Excuse the hyperbole, but Google (and other search engines) dodged a bullet this week when it came to privacy regulations that come out of the European Union and then influence other jurisdictions.
It’s way too early to call what happened a victory, but months after the EU imposed digital security and privacy regulations that have generally become a hassle and headache for online commerce and payment operations — regulations being imitated in other parts of the world — a favorable outcome in a “right to be forgotten” case stands as good news for companies figuring out how they will advertise, market and sell online globally in the years to come.
Case Summary
PYMNTS readers probably already know about the case and the recent development, but in case not (hey, the time back from holiday break is very busy for everyone), here’s a review: Earlier this week (Jan. 10), the advocate general for the EU’s Court of Justice — the EU’s supreme court, whose decisions are binding for member states — said that Google and other search engines do not have to abide by the EU’s “right to be forgotten.”
That was established in 2014 by that same court, and enables residents of the EU to ask search engines to remove links containing their personal information. According to The Wall Street Journal, “under the 2014 ruling, search engines must balance those requests against the public’s right to access a link associated with the searched-for name, taking into account, for instance, whether the person is a public figure.” Since that court decision, Google reportedly has removed more than one million links for search results that appear in the EU — though those links were not removed for other search results.
Google ran afoul of France’s national privacy regulator about three years ago for allegedly violating that right. According to WSJ, the regulator “ordered Google to expand its takedowns to any search for the given individual’s name, regardless of where the searcher is located. [The regulator] argued that the right to be forgotten is empty if it can be dodged by spoofing one’s location, for instance, by connecting to a VPN.” Google was fined about $150,000 and took the case to the Court of Justice.
Next Moves
So what’s next?
The court is expected to make a final decision within the next few months. Though there is no obligation for the court to follow the advice of the advocate general, reports indicate that the court usually does. No matter the ruling, the court’s decision is final, as there will be no more appeals.
The view of the advocate general — Maciej Szpunar — said in his opinion that “there is a real risk of reducing freedom of expression to the lowest common denominator across Europe and the world.” Indeed, European groups dedicated to protecting free expression have backed Google during this case.
But Szpunar wasn’t 100 percent favorable to Google. He recommended that the search engine adopt a single approach to “right to be forgotten” in Europe — some supporters of Google in this case worry that such an approach could still lead to a “least common denominator” situation, in which the strictest application of that right becomes de-facto for other jurisdictions.
Those other jurisdictions, of course, can mean countries outside of the EU. The body’s executive arm in late 2018 did indeed argue — in opposition to the view taken by France — that the “right to be forgotten” should not extend overseas. “We don’t see extraterritoriality” in EU privacy law, said Antoine Buchet, a lawyer for the European Commission, during questioning by EU judges, according to a report from September. “It’s intellectually difficult to enter into that logic and give a universal effect to removals.”
GDPR Experiences
That might not mean much to companies that are not based in the EU but, because of their global operations, must conform to the General Data Protection Regulation, or GDPR. Compliance still has a way to go — a report from late 2018 found that only 29 percent of EU firms are following GDPR, in fact — but regulators are enforcing it.
One example?
Chinese bike-sharing company Mobike is being investigated by German regulators for potentially being in breach of the regulation. The regulator’s concern with bike- and car-sharing platforms is the significant amounts of data they collect about their users via mobile phone apps, including precise location data — even when the customer is not using the bike or car.
As well, GDPR-like laws are gaining traction in other parts of the globe, including in California, one of the world’s largest economies and, of course, a hub of digital innovation, commerce and payments. It’s not difficult to see how a ruling that’s unfavorable to Google concerning the “right to be forgotten” could have global impacts.