The internet lives forever, which is probably one of the most frustrating things about it—if you’re unlucky enough to have the same name as a criminal, or used to engage in youthful antics, it’s likely that your internet reputation may follow you around for the rest of your life. Since 2014, Europeans have had the right to request links to pages containing sensitive personal information about them to be removed, under the rule called the ‘right to be forgotten’, which would only apply to EU citizens.
But even if that information got delisted in the EU, it appeared that delisted links were still available online to people outside of the EU. This knowledge led to a dispute between Google and the French privacy regulator CNIL, who tried to impose a fine after Google didn’t completely remove listings containing damaging information about people. Google then challenged this as the search giant said it had no obligation to remove information outside of the EU, which led to the case being referred up to the European Court of Justice.
On 24 September, Google won the legal ruling that would let it bypass this legislation outside of the EU, arguing that it could be used in harmful or nefarious ways by authoritarian governments.
The ‘right to be forgotten’ has always lacked clear structure, but it is based on a couple of fundamental principles. In 2013, the first draft legislation was introduced in the EU to make it possible for individuals to have information about themselves scrubbed from the internet. For that to happen, you have to be a resident of the EU, and then you, or someone representing you, can put in a request for the removal of URLs that are believed to be a violation of your privacy.
At this point, the validity of the request will, of course, be assessed for legitimacy before it’s approved. Google’s teams look at whether the information contained, such as a high school indiscretion, like a silly website, is irrelevant or inadequate or if it is just necessary to be made publicly available to whoever is making the request. If it is approved, it doesn’t mean that this information about someone is completely erased either, it just means that this information won’t show up if you google that specific person. In order to make sure that the person who is having this information appealed is actually involved in the process, some kind of identification has to be provided too.
In turn, Google has formed a significant advisory board to advise the company on what to do and how to regulate these demands. While Google has often said it prioritises the privacy of the people who use the search engine (there are roughly 3.5 billion searches every day), the company has long since said that it doesn’t necessarily agree with the motivations of this legislation. If Google refuses to comply or asserts that someone’s removal request is illegitimate, then people have to appeal to their local data protection agency, and these processes can be even more complicated. And still after going through all that, some websites and news agencies have often published the links that had been delisted, sometimes including the names of the people who were making the request in the first place, raising thorny questions around the public interest.
Google says that to date, it has received millions of requests for removal, and that the ultimate decision around removal is still carried out by a human, because of how crucial context is in many of these situations. Yet, the problem still remains—while Google might not display this information anymore, other websites outside of the EU still might, and it means that a website with information that someone wants removed will not always be completely erased.
In some ways, the right to be forgotten legislation was one of the early precursors to the General Data Protection Regulation (GDPR), put in place in 2018, on top of the right to be forgotten. That’s why there have been some issues around how it was actually implemented. For example, in 2015, there was outrage after it was revealed that the past, botched operations of a British doctor had been removed from Google (after the doctor requested it to be so), despite the obvious public interest. While this is a piece of EU legislation, the effects of right to be forgotten have been evoked in courts in the U.S., and Consumer Watchdog, an organisation that advocates for the rights of consumers in the U.S., has also filed with a request for this right to be obtained in the U.S. as well.
Much of the criticism of the right to be forgotten ruling has centred on the threat it could pose to the right to freedom of speech, which is also a line of argument that Google pursued. The company argued that by delisting URLs around the world, it could give authoritarian governments unduly power, or could have harmful effects on the dissemination of information in society. Other tech companies, like Wikipedia and Microsoft, also supported Google’s campaign.
Crucially, the EU has continued to push for delinkings requested by EU citizens to also be carried forward into other Google domains, past just the European ones. This right to be forgotten legislation has only been applied in the EU, and the ruling last week demonstrated that it will remain that way. Google won.
However, the ruling did say that delisting must be accompanied by a serious attempt to encourage internet users not to access the information elsewhere, even if it’s not accessible within the EU. And even if the U.K. does leave the EU, the rules will still apply (for now). So if you have a dark past hidden somewhere online and wish for it to be deleted, send your request very soon, before it’s too late.