Arriving at a landmark ruling, the ECJ has now restricted applying the privacy law beyond the EU

On Tuesday, the European Union’s highest court ruled that an online privacy rule known as the ‘right to be forgotten’ under European law would not apply beyond the borders of EU member states. The European Court of Justice (ECJ) ruled in favour of the search engine giant Google, which was contesting a French regulatory authority’s order to have web addresses removed from its global database.

The ruling comes as an important victory for Google, and lays down that the online privacy law cannot be used to regulate the internet in countries such as India, which are outside the European Union.

What is the ‘right to be forgotten’ under European law?

The right to be forgotten empowers individuals to ask organisations to delete their personal data. It is provided by the EU’s General Data Protection Regulation (GDPR), a law passed by the 28-member bloc in 2018.

According to the EU GDPR’s website, the right to be forgotten appears in Recitals 65 and 66 and in Article 17 of the regulation, which states:

“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay” (if one of a number of conditions applies).

Under Article 2 of the GDPR, “personal data” means “any information relating to an identified or identifiable natural person (“data subject”)”, and “controller” means “the natural or legal person, public authority, agency or any other body which… determines the purposes and means of the processing of personal data”. According to the GDPR website, “undue delay” is considered to be about a month.

After a search engine company like Google receives requests under the privacy law to have information deleted, it first reviews them and then removes links on country-specific sites within the European Union, such as Google’s ‘google.de’ for Germany. According to the New York Times, Google has so far received more than 8.45 lakh requests to take down 33 lakh internet links, and 45% of the latter have been delisted.

What was the case before the European court, and what did it rule?

In 2015, the Commission nationale de l’informatique et des libertés (CNIL), an internet regulating agency in France, required that Google go beyond its practice of region-specific delinking, and ordered the search engine company to delete links from its global database.

Google refused to abide by the order, arguing that following the same would impede the free flow of information across the world. This led to the CNIL slapping a fine of EUR 100,000 (around INR 77 lakh) on Google in 2016.

Google challenged the CNIL’s order at the ECJ, and contended that implementing the online privacy law beyond the EU would hamper access to information in countries around the world, especially those ruled by authoritarian governments.

Arriving at a landmark ruling, the ECJ has now restricted applying the privacy law beyond the EU. It has also observed that the EU cannot enforce the ‘right to be forgotten’ on countries which do not recognise such a right.
