Today, the European Court of Justice (ECJ) handed down its decision in Google v. CNIL, dealing with the remit of the ‘right to be forgotten’ (RTBF). In short, the ECJ held that the operator of a search engine is not required to carry out de-referencing on all domain extensions of its search engine when dealing with a RTBF request. It is required, however, to carry out de-referencing on the versions of its search engine corresponding to all member states and take measures to protect the data subject’s fundamental rights. Though the decision was made under the former Data Protection Directive, it will have implications for data subjects under the General Data Protection Regulation (GDPR) as the RTBF was codified by GDPR Article 17.
Continue Reading Forget-me-not: Google v. CNIL defines territorial scope of the right to be forgotten

On 12 September 2018, complaints were filed with the UK Information Commissioner’s Office and the Irish Data Protection Commissioner regarding the “wide scale and systemic breaches of the data protection regime” by Google and others in the online advertising industry (the Complaints).

The Complaints

The Complaints were submitted by Brave, an ad blocking web browser, together with the Open Rights Group and Michael Veale, a researcher at University College London. They focus on the real time bidding (RTB) systems used by Google and the wider online advertising industry, which operate to provide personalised advertising on websites.

It is claimed that there are ongoing breaches of applicable data protection laws across the industry. As an example, a wide range of personal data is gathered by the RTB system, far more than is necessary to provide targeted advertisements to individuals browsing the web. It is suggested that the information collected is then provided to a host of third parties for a range of uses that go far beyond those purposes which a data subject can understand, consent to, or object to. According to Brave, “every time a person loads a page on a website that uses programmatic advertising, personal data about them are broadcast to tens – or hundreds – of companies”.Continue Reading Spotlight shone on online advertising as complaints are filed with EU supervisory authorities

On 13 April 2018, the High Court, in NT1 & NT2 v Google LLC [2018] EWHC 799 (QB), ruled against Google, in favour of two businessmen advocating for the right to be forgotten. You can find the full judgment here, but in this blog we explore the reasoning behind the Court’s decision.

Right to be forgotten/right to erasure

The Court of Justice of the EU confirmed the right to be forgotten as an existing right under data protection laws, in Google Spain SL v Agencia Espanola de Protección de Datos Case of 2014: 317. The right to be forgotten is made explicit in the EU General Data Protection Regulation 2016/679 (GDPR) text. Essentially, in the GDPR the right is an enhanced right of erasure. The right is not absolute, which means that a controller does not need to comply with the request if there is a legitimate reason for continuing to process the personal data.

Case summary

Two separate businessmen brought cases, which were consolidated. Each case centred on the reporting of business-related criminal convictions that were spent and over a decade old:

  • NT1 was convicted of conspiracy to commit false accounting and tax evasion; and
  • NT2 pleaded guilty to conspiracy to tap phones and hack computers of environmental activists who had made threats against him and his business.

Continue Reading The High Court considers the right to be forgotten

In 2007, Google bought online ad network DoubleClick, which uses cookies to collect and store data about Google users from their browsing history, to best place clients’ ads. This past June, Google revised its privacy policy to state that users’ activities on other sites tracked by DoubleClick “may be associated with [their] personal information.”  This

On 27 January, the High Court of Northern Ireland granted British MP George Galloway leave to serve proceedings on Google Inc. out of the jurisdiction. The application was based on a variety of claims including libel, harassment, misuse of private information, and unlawful data processing under the Data Protection Act 1998 (the Act).

The claims relate to three videos uploaded to Google’s YouTube platform by William Frazer. It was claimed that these videos had been uploaded unlawfully. The court stated that there could be no doubt that one of the three videos contained sensitive personal data, but that the question of whether Google was a data processor or data controller would be a “fact specific investigation” which would have to wait until full trial. The view was expressed in the judgment that “[T]he facts as presently put before the court would suggest that Google will not find it easy to defend this claim if it is found to be a data controller.”
Continue Reading Galloway v Frazer & Others – A glimpse to the future of data protection litigation

Open book

On October 16, the Second Circuit ruled that Google’s scanning of millions of books without the copyright holders’ permission, for use in its “Google Books” database, is permissible under the fair use doctrine. Google Books enables members of the public to search for terms within these books and view snippets of machine-readable text containing their search terms.

In 2004, Google entered into agreements with a number of the world’s major research libraries, pursuant to which Google was permitted to scan more than 20 million books submitted by those libraries in order to create an online index. Google’s aim was to enable members of the public to search for terms within the machine-readable text of each scanned book, in order to see if that book contained relevant material.  The Google Books search tool does not display advertising or otherwise cost members of the public money, and searches reveal only snippets of text surrounding the words or phrases searched. Publishers and authors sued Google for injunctive relief, claiming that the search and snippet view features of Google Books undermined the value of their copyrighted works.
Continue Reading Second Circuit Holds That the Google Digital Books Project Is Protected Under the Fair Use Doctrine

The UK’s Information Commissioner’s Office (‘ICO’) has published what appears to be its first public enforcement notice based upon “the right to be forgotten” against Google Inc. The “right to be forgotten” was introduced by the ECJ last year when it held that data subjects have a right to compel search engines to remove results linking to websites containing their personal information, if those results were outdated or irrelevant.

In the current case, Google originally agreed with the data subject’s initial right-to-be forgotten request, namely that its historic criminal conviction was no longer relevant, and removed the link. Unfortunately for the data subject, the removal drew more attention to the story causing new articles to be written, and Google refused to remove the subsequent links on the basis that they were relevant and in the public’s interest.
Continue Reading UK first: right-to-be-forgotten notice issued against Google Inc.

The Hong Kong Privacy Commissioner of Personal Data (the “Commissioner”) ended 2014 with a special interest in mobile applications (“apps”).

In a media statement published 15 December 2014, the Commissioner reported that versions 4.3 and earlier of Google’s Android operating system contained a flaw that allowed others to read shared memory in mobile

The Dutch data protection authority, College Bescherming Persoonsgegevens (CBP), released a cease and desist order requiring Google to pay €60,000 per day, up to a maximum of €15 million, for violating Dutch data protection law, Wet bescherming persoonsgegevens(Wbp). Google has until the end of February 2015 to change the way it handles personal data.

The