no longer necessary in the light of the purposes for which they were collected or processed. That is so in particular where they appear to be inadequate, irrelevant or no longer relevant, or excessive in relation to those purposes and in the light of the time that has elapsed”.¹⁵ Furthermore, the Court recognised that search engines played a “decisive role” in the public’s perception of individuals as they render the dissemination of personal information “accessible to any internet user making a search on the basis of [a] data subject’s name, including to internet users who otherwise would not have found the web page on which those data are published”.¹⁶

The ECJ thus ruled that search engines were, upon request, bound to remove any search results displayed upon searching a name and leading to “inadequate, irrelevant or no longer relevant” personal data. It further ruled that such delisting requests were to be individually collected, and examined by the search engines themselves, in particular so as to balance the issuer’s right to privacy against the public’s right to information in each individual case.¹⁷ Finally, the Court conferred upon the Data Protection Authorities of each Member State (DPAs) a supervisory role over the search engines’ delisting practices, notably providing them with the authority to receive appeals where a search engine refuses to honour a delisting request.¹⁸

On November 26, 2014, the Article 29 Data Protection Working Party, which was the official explanatory body of the Data Protection Directive,¹⁹ published a series of nonbinding guidelines on the RTBD.²⁰ Among several clarifications on the personal and material scope of the right, the Working Party set out a basic list of delisting criteria.²¹

Though the RTBD has since been implemented by all major search engines, including Bing²² Google,²³ and Yahoo!,²⁴ much of the current discussions surrounding the topic have focused on the standards and practices of Google, a fact which is unsurprising given the latter’s dominance in the search engine market. As reported by Patrick Teffer, the vast majority of link deletion requests in 2015 were filed with Google and not with competing search engines.²⁵ And though Google regularly publishes a transparency report containing statistics and general information about its practices,²⁶ it does not report its individual decisions. Furthermore only around 2% of Google’s refusals have been met with an appeal to a national DPA, case law has indeed been scarce.²⁷ In this sense, it might not be exaggerated to say that the main judge and architect of the RTBD is, as of today, Google itself.²⁸ Though this de facto centralisation has been criticised as providing the company with too much power,²⁹ this situation has had the benefit of stabilising the practice surrounding the RTBD, a much-needed development given the lack of guidance on the part of both the ECJ and the Working Party.³⁰

However, that stability is now disturbed by two challenges, which look to expand the scope of the RTBD further.

TWO DEVELOPMENTS

The Google Inc. case and the geographical scope of the RTBD

The first challenge awaiting the RTBD concerns a pending request for a preliminary ruling filed before the ECJ by the French Conseil d’Etat, made in the context of an on-going litigation process involving the French DPA, the Commission Nationale de l’Informatique et des Libertés (CNIL), and concerning the controversial —and as yet unresolved— issue of the scope of the delisting obligation imposed by the RTBD.

The background of the dispute is as follows: in its Google Spain decision, the ECJ, as mentioned above, ruled that search engines were “obliged to remove” search results displaying “inadequate, irrelevant or excessive” information. However, the Court failed to specify whether offending search results had to be removed locally —i.e., only for internet users located in the European Union— or globally.

Lacking guidance on this point, Google, when it launched its search removal form back in May 2014, adopted a Top Level Domain based distribution scheme, ensuring that only search results displayed by the European versions of its service, such as google.de or google.fr, were compliant with the RTBD. This implementation model, however, did not hard lock users to their location of access through geolocation, meaning that European users only needed to type a foreign version of Google, such as google.com or google.ca, into their address bar in order to access a full list of results and thus circumvent the RTBD.³¹

The Art. 29 Working Party Guidelines, published a few months later, characterised Google’s practice as inefficient and further interpreted the Google Spain ruling as requiring a global delisting scheme:

The ruling sets […] an obligation of results which affects the whole processing operation carried out by the search engine. The adequate implementation of the ruling must be made in such a way that data subjects are effectively protected against the impact of the universal dissemination and accessibility of personal information offered by search engines when searches are made on the basis of the name of individuals.

Although concrete solutions may vary depending on the internal organisation and structure of search engines, de-listing decisions must be implemented in a way that guarantees the effective and complete protection of these rights and that EU law cannot be easily circumvented. In that sense, limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the judgment. In practice, this means that in any case de-listing should also be effective on all relevant domains, including.com.³²

Google, however, doubled down on its practice. Indeed, its chosen implementation model for the RTBD had in the meantime been approved by the Advisory Council on the Right to be Forgotten, an independent group that Google appointed for the purpose of shaping its delisting practices and which was composed of high-profile scholars, entrepreneurs and stakeholders, including United Nations Special Rapporteur Frank LaRue, Le Monde’s editorial director Sylvie Kauffmann and German Parliament representative Sabine Leutheusser-Schnarrenberger.³³

In its final report issued on February 6, 2015, the Advisory Council concluded that the interests of users located outside the European Union in accessing lawful content in their own jurisdiction, along with those of European users in having foreign search engine results available, outweigh the need for “absolute protection of a data subject’s rights”.³⁴ Furthermore, the Advisory Council noted that Google.com already automatically redirected users to their local search results and that “over 95% of all queries originating in Europe are on local versions of the search engine”. With the approval of their independent expert panel, Google thus soldiered on with its domain name-based scheme.

Things started to stir again in May 2016, when the CNIL engaged formal proceedings against Google, requesting that search results be delisted globally. This prompted the company to change its ways by locking users into their ‘home’ Google through the use of geolocation technologies. This effort, however, was deemed unsatisfactory by the CNIL, which, on March 24, 2016, imposed a €100,000 fine against the search engine.³⁵

Google appealed against the decision before the Conseil d’Etat. It also publicly criticised the CNIL’s position through an op-ed written by its Senior Vice President Kent Walker and published in the French newspaper Le Monde.³⁶ The piece, stating that Google had already complied with the Google Spain decision to the best of its abilities, argued that the CNIL in essence ordered that “its interpretation of French law protecting the right to be forgotten should apply not just in France, but in every country in the world” (emphasis original) and that, in view of the principle of comity between nations, such order “could lead to a global race to the bottom, harming access to information that is perfectly lawful to view in one’s own country. For example, this could prevent French citizens from seeing content that is perfectly legal in France”.³⁷

By decision of July 19, 2017, the Conseil d’Etat found that the case raised significant issues of interpretation of the Google Spain ruling, and forwarded three preliminary questions to the ECJ.³⁸ It first asked whether the RTBD required search engines to delist offending search results in a global manner, or whether it sufficed that the search results be delisted locally, i.e., only when generated for users located in the European Union. If the ECJ were to opt for a local, EU-specific, delisting scheme, the Conseil d’Etat alternatively asked whether such scheme was to be enforced by locking users into their home jurisdiction through means of geolocation technologies, or whether a softer TLD-based approach, such as Google’s initial implementation model, was acceptable.³⁹

Given the CNIL and the Working Party’s clear signals in favour of a global delisting scheme, it would not be too surprising to see the ECJ declare such a scheme as mandatory. However, Google’s criticism of this approach rings true insofar as the fact that the adoption of that option would have the practical effect of extending the reach of the RTBD, and thus, of EU data protection law, to situations in which it is geographically inapplicable. By doing so, it would offend the principle of comity between states.⁴⁰

The second option submitted to the ECJ, i.e., a regional delisting obligation enforced through means of geolocation technologies, should be preferred. This option would respect the fact that content targeted by the RTBD may be held as lawful in other jurisdictions. As regards effectiveness, circumvention of such a scheme would only be possible through the use of dedicated technical means, such as a VPN connection or a proxy service. This would be sufficient to safeguard the stated goal of the RTBD, which, rather than takedown of the offending publication, is the partial delisting of that content so as to prevent its wide dissemination to the public.⁴¹ In this sense, a recent ruling of the Spanish Audiencia Nacional seemed to opt in favour of this option.⁴²

That said, it should also be recognised that this discussion is, for all intents and purposes, nothing new. The question of the geographical scope of removal of unlawful content online has been a thorny issue in cyber law going all the way back to the seminal 2000 Yahoo! case, in which two French organisations sought the removal of auctions of Nazi memorabilia, which are prohibited under French law, from the website of the US-based company. In that case, the French Tribunal de Grande Instance de Paris, aware of the potential negative extra-territorial effects of a global injunction for the removal of that content, instead obliged Yahoo! to implement a regional, geolocation-based filtering scheme.⁴³ Thus, it is surprising to see the French CNIL deviate from this precedent by requiring that Google delist its search results globally.

The entry into force of the GDPR

On May 25, 2018, the General Data Protection Regulation entered into force, creating a unified legal framework for data protection in the European Union and thus displacing the Data Protection Directive. Among many innovations, the GDPR includes a “Right to Erasure / Right to be Forgotten”, which is contained in Articles 17 and 19.⁴⁴

In contrast to the limited nature of the RTBD as instituted by the ECJ in Google Spain, Article 17 of the GDPR foresees a general right of erasure of personal data, enforceable against data controllers at large, in particular when “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed” and when “the data subject withdraws consent on which the processing is based […] and where there is no other legal ground for the processing”.⁴⁵ The material scope of Article 17 of the GDPR may thus be broader than that of the RTBD, as Article 17 is purported to apply to any instance of online personal data, thus going well beyond search results. Its personal scope may consequently be broader as well, as the burden of erasure would be fostered upon a wider range of online intermediaries, including social media, news websites, content providers and hosting providers.⁴⁶ Furthermore, paragraph 2 of Article 17 along with Article 19 markedly provide for an enhanced obligation of notification of the erasure to downstream data controllers, i.e., third parties to which the data targeted for erasure has been disclosed by the data controller, or which may reasonably be foreseen as processing said data for their own purpose.

According to this reading, the Right to be Forgotten in the GDPR should hereby replace and/or expand the existing regime instituted by the Data Protection Directive and Google Spain. However, whether this will actually be the case in the coming months, remains unclear.⁴⁷

On the one hand, the discussions conducted around the time of the GDPR’s drafting suggest that its Right to be Forgotten was meant to apply broadly to internet actors rather than remain confined to search engines. While the privacy issues posed by these search engines were most certainly mentioned during the discussions surrounding the drafting of the Regulation, not least because the Google Spain case was pending at the time, they were only mentioned as one example amongst others, such as Facebook.⁴⁸

On the other hand, the legislative intent behind the RTBF of the GDPR may be unhelpful precisely because the provision was drafted before the ECJ’s decision in Google Spain and did not account for the subsequent establishment of the RTBD. It may thus be argued that Google Spain, as it is being currently applied by search engines, is an iteration of the GDPR’s initial proposal, and that the entry into force of the latter Regulation does not significantly impact its implementation model. Indeed, given that the RTBD is still subject to refinement, as evidenced by the pending case mentioned above regarding its geographical scope, it seems unlikely that the slate will be wiped clean altogether by the entry into force of the GDPR.

Yet, there is a distinct lack of guidance regarding which changes, if any, are actually brought about by the transition between the two regimes. In this context, it is telling that while the entry into force of the GDPR has seen online intermediaries and businesses at large scramble to update their privacy policies and consent mechanisms,⁴⁹ major social media players such as Facebook, Flickr and Linkedin are yet to implement specific procedures for RTBF claims. In contrast, the RTBD seems to be followed by search engines as if no regime change had occurred.

RISK OF A PRACTICAL BREAKDOWN

As shown through the two challenges described above, the future of the RTBD remains uncertain. While its current formulation may yet remain in place, that model may just as easily become displaced by a broader Right to be Forgotten having an expanded personal and material scope. In other words, the practical implications of the RTBD could shift from the regional delisting of search results by search engines to the global takedown of content by all kinds of online services.

In the latter case, however, it is submitted that the current implementation model of the RTBD —which is based upon the individual compliance of search engines and which has formed itself mostly through Google’s on-going practice— is not ready for such an expansion as it lacks means of scalability.

For instance, regarding procedural matters, there are no mechanisms in place to ensure the consistency of outcomes across multiple search engines. It is even unclear whether such consistency is even desirable in the first place.⁵⁰ Furthermore, search engines currently decide upon delisting requests ex parte and based solely on the content of each submitted request. While such a procedure is already arguably deficient in terms of due process,⁵¹ it would clearly be insufficient in the context of requests for takedown of actual content rather than only search engine delisting, as such practice would run afoul of established principles regarding content takedown such as the Manila Principles on Intermediary Liability.⁵²

Regarding substantive matters, the criteria for delisting, as established by the Working Party’s guidelines, leave much room for discretion for individual search engines.⁵³ In addition, there lacks a unified methodology of ascertaining which substantive Member State law applies to the privacy and free speech elements of any given case.⁵⁴ As such, predicting whether any link is subject to removal is already a difficult exercise under the current regime, a situation that does not bode well for a possible expansion of the RTBD.

As detailed by Daphne Keller, the entry into force of the GDPR does not solve these issues. The erasure procedure foreseen by its Articles 17 and 19 relies heavily on individual and independent private ordering; it provides data controllers with extensive discretion when deciding on each individual erasure request and offers no safeguards so as to promote consistency of decisions, or compliance with the principle of due process.⁵⁵

There is thus a tangible risk that any expansion of the scope of application of the RTBD would result in a practical breakdown of its current implementation model.

PROPOSAL FOR A CENTRALISED ADR-STYLED MODEL

The above conclusion raises the question of how the RTBD can now be implemented in view of the new challenges it faces. The remainder of this piece will set out a number of potential solutions.

A first path would be to retain the current implementation model based on private decision-making and to correct its deficiencies. In this sense, Daphne Keller recommends that the procedural trappings of delisting and erasure be aligned with existing rules of European law regarding intermediary liability, contained in Articles 12 to 15 of the eCommerce directive and which provide for a notice and takedown procedure to curtail such liability.⁵⁶ Failing that, she suggests that intermediaries take inspiration from these provisions along with other established standards for notice and takedown procedures such as the Manila Principles on Intermediary Liability.⁵⁷

Regarding standard setting and effective oversight, Jacques De Werra —coining the term ‘Massive Online Micro-Justice’, or ‘MOMJ’— suggests that a possible model for inspiration lies in the Uniform Domain Name Dispute Resolution (UDRP) system, which since 1999, has served as a centralised dispute resolution organ for domain name disputes. As applied to the RTBD, he envisages a two-step decision-making process in which intermediaries would be placed at the first step, with an independent alternative dispute resolution body having jurisdiction on appeal. That body would be composed of industry representatives and DPA officers. It would offer proper due process, and have the additional tasks of overseeing the practice of intermediaries, punishing bad actors, and of developing commonly agreed-upon criteria for adjudication.⁵⁸

A second path would be to reconsider the RTBD’s implementation model as a whole. Among those advocating this approach, Eldar Haber is of the opinion that placing the burden of the RTBD on the metaphorical shoulders of internet intermediaries in the first place is a mistake, as such practice has the effect of providing private entities with the capacity to weigh in on issues that should only be decided on by courts or designated official authorities offering the sufficient guarantees of due process. His main proposal would see that intermediaries be entirely removed from the overall erasure process, with the task of adjudicating RTBD disputes being either provided to DPAs and courts or to specially appointed administrative agencies.⁵⁹

One solution worth exploring would be an expansion of the UDRP-style proposal put forward by De Werra. Instead of acting as an appeals mechanism, the alternative dispute resolution organ could be upgraded to the status of main centralised decision maker; in essence, the proposal would institute a truly international body offering requisite procedural safeguards. Requests for delisting and/or erasure would be made directly to that body, which would then decide on the issue and forward, if necessary, an order to all concerned intermediaries for the purpose of implementation. This model would handily solve the issues of scalability discussed above.

Such a model would also have the effect of liberating resources on the intermediaries’ side, since they would not need to create or maintain an ad hoc dispute resolution system. That benefit could then be put to use for the funding of the ADR body by imposing a payment obligation on intermediaries on a proportional “polluter pays” principle.

It could still be argued that the proposed model does not solve all of these issues. Indeed, an independent EU-created body as sole adjudicator of delisting requests may be subjected to an enormous administrative burden. Additionally, such a model would not diminish the uncertainty surrounding the privacy aspects of the RTBD, which are still formally contained in Member State law. To address these objections, two thoughts come to mind: for one thing, not all RTBD requests are complex cases involve the exercise of freedom of speech; it could thus be possible to imagine the hypothetical body being tasked with adjudicating, and thus filtering out, all of the “easy” requests: for instance, those that have no prima facie case, those that address pure data protection issues or those where the delisting criteria clearly point towards a solution. The remaining handful of “hard” requests —those where the balancing exercise becomes tricky— could then be forwarded to a competent national DPA or court for proper examination.

CONCLUSION

Though the Right to be Delisted has been part of EU data protection law since the ECJ’s May 2014 Google Spain decision, the operational details of the exercise of that right have remained, at best, unsettled. It is striking indeed that it is only now —four years later— that such fundamental issues such as the geographical scope of the obligation of delisting are beginning to yield concrete answers.

In this sense, it does seem that much of the current arrangements surrounding the RTBD have been the result of a de facto reaction by industry actors to the Google Spain ruling rather than a cohesive and principled effort to implement that ruling. The issues outlined through this contribution could thus be the symptoms of a more fundamental problem, and namely that there lacks a unifying vision for the future of the RTBD. Is it about delisting? Is it about erasure? Which online actors are concerned? What procedural safeguards should be implemented?

Now that the GDPR is in force, these remaining questions will need to be settled. Furthermore, to avoid a foreseeable breakdown, the implementation model of the RTBD will need to stop relying on the convenience of Google as a de facto centralised authority and be developed around a consistent and stable model, such as the institution of an ADR-style organism.

BIBLIOGRAPHY

Legislation, Policy Documents and Case law

Article 29 Data Protection Working Party. “Guidelines on the implementation of the Court of Justice of the European Union judgment on ‘Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González C-131/12’ WP 225, 14/EN”. November 26, 2014.

CNIL. Délibération n.° 2016-054. March 10, 2016.

Conseil d’État. Décision n.° 399922, Google Inc. July 19, 2017.

Cour de cassation de Belgique. P.H. c. O.G., Arrêt n.° C.15.0052F. April 29, 2016.

Cour de cassation de Francia. Première chambre civile, n.° de pourvoi: 15-17729. May 12, 2016.

Court of Justice of the European Union. (Google Spain SL y Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González). C-131/12, ECLI: EU:C:2014:317. May 13, 2014).

European Parliament and of the Council. “Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”. Official Journal of the European Communities L 281/31, November 23, 1995.

European Parliament and of the Council. “Directive 2000/31/EC, on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market ‘Directive on electronic commerce’. Official Journal of the European Communities L 171/1. July 17, 2000.

European Union. “The EU General Data Protection Regulation (GDPR)”. Official Journal of the European Communities L119. May 14, 2016.

10.

House of Lords European Union Committee. “EU Data Protection Law: “A Right to be forgotten”?” Second Report of Session 2014-15, HL Paper n.° 40. July 30, 2014.

11.

M.L. and W.W. v Germany. (2018) ECHR 554.

12.

Mosley v United Kingdom. (2011) 53 E.H.R.R 30.

13.

Swiss Loi sur la protection des données. Article 15 (RS 235.1).

14.

Swiss Code Civil. Articles 28 y 28^a (RS 210).

15.

Swiss Federal Court. ATF 122 III 449 and 5C.156/2003. October 23, 2003.

Articles

16.

Ahmed, Farhaan Uddin. “Right to be Forgotten: A Critique of the Post-Costeja Gonzales Paradigm”. Computer and Telecommunications Law Review 21 (2015): 175-176.

17.

de Werra, Jacques. “Alternative Dispute Resolution in Cyberspace: The Need to Adopt Global ADR Mechanisms for Addressing the Challenges of Massive Online Micro-Justice”. Swiss Review of International and European Law 26, n.° 2 (2016): 289, 294-295.

18.

Gstrein, Oskar Josef. “The Cascade of Decaying Information: Putting the ‘Right to be Forgotten’ in Perspective”. Computer and Telecommunications Law Review 21, n.° 2 (2015): 46.

19.

Haber, Eldar. “Privatization of the Judiciary”. Seattle University Law Review 40 (2016): 115, 12-127.

20.

Hardy, Bruno. “Application dans l’espace de la directive 95/46/CE: la géographie du droit à l’oubli”. Revue Trimestrielle de droit européen 50, n.° 4 (2014): 879.

21.

Keller, Daphne. “The Right Tools: Europe’s Intermediary Liability Laws and the 2016 General Data Protection Regulation”. Berkeley Technology Law Journal 33, n.° 297, http://dx.doi.org/10.2139/ssrn.2914684.

22.

Hoboken, Joris van. “The Proposed Right to be Forgotten Seen From the Perspective of Our Right to Remember”. Report prepared for the European Commission, (May, 2013), http://www.law.nyu.edu/sites/default/files/upload_documents/VanHoboken_RightTo%20Be%20Forgotten_Manuscript_2013.pdf, 2-7.

23.

Powles, Julia. “The Case That Won’t Be Forgotten”. Loyola University Chicago Law Journal 47 (2015): 583, 591 et seq.

24.

Reymond, Michel. “Hammering Square Pegs into Round Holes: The Geographical Scope of Application of the EU Right to be Delisted”. Berkman Klein Center for Internet & Society at Harvard University Research Publication n.° 2016-12 (2016), 5-8 y 16-17.

25.

Rosen, Jeffrey. “The Right to be forgotten”. Stanford Law Review Online 54 (2012): 88, 90-92.

26.

Rustad, Michael y Sanna Kulevska. “Reconceptualizing the Right to be Forgotten to Enable Transatlantic Data Flow”. Harvard Journal of Law and Technology 28, n.° 2 (2015): 349, 365.

27.

Svantesson, Dan Jerker B. “The Google Spain Case: Part of a Harmful Trend of Jurisdictional Overreach”. European University Institute Working Papers, RSCAS 2015/45 (2015).

28.

Tamó, Aurelia y Damian George. “Oblivion, Erasure and Forgetting in the Digital Age”. Journal of Intellectual Property, Information Technology and Electronic Commerce Law 2 (2014): 77-82.

29.

van Alsenoy, Brendan y Marieke Koekkoek. “The extra-territorial reach of the EU’s ‘right to be forgotten”. ICRI Working Paper Series 20 (2015): 14-29.

30.

Wolfgang Schulz, Urs Gasser. “Governance of Online Intermediaries, Observations From a Series of National Case Studies”. The Berkman Klein Center for Internet & Society Research Publication Series, n.° 2015-5, (2015).

Doctrine

31.

Jones, Meg Leta. Ctrl+Z: the Right to be Forgotten. New York: New York University Press, 2016.

32.

Reymond, Michel. La compétence international en cas d’atteinte à la personnalité par Internet. Geneva: Schulthess Médias Juridiques SA, 2015.

The media, blogs, and Web Pages

33.

“Subhasta d’Immobles”. La Vanguardia, January 19, 1998. http://hemeroteca.lavanguardia.com/preview/1998/01/19/pagina-23/33842001/pdf.html.

34.

Boiten, Eerke. “Google’s lip service to privacy cannot conceal that its profits rely on your data”. The Conversation, (2015), http://theconversation.com/googles-lip-service-to-privacy-cannot-conceal-that-its-profits-rely-on-your-data-37592.

35.

Kottasovà, Ivana. “Your Inbox is Being Flooded With Emails About Privacy. Here’s Why”. CNN. May 1, 2018, http://money.cnn.com/2018/05/01/technology/gdpr-data-privacy-email-consent/index.html.

36.

Peguera, Miquel. “Right to be Forgotten and Global Delisting: Some News from Spain”. The Center for Internet and Society Blog, December 17, 2017, http://cyberlaw.stanford.edu/blog/2017/12/right-be-forgotten-and-global-delisting-some-news-spain.

37.

Powles, Julia. “Results May Vary: Borderdisputed on the frontlines of the ‘right to be forgotten’”. Slate (2015), http://www.slate.com/articles/technology/future_tense/2015/02/google_and_the_right_to_be_forgotten_should_delisting_be_global_or_local.html.

38.

Teffer, Peter. “Europeans give Google final say on ‘right to be forgotten’”. Euobserver, (2015).

39.

Walker, Kent. “Ne privons pas les internautes français d’informations légales”. Le Monde, (2016), http://www.lemonde.fr/idees/article/2016/05/19/ne-privons-pas-les-internautes-francais-d-informations-legales_4922590_3232.html.

40.

Walker, Kent. “A principle that should not be forgotten”. Google in Europe Blog, May 31, de 2018, https://europe.googleblog.com/2016/05/a-principle-that-should-not-be-forgotten.html.

Miscellaneous

41.

“Google’s Advisory Council”. Google. Accessed May 31, 2018, https://www.google.com/advisorycouncil/.

42.

“Google’s Advisory Council, Final Report”. Google (2015): 19-20, https://static.googleuser-content.com/media/archive.google.com/en/advisorycouncil/advisement/advisory-report.pdf.

43.

“Personal Information Removal Request Form”. EU Privacy Removal. Google. Accessed May 31, 2018, https://www.google.com/webmasters/tools/legal-removal-request/complaint_type=rtbf&hl=en&rd=1.

44.

Reding, Viviane. “The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age”. Speech given in Munich on January 22, 2012.

45.

“Request to Block Bing Search Results in Europe”. Bing. Accessed May 31, 2018, https://www.bing.com/webmaster/tools/eu-privacy-request.

46.

“Request to block search results in Yahoo Search: Resource for European residents”. Yahoo Help. Accessed May 31, 2018, https://uk.help.yahoo.com/kb/search-for-desktop/requests-block-search-results-yahoo-search-resource-european-residents-sln28252.html?impressions=true.

47.

“Search removals under European privacy law”. Transparency Report, Google. Accessed May 31, 2018, https://transparencyreport.google.com/eu-privacy/overview?hl=en.

48.

“The Manila Principles on Intermediary Liability”. Accessed May 31, 2018, https://www.manilaprinciples.org.

Notes

[1] Court of Justice of the European Union, (Google Spain SL y Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González). C-131/12, ECLI:EU:C:2014:317 (May 13, 2014), hereafter referred to as “Google Spain”.

[2] On this distinction, see House of Lords, “EU Data Protection Law: a ‘Right to be Forgotten’?”, European Union Committee, 2^nd Report of Session 2014-15, July 30, 2014, 9; Urs Gasser, Wolfgang Schulz, “Governance of Online Intermediaries, Observations From a Series of National Case Studies”, The Berkman Klein Center for Internet & Society Research Publication Series n.° 2015-5, (2015): 4; Oskar Josef Gstrein, “The Cascade of Decaying Information: Putting the ‘Right to be Forgotten’ in Perspective”, Computer and Telecommunications Law Review 21, n.° 2 (2015): 46.

[3] The examples mentioned here are inspired by real-life delisting requests received by Google, see “Search removals under European privacy law”, Transparency Report, Google, accessed May 31, 2018, https://transparencyreport.google.com/eu-privacy/overview?hl=en.

[4] Meg Leta Jones, Ctrl+Z: the Right to be Forgotten (New York: New York University Press, 2016), 11-17; in this sense, see also Farhaan Uddin Ahmed, “Right to be Forgotten: A Critique of the Post-Costeja Gonzales Paradigm”, Computer and Telecommunications Law Review 21 (2015): 175, 176; Joris van Hoboken, “The Proposed Right to be Forgotten Seen From the Perspective of Our Right to Remember”, Report prepared for the European Commission, May 2013, http://www.law.nyu.edu/sites/default/files/upload_documents/VanHoboken_RightTo%20Be%20Forgotten_Manuscript_2013.pdf, 2-7.

[5] Jeffrey Rosen, “The Right to be forgotten”, Stanford Law Review Online 54 (2012): 88, 90-92.

[6] For a comparative overview of existing national expressions of the RTBF in EU national law, see Jones, “Ctrl+Z”, 29-39; Aurelia Tamó, Damian George, “Oblivion, Erasure and Forgetting in the Digital Age”, Journal of Intellectual Property, Information Technology and Electronic Commerce Law 2 (2014): 77-82; more generally, see also Van Hoboken, “The Proposed Right to be Forgotten”, 23-26. Outside of the EU Member States, though still of interest, the RTBF in Switzerland is traditionally anchored in personality rights and press law, with data protection law only providing erasure through reference to civil law remedies, see Articles 28 and 28a of the Swiss Code Civil (RS 210); Article 15 of the Swiss Loi sur la protection des données (RS 235.1); Swiss Federal Court, ATF 122 III 449 and Judgment 5C.156/2003 of 23 October 2003.

[7] For instance, the EU has yet to adopt a harmonised choice-of-law regime for personality torts in civil law. See Article 1 (g), Regulation (EC) n.° 864/2007 of the European Parliament and of the Council of July 11, 2007 on the law applicable to non-contractual obligations (Rome II); see also the Comparative Study carried out prior to the exclusion of privacy and personality torts from the Rome II Regulation and highlighting the diversity of EU regimes, JLS/2007/C4/028.

[8] See for instance Mosley v United Kingdom, [2011] 53 E.H.R.R 30; specifically on the RTBF, see the recent case of M.L. and W.W. v Germany, [2018] ECHR 554.

[9] Jones, Ctrl+Z, 44-45; Tamó and George, “Oblivion”, 82-83. In the context of press archives on the Internet, contrast for instance the two following cases, reaching different solutions on similar facts: Cour de cassation de Belgique, P.H. c. O.G., Arrêt n.° C.15.0052F, April 29, 2016, and Cour de cassation (France), première chambre civile, n.° de pourvoi: 15-17729, Mai 12, 2016.

[10] “Subhasta d’Immobles”, La Vanguardia, (1998), 23, http://hemeroteca.lavanguardia.com/preview/1998/01/19/pagina-23/33842001/pdf.html.

[11] European Parliament and of the Council, Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal of the European Communities L 281/31, November 23, 1995 (hereinafter: “Data Protection Directive”). It should, however, be specified that the claimant formally based his claim upon the “Ley Orgánica 15/1999, de 1 de diciembre de Protección de Datos de Carácter Personal”, which was the implementing law of the Data Protection Directive in Spain.

[12] “Google Spain”, 15-17.

[13] Eldar Haber, “Privatisation of the Judiciary”, Seattle University Law Review 40 (2016), 115, 12-127; Jones, Ctrl+Z, 41-42; Tamó and George, “Oblivion”, 72-73; 75; van Hoboken, “The Proposed Right to be Forgotten”, 7-11.

[14] “Google Spain”, 20. The first two questions referred to the CJUE, concerning the Data Protection Directive’s personal and geographical scope respectively, shall not be reported in this contribution. For the author’s analysis of these issues, see Michel Reymond, “Hammering Square Pegs into Round Holes: The Geographical Scope of Application of the EU Right to be Delisted”, Berkman Klein Center for Internet & Society at Harvard University Research Publication, n. ° 2016-12 (2016): 5-8 y 16-17..

[15] “Google Spain”, 93.

[16] Google Spain, § 36.

[17] Google Spain, § 76.

[18] Google Spain, § 77.

[19] On May 25, 2018, following the entry into force of the General Data Protection Regulation, this group was renamed the European Data Protection Board. See Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive), Official Journal of the European Union L119, May 14, 2016, 1, and spec. Articles 64, 65, and 68-74.

[20] Article 29 Data Protection Working Party, “Guidelines on the implementation of the Court of Justice of the European Union judgment on ‘Google Spain and Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González C-131/12’”, WP 225, 14/EN, November 26, 2014.

[21] See e.g., Article 29 Data Protection Working Party, “Guidelines”, 20, point 13.

[22] “Request to Block Bing Search Results in Europe”, Bing, accessed May 31, 2018, https://www.bing.com/webmaster/tools/eu-privacy-request.

[23] “Personal Information Removal Request Form”, EU Privacy Removal, Google, accessed May 31, 2018, https://www.google.com/webmasters/tools/legal-removal-request?complaint_type=rtbf&hl=en&rd=1.

[24] “Request to block search results in Yahoo Search: Resource for European residents”, Yahoo Help, accessed May 31, 2018, https://uk.help.yahoo.com/kb/search-for-desktop/requests-block-search-results-yahoo-search-resource-european-residents-sln28252.html?impressions=true.

[25] Patrick Teffer, “Europeans give Google final say on ‘right to be forgotten’”, Euobserver, (2015), https://euobserver.com/investigations/130590.

[26] “Search removals under European privacy law”, Transparency Report, Google, accessed May 31, 2018, https://transparencyreport.google.com/eu-privacy/overview?hl=en.

[27] Teffer, “Europeans”.

[28] Ahmed, “The Right to be Forgotten”, 179-180; Haber, “Privatisation”, 137-139; Jones, Ctrl+Z, 45; Julia Powles, “The Case That Won’t Be Forgotten”, Loyola University Chicago Law Journal 47 (2015): 583, 591 et seq.

[29] Eerke Boiten, “Google’s lip service to privacy cannot conceal that its profits rely on your data”, The Conversation, (2015), http://theconversation.com/googles-lip-service-to-privacy-cannot-conceal-that-its-profits-rely-on-your-data-37592; Powles, “The Case”, 594-606.

[30] Jacques de Werra, “Alternative Dispute Resolution in Cyberspace: The Need to Adopt Global ADR Mechanisms for Addressing the Challenges of Massive Online Micro-Justice”, Swiss Review of International and European Law 26, n.° 2 (2016): 289, 294-295.

[31] Jones, “Ctrl+Z”, 176; Powles, “The Case”, 596-597; Michael Rustad and Sanna Kulevska, “Reconceptualizing the Right to be Forgotten to Enable Transatlantic Data Flow”, Harvard Journal of Law and Technology 28, n.° 2 (2015): 349, 365.

[32] Article 29 Data Protection Working Party, “Guidelines”, 9.

[33] “Google’s Advisory Council”, Google, last accessed May 31, 2018, https://www.google.com/advisorycouncil/.

[34] Google Advisory Council, “Final Report”, (2015), https://static.googleusercontent.com/media/archive.google.com/en/advisorycouncil/advisement/advisory-report.pdf, 19-20.

[35] CNIL, Délibération n. °2016-054, March 10, 2016.

[36] Kent Walker, “Ne privons pas les internautes français d’informations légales”, Le Monde, (2016), http://www.lemonde.fr/idees/article/2016/05/19/ne-privons-pas-les-internautes-francais-d-informations-legales_4922590_3232.html; for an English translation, see “A principle that should not be forgotten”, Google in Europe Blog, May 31, 2018, https://europe.googleblog.com/2016/05/a-principle-that-should-not-be-forgotten.html.

[37] Walker, “A principle that should”.

[38] Conseil d’Etat, Décision n.° 399922, Google Inc., July 19, 2017.

[39] Conseil d’État, Décision n.° 399922.

[40] Bruno Hardy, “Application dans l’espace de la directive 95/46/CE: la géographie du droit à l’oubli”, Revue Trimestrielle de droit européen 50, n.° 4 (2014): 879, part IV; Jones, Ctrl+Z, 175-177; Julia Powles, «Results May Vary: Borderdisputed on the frontlines of the ‘right to be forgotten’», Slate, (2015), http://www.slate.com/articles/technology/future_tense/2015/02/google_and_the_right_to_be_forgotten_should_delisting_be_global_or_local.html; Dan Jerker B. Svantesson, «The Google Spain Case: Part of a Harmful Trend of Jurisdictional Overreach», European University Institute Working Papers, RSCAS 2015/45, (2015), Brendan van Alsenoy y Marieke Koekkoek, «The extra-territorial reach of the EU’s ‘right to be forgotten», ICRI Working Paper Series, 20/2015, (2015): 14-29.

[41] Contrast with Ahmed, “The Right to be Forgotten”, 178 (Though some may find the removal of links to information from Google’s search index to be sufficient, that would depend, however, upon the purpose for which the information is being used and whether mere removal from the search index would actually render it useless. Furthermore, the links in their entirety continue to exist without much hindrance and can be found by someone who has reasonable experience in web searching).

[42] Miquel Peguera, “Right to be Forgotten and Global Delisting: Some News from Spain”, The Center for Internet and Society Blog, December 17, 2017, http://cyberlaw.stanford.edu/blog/2017/12/right-be-forgotten-and-global-delisting-some-news-spain.

[43] Tribunal de Grande Instance de Paris, Ordonnance de référé du 20 novembre 2000, November 20, 2000. For a detailed comment by the present author, including further references, see Michel Reymond, La compétence international en cas d’atteinte à la personnalité par Internet (Geneva: Schulthess Médias Juridiques SA, 2015), 145-153.

[44] For a critical and in-depth look at the erasure mechanism contained in the GDPR, see Daphne Keller’s series of posts on the topic hosted by the Center for Internet and Society at Stanford Law School’s blog platform: “Intermediary Liability and User Content under Europe’s New Data Protection Law”, October 8, 2015; “The GDPR’s Notice and Takedown Rules: Bad News for Free Expression but not Beyond Repair”, October 29, 2015; “Notice and Takedown under the GDPR: an Operational Overview”, October 29, 2015; “Solving Data Protection Problems with eCommerce Directive Tools”, November 11, 2015; “Free Expression Gaps in the General Data Protection Regulation”, November 30, 2015; “Series Conclusion and Summary: Intermediaries and Free Expression under the GDPR in Brief and The Final Draft of Europe’s “Right to be Forgotten” Law”, December 17 2015. These articles are collectively available at http://cyberlaw.stanford.edu/blog/. Finally, see also Daphne Keller, “The Right Tools: Europe’s Intermediary Liability Laws and the 2016 General Data Protection Regulation”, Berkeley Technology Law Journal 33, n.° 297, http://dx.doi.org/10.2139/ssrn.2914684.

[45] GDPR, Article 17, 1, (a) and (b).

[46] Jones, Ctrl+Z, 48-50; Rustad and Kulevska, “Reconceptualising”, 367-370; Tamó and George, “Oblivion”, 72-73.

[47] Haber, “Privatisation”, 124-125; Keller, “The Final Draft”, second indent.

[48] Viviane Reding, “The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age”, Speech given in Munich on January 22, 2012, 5; see also van Hoboken, “The Proposed Right to be Forgotten”, 26-29; Rosen, “The Right to be Forgotten”, 90-91.

[49] Ivana Kottasovà, “Your Inbox is Being Flooded With Emails About Privacy. Here’s Why”, CNN, May 1, 2018, http://money.cnn.com/2018/05/01/technology/gdpr-data-privacy-email-consent/index.html.

[50] Article 29 Working Party, “Guidelines”, 29; House of Lords, EU Data Protection Law, 15-16.

[51] Gasser and Schulz, “Governance of Online Intermediaries”, 8; Jones, Ctrl+Z, 43-46; contrast with Haber, “Privatisation”, 16-25, 43-46.

[52] The Manila Principles on Intermediary Liability, accessed May 31, 2018, https://www.manilaprinciples.org; Keller, “Bad news”, under “What’s Wrong with the GDPR’s Notice and Takedown Process”; “Notice and Takedown under the GDPR”, point 7; “Free Expression Gaps”, under Process and Public Resources to Protect Fundamental Rights.

[53] Ahmed, “The Right to be Forgotten”, 181-182.

[54] Reymond, “Hammering Square Pegs”, 37-41.

[55] See above, note 52.

[56] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’), Official Journal of the European Communities L 171/1 (July 17, 2000), 1; in France, the Directive has for instance been transposed by the Loi n.° 2004-575 du 21 juin 2004 pour la confiance dans l’économie numérique; with its Article 6 implementing the notice and takedown regime for intermediaries.

[57] Keller, “Solving Data Protection problems”.

[58] De Werra, “Alternative Dispute Resolution in Cyberspace”, 289, 302-306.

[59] Haber, “Privatisation”, 164. See also Ahmed, “The Right to be Forgotten”, 182-183.

[1] Tribunal de Justicia de la Unión Europea. (Google Spain SL y Google Inc. vs. Agencia Española de Protección de Datos [AEPD] y Mario Costeja González). C-131/12, ECLI:EU:C:2014:317 (13 mayo, 2014). De ahora en adelante llamado “Google Spain”.

[2] Para esta distinción, véase House of Lords, “EU Data Protection Law: a ‘Right to be Forgotten’?”, European Union Committee, 2^nd Report of Session 2014-15, 30 de julio de 2014, 9; Urs Gasser, Wolfgang Schulz, “Governance of Online Intermediaries, Observations From a Series of National Case Studies”, The Berkman Klein Center for Internet & Society Research Publication Series, n.º 2015-5, (2015): 4; Oskar Josef Gstrein, “The Cascade of Decaying Information: Putting the ‘Right to be Forgotten’ in Perspective”, Computer and Telecommunications Law Review 21, n.º 2 (2015): 46.

[3] Los ejemplos mencionados aquí están inspirados por solicitudes de desindexación de la vida real que Google ha recibido, véase “Search removals under European privacy law”, Transparency Report, Google, consultado el 31 de mayo de 2018, https://https://transparencyreport.google.com/eu-privacy/overview?hl=en.

[4] Meg Leta Jones, Ctrl+Z: the Right to be Forgotten (New York: New York University Press, 2016), 11-17; en este sentido, véase también Farhaan Uddin Ahmed, “Right to be Forgotten: A Critique of the Post-Costeja Gonzales Paradigm”, Computer and Telecommunications Law Review 21 (2015): 175, 176; Joris van Hoboken, “The Proposed Right to be Forgotten Seen From the Perspective of Our Right to Remember”, Informe preparado para la Comisión Europea, (mayo de 2013), http://www.law.nyu.edu/sites/default/files/upload_documents/VanHoboken_RightTo%20Be%20Forgotten_Manuscript_2013.pdf, 2-7.

[5] Jeffrey Rosen, “The Right to be forgotten”, Stanford Law Review Online 54 (2012): 88, 90-92.

[6] Para una visión general comparativa de las expresiones nacionales existentes del derecho al olvido en las leyes nacionales de los países de la UE, véase Jones, “Ctrl+Z”, 29-39; Aurelia Tamó, Damian George, “Oblivion, Erasure and Forgetting in the Digital Age”, Journal of Intellectual Property, Information Technology and Electronic Commerce Law 2 (2014): 77-82; para información más general, véase también Van Hoboken, “The Proposed Right to be Forgotten”, 23-26. Por fuera de los estados miembro de la UE, aunque también de interés, el derecho al olvido en Suiza tradicionalmente está anclado en las leyes de la personalidad y de prensa, y la ley de protección de datos solo establece la supresión mediante referencia al derecho civil, véanse los artículos 28 y 28a del Código Civil de Suiza (RS 210); artículo 15 del Swiss Loi sur la protection des données (RS 235.1); Swiss Federal Court, ATF 122 III 449 y el fallo 5C.156/2003 del 23 de octubre de 2003.

[7] Por ejemplo, la UE aún no ha adoptado un régimen de elección de ley para agravios a la personalidad en el derecho civil. Véase artículo 1 (g), Reglamento (EC) n.º 864/2007 del Parlamento Europeo y del Consejo del 11 de julio de 2007 sobre las leyes aplicables a obligaciones no contractuales (Roma II); véase también el estudio comparativo realizado antes de la exclusión de los agravios a la privacidad y a la personalidad del Reglamento Roma II, y que resalta la diversidad de los regímenes de la UE, JLS/2007/C4/028.

[8] Véase, por ejemplo, Mosley v United Kingdom, (2011) 53 E.H.R.R 30; específicamente para el derecho al olvido, véase el caso reciente de M.L. and W.W. v Germany, (2018) ECHR 554.

[9] Jones, “Ctrl+Z”, 44-45; Tamó y George, “Oblivion”, 82-83. En el contexto de los archivos de prensa en internet, contrastar, por ejemplo, los dos casos siguientes, que llegaron a soluciones diferentes para hechos similares: Cour de cassation de Belgique, P.H. c. O.G., Arrêt n.º C.15.0052F, 29 de abril de 2016, y Cour de cassation (Francia), première chambre civile, n.º de pourvoi: 15-17729, 12 de mayo de 2016.

[10] “Subhasta d’Immobles”, La Vanguardia, (1998), http://hemeroteca.lavanguardia.com/preview/1998/01/19/pagina-23/33842001/pdf.html.

[11] Directiva 95/46/CE del Parlamento Europeo y del Consejo, del 24 de octubre de 1995, relativa a la protección de las personas físicas en lo que respecta al tratamiento de datos personales y a la libre circulación de estos datos, Diario Oficial de la Unión Europea L 281/31, 23 de noviembre de 1995 (en adelante, “Directiva de Protección de Datos”). Sin embargo, es preciso especificar que el demandante basó formalmente su reclamación en la “Ley Orgánica 15/1999, del 1.º de diciembre de Protección de Datos de Carácter Personal”, que era la ley que implementaba la Directiva de Protección de Datos en España.

[12] “Google Spain”, 15-17.

[13] Eldar Haber, “Privatization of the Judiciary”, Seattle University Law Review 40 (2016): 115, 12-127; Jones, “Ctrl+Z”, 41-42; Tamó y George, “Oblivion”, 72-73, 75; van Hoboken, “The Proposed Right to be Forgotten”, 7-11.

[14] “Google Spain”, 20. Las primeras dos preguntas referidas al TJUE, sobre el alcance personal y geográfico de la Directiva de Protección de Datos no se reportarán en esta contribución. Para un análisis de estas preguntas, véase Michel Reymond, “Hammering Square Pegs into Round Holes: The Geographical Scope of Application of the EU Right to be Delisted”, Berkman Klein Center for Internet & Society at Harvard University Research Publication, n.º 2016-12 (2016): 5-8 y 16-17.

[15] “Google Spain”, 93.

[16] “Google Spain”, 36.

[17] “Google Spain”, 76.

[18] “Google Spain”, 77.

[19] El 25 de mayo de 2018, tras la entrada en vigor del Reglamento General de Protección de Datos, este grupo fue rebautizado Comité Europeo de Protección de Datos. Véase el Reglamento relativo la protección de las personas físicas en lo que respecta al tratamiento de datos personales y a la libre circulación de estos datos y por el que se deroga la Directiva 95/46/CE (Reglamento General de Protección de Datos), Diario Oficial de la Unión Europea L119, 14 de mayo de 2016, 1, y en particular los artículos 64, 65, y 68-74.

[20] Grupo de Trabajo del Artículo 29, “Guidelines on the implementation of the Court of Justice of the European Union judgment on ‘Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González C-131/12’”, WP 225, 14/EN, 26 de noviembre de 2014.

[21] Véase, por ejemplo, Grupo de Trabajo del Artículo 29, “Guidelines”, 20, punto 13.

[22] “Request to Block Bing Search Results in Europe”, Bing, consultado el 31 de mayo de 2018, https://https://www.bing.com/webmaster/tools/eu-privacy-request.

[23] “Personal Information Removal Request Form”, EU Privacy Removal, Google, consultado el 31 de mayo de 2018, https://https://www.google.com/webmasters/tools/legal-removal-request?complaint_type=rtbf&hl=en&rd=1.

[24] “Request to block search results in Yahoo Search: Resource for European residents”, Yahoo Help, consultado el 31 de mayo de 2018, https://https://uk.help.yahoo.com/kb/search-for-desktop/requests-block-search-results-yahoo-search-resource-european-residents-sln28252.html?impressions=true.

[25] Peter Teffer, “Europeans give Google final say on ‘right to be forgotten’”, Euobserver, (2015), https://https://euobserver.com/investigations/130590.

[26] “Search removals under European privacy law”, Transparency Report, Google, consultado el 31 de mayo de 2018, https://https://transparencyreport.google.com/eu-privacy/overview?hl=en.

[27] Teffer, “Europeans”.

[28] Ahmed, “The Right to be Forgotten”, 179-180; Haber, “Privatization”, 137-139; Jones, “Ctrl+Z”, 45; Julia Powles, “The Case That Won’t Be Forgotten”, Loyola University Chicago Law Journal 47 (2015): 583, 591 et seq.

[32] Article 29 Data Protection Working Party, “Guidelines”, 9.

[33] “Google’s Advisory Council”, Google, consultado por última vez el 31 de mayo de 2018, https://https://www.google.com/advisorycouncil/.

[34] Google Advisory Council, “Final Report”, (2015), https://static.googleusercontent.com/media/archive.google.com/en/advisorycouncil/advisement/advisory-report.pdf, 19-20.

[35] CNIL, Délibération n.º 2016-054, 10 de marzo de 2016.

[36] Kent Walker, “Ne privons pas les internautes français d’informations légales”, Le Monde, (2016), http://www.lemonde.fr/idees/article/2016/05/19/ne-privons-pas-les-internautes-francais-d-informations-legales_4922590_3232.html; for an English translation, see “A principle that should not be forgotten”, Google in Europe Blog, 31 de mayo de 2018, https://https://europe.googleblog.com/2016/05/a-principle-that-should-not-be-forgotten.html.

[37] Walker, “A principle that should”.

[38] Conseil d’État, Décision n.º 399922, Google Inc, 19 de julio de 2017.

[39] Conseil d’État, Décision n.º 399922.

[40] Bruno Hardy, “Application dans l’espace de la directive 95/46/CE: la géographie du droit à l’oubli”, Revue Trimestrielle de droit européen 50, n.º 4 (2014): 879, part IV; Jones, Ctrl+Z, 175-177; Julia Powles, “Results May Vary: Borderdisputed on the frontlines of the ‘right to be forgotten’”, Slate, (2015), http://www.slate.com/articles/technology/future_tense/2015/02/google_and_the_right_to_be_forgotten_should_delisting_be_global_or_local.html; Dan Jerker B. Svantesson, “The Google Spain Case: Part of a Harmful Trend of Jurisdictional Overreach”, European University Institute Working Papers, RSCAS 2015/45, (2015), Brendan van Alsenoy y Marieke Koekkoek, “The extra-territorial reach of the EU’s ‘right to be forgotten”, ICRI Working Paper Series, 20/2015, (2015): 14-29.

[41] Comparar con Ahmed, “The Right to be Forgotten”, 178 (“Aunque algunos pueden considerar que la eliminación de vínculos a información del índice de búsqueda de Google es suficiente, esto dependería, no obstante, del propósito para el cual se está usando la información y de si la simple eliminación del índice de búsqueda en efecto la volvería inútil. Así mismo, los vínculos continúan existiendo sin mayores obstáculos, y cualquiera que tenga una experiencia razonable en navegar la web podría encontrarlos”).

[42] Miquel Peguera, “Right to be Forgotten and Global Delisting: Some News from Spain”, The Center for Internet and Society Blog, 17 de diciembre de 2017, http://cyberlaw.stanford.edu/blog/2017/12/right-be-forgotten-and-global-delisting-some-news-spain.

[43] Para una mirada crítica a profundidad del mecanismo de supresión previsto en el RGPD, véase la serie de publicaciones de Daphne Keller sobre el tema, albergadas en la plataforma de blogs del Center for Internet and Society de Stanford Law School: “Intermediary Liability and User Content under Europe’s New Data Protection Law”, 8 de octubre de 2015; “The GDPR’s Notice and Takedown Rules: Bad News for Free Expression but not Beyond Repair”, 29 de octubre de 2015; “Notice and Takedown under the GDPR: an Operational Overview”, 29 de octubre de 2015; “Solving Data Protection Problems with eCommerce Directive Tools”, 11 de noviembre de 2015; “Free Expression Gaps in the General Data Protection Regulation”, 30 de noviembre de 2015; “Series Conclusion and Summary: Intermediaries and Free Expression under the GDPR in Brief and The Final Draft of Europe’s “Right to be Forgotten” Law”, 17 de diciembre de 2015. Estos artículos se pueden encontrar de manera colectiva en http://cyberlaw.stanford.edu/blog/. Por ultimo, véase también Daphne Keller, “The Right Tools: Europe’s Intermediary Liability Laws and the 2016 General Data Protection Regulation”, Berkeley Technology Law Journal 33, n.º 297, http://dx.doi.org/10.2139/ssrn.2914684.

[44] RGPD, Artículo 17, 1, (a) y (b).

[45] Jones, “Ctrl+Z”, 48-50; Rustad y Kulevska, “Reconceptualizing”, 367-370; Tamó y George, “Oblivion”, 72-73.

[46] Haber, “Privatization”, 124-125; Keller, “The Final Draft”, Segundo guión.

[47] Viviane Reding, “The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age”, Discurso presentado en Múnich el 22 de enero de 2012, 5; véase también van Hoboken, “The Proposed Right to be Forgotten”, 26-29; Rosen, “The Right to be Forgotten”, 90-91.

[48] Ivana Kottasovà, “Your Inbox is Being Flooded With Emails About Privacy. Here’s Why”, CNN, 1.º de mayo de 2018, http://money.cnn.com/2018/05/01/technology/gdpr-data-privacy-email-consent/index.html.

[49] Grupo de Trabajo del Artículo 29, “Guidelines”, 29; House of Lords, EU Data Protection Law, 15-16.

[50] Gasser y Schulz, “Governance of Online Intermediaries”, 8; Jones, “Ctrl+Z”, 43-46; comparar con Haber, “Privatization”, 16-25, 43-46.

[51] The Manila Principles on Intermediary Liability, consultado el 31 de mayo de 2018, https://www.manilaprinciples.org; Keller, “Bad news”, bajo “What’s Wrong with the GDPR’s Notice and Takedown Process”; “Notice and Takedown under the GDPR”, punto 7; “Free Expression Gaps”, bajo Process and Public Resources to Protect Fundamental Rights.

[52] Ahmed, “The Right to be Forgotten”, 181-182.

[53] Reymond, “Hammering Square Pegs”, 37-41.

[54] Véase nota 52.

[55] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’), Official Journal of the European Communities L 171/1 (17 de julio de 2000), 1; en Francia, la Directiva, por ejemplo, ha sido transpuesta por la Loi n.º 2004-575 du 21 juin 2004 pour la confiance dans l’économie numérique, pues su artículo 6 implementa el régimen de notificación y eliminación para intermediarios.

[56] Keller, “Solving Data Protection problems”.

[57] De Werra, “Alternative Dispute Resolution in Cyberspace”, 289, 302-306.

[58] Haber, “Privatization”, 164. Véase también Ahmed, “The Right to be Forgotten”, 182-183.

The future of the European Union “Right to be Forgotten”

Abstract

El futuro del “derecho al olvido” de la Unión Europea