Today, the European Court of Justice (ECJ) handed down its decision in Google v. CNIL, dealing with the remit of the ‘right to be forgotten’ (RTBF). In short, the ECJ held that the operator of a search engine is not required to carry out de-referencing on all domain extensions of its search engine when dealing with a RTBF request. It is required, however, to carry out de-referencing on the versions of its search engine corresponding to all member states and take measures to protect the data subject’s fundamental rights. Though the decision was made under the former Data Protection Directive, it will have implications for data subjects under the General Data Protection Regulation (GDPR) as the RTBF was codified by GDPR Article 17.
Continue Reading Forget-me-not: Google v. CNIL defines territorial scope of the right to be forgotten
Spotlight shone on online advertising as complaints are filed with EU supervisory authorities
On 12 September 2018, complaints were filed with the UK Information Commissioner’s Office and the Irish Data Protection Commissioner regarding the “wide scale and systemic breaches of the data protection regime” by Google and others in the online advertising industry (the Complaints).
The Complaints
The Complaints were submitted by Brave, an ad blocking web browser, together with the Open Rights Group and Michael Veale, a researcher at University College London. They focus on the real time bidding (RTB) systems used by Google and the wider online advertising industry, which operate to provide personalised advertising on websites.
It is claimed that there are ongoing breaches of applicable data protection laws across the industry. As an example, a wide range of personal data is gathered by the RTB system, far more than is necessary to provide targeted advertisements to individuals browsing the web. It is suggested that the information collected is then provided to a host of third parties for a range of uses that go far beyond those purposes which a data subject can understand, consent to, or object to. According to Brave, “every time a person loads a page on a website that uses programmatic advertising, personal data about them are broadcast to tens – or hundreds – of companies”.Continue Reading Spotlight shone on online advertising as complaints are filed with EU supervisory authorities
The High Court considers the right to be forgotten
On 13 April 2018, the High Court, in NT1 & NT2 v Google LLC [2018] EWHC 799 (QB), ruled against Google, in favour of two businessmen advocating for the right to be forgotten. You can find the full judgment here, but in this blog we explore the reasoning behind the Court’s decision.
Right to be forgotten/right to erasure
The Court of Justice of the EU confirmed the right to be forgotten as an existing right under data protection laws, in Google Spain SL v Agencia Espanola de Protección de Datos Case of 2014: 317. The right to be forgotten is made explicit in the EU General Data Protection Regulation 2016/679 (GDPR) text. Essentially, in the GDPR the right is an enhanced right of erasure. The right is not absolute, which means that a controller does not need to comply with the request if there is a legitimate reason for continuing to process the personal data.
Case summary
Two separate businessmen brought cases, which were consolidated. Each case centred on the reporting of business-related criminal convictions that were spent and over a decade old:
- NT1 was convicted of conspiracy to commit false accounting and tax evasion; and
- NT2 pleaded guilty to conspiracy to tap phones and hack computers of environmental activists who had made threats against him and his business.
Continue Reading The High Court considers the right to be forgotten
Google Makes Ad-Tracking Change in its Privacy Policy
In 2007, Google bought online ad network DoubleClick, which uses cookies to collect and store data about Google users from their browsing history, to best place clients’ ads. This past June, Google revised its privacy policy to state that users’ activities on other sites tracked by DoubleClick “may be associated with [their] personal information.” This…
Galloway v Frazer & Others – A glimpse to the future of data protection litigation
On 27 January, the High Court of Northern Ireland granted British MP George Galloway leave to serve proceedings on Google Inc. out of the jurisdiction. The application was based on a variety of claims including libel, harassment, misuse of private information, and unlawful data processing under the Data Protection Act 1998 (the Act).
The claims relate to three videos uploaded to Google’s YouTube platform by William Frazer. It was claimed that these videos had been uploaded unlawfully. The court stated that there could be no doubt that one of the three videos contained sensitive personal data, but that the question of whether Google was a data processor or data controller would be a “fact specific investigation” which would have to wait until full trial. The view was expressed in the judgment that “[T]he facts as presently put before the court would suggest that Google will not find it easy to defend this claim if it is found to be a data controller.”
Continue Reading Galloway v Frazer & Others – A glimpse to the future of data protection litigation
Second Circuit Holds That the Google Digital Books Project Is Protected Under the Fair Use Doctrine
On October 16, the Second Circuit ruled that Google’s scanning of millions of books without the copyright holders’ permission, for use in its “Google Books” database, is permissible under the fair use doctrine. Google Books enables members of the public to search for terms within these books and view snippets of machine-readable text containing their search terms.
In 2004, Google entered into agreements with a number of the world’s major research libraries, pursuant to which Google was permitted to scan more than 20 million books submitted by those libraries in order to create an online index. Google’s aim was to enable members of the public to search for terms within the machine-readable text of each scanned book, in order to see if that book contained relevant material. The Google Books search tool does not display advertising or otherwise cost members of the public money, and searches reveal only snippets of text surrounding the words or phrases searched. Publishers and authors sued Google for injunctive relief, claiming that the search and snippet view features of Google Books undermined the value of their copyrighted works.
Continue Reading Second Circuit Holds That the Google Digital Books Project Is Protected Under the Fair Use Doctrine
UK first: right-to-be-forgotten notice issued against Google Inc.
The UK’s Information Commissioner’s Office (‘ICO’) has published what appears to be its first public enforcement notice based upon “the right to be forgotten” against Google Inc. The “right to be forgotten” was introduced by the ECJ last year when it held that data subjects have a right to compel search engines to remove results linking to websites containing their personal information, if those results were outdated or irrelevant.
In the current case, Google originally agreed with the data subject’s initial right-to-be forgotten request, namely that its historic criminal conviction was no longer relevant, and removed the link. Unfortunately for the data subject, the removal drew more attention to the story causing new articles to be written, and Google refused to remove the subsequent links on the basis that they were relevant and in the public’s interest.
Continue Reading UK first: right-to-be-forgotten notice issued against Google Inc.
Google signs UK Undertaking to Improve its Privacy Policy
On 30 January 2015, Google signed an Undertaking with the Information Commissioner’s Office (ICO) to improve and amend the Privacy Policy it adopted 1 March 2012.
Among other things, the modifications to the Privacy Policy allowed Google to combine personal data across all services and products. For example, personal data collected through YouTube could now…
Hong Kong Privacy Commissioner Ends 2014 with Special Interest in Mobile Apps
The Hong Kong Privacy Commissioner of Personal Data (the “Commissioner”) ended 2014 with a special interest in mobile applications (“apps”).
In a media statement published 15 December 2014, the Commissioner reported that versions 4.3 and earlier of Google’s Android operating system contained a flaw that allowed others to read shared memory in mobile…
Dutch Data Protection Authority Threatens Google with a €15 million fine
The Dutch data protection authority, College Bescherming Persoonsgegevens (CBP), released a cease and desist order requiring Google to pay €60,000 per day, up to a maximum of €15 million, for violating Dutch data protection law, Wet bescherming persoonsgegevens(Wbp). Google has until the end of February 2015 to change the way it handles personal data.
The…