Google Wins in GDPR “Right to be Forgotten” Data Privacy Case — for Now!

By Gabe Gumbs, Chief Innovation Officer

In the year leading up to the launch of the European Union’s new General Data Protection Regulation (GDPR) in May 2018, the innovative data security regulation was lauded as a leader in citizens’ personal data privacy.

Fast forward to September of 2019, and the progressive regulation has hit its first speed bump. A French regulator wanted all of his personal data removed from Google search engines globally. Google balked at the request. It would agree only to delete the citizen’s personal data from view in the EU. A lawsuit was launched.

On September 24th, 2019, the EU high court declared that the citizen was asking for too much, and ruled that Google does not have to apply the right to be forgotten rule globally. The victory for the U.S. tech titan means that, while it must remove links to sensitive personal data from its internet search results in Europe when requested, it does not have to remove them from searches elsewhere in the world.

Ruling Blow to Personal Privacy

This case has been viewed as a landmark test in an age where a global internet has no borders, and where individuals cannot demand a blanket removal of information about themselves from internet searches, thereby losing control of who has access to their personal information.

The ruling is a blow to the EU’s attempts to apply its privacy standards for its citizens beyond its borders. It is also a blow to privacy advocates, who point out that results about a person will still be discoverable online, for example, by using a virtual private network.

“The judgment underscores how the EU is moving to balance its citizens’ various fundamental rights and countries’ differing perspectives on those rights when enforcing the GDPR. In essence, the Google ruling signals that the EU doesn’t want to overreach,” lawyers said.

“It is a significant result for big tech companies and civil liberties organizations, reinforcing the principle that privacy rights are not always absolute and will need to be balanced against other fundamental rights, such as free speech and access to information,” stated a data protection legal professional. “It also shows that, despite the GDPR’s extraterritorial scope, EU privacy standards will not always be automatically enforced in other countries without equivalent laws.”

Big Tech’s Battles Have Just Begun

“It’s good to see that the court agreed with our arguments,” Google said in a statement about the win.

However, at least one of the data behemoth’s arguments could be characterized as a stretch. It stated that the obligation to remove personal data globally could be abused by authoritarian governments trying to cover up human rights abuses. But is that a legitimate argument in the face of the general population losing control over who has access to their personal data?

In any case, the battle is far from over. In fact, this case was not Google’s first battle with the EU over the right to be forgotten rule. The company lost its first battle in 2014, even before GDPR was enacted.

Under the EU’s previous right to be forgotten privacy rule, established in 2014, a man wanted information about a past crime he had committed removed from search engine results. He had been convicted in 2008 of conspiring to intercept communications and spent six months in jail. He claimed these facts were no longer relevant. The judge ruled in his favor in 2018.

Google’s past loss and recent win show that its fight over personal data privacy is likely far from over. Many more battles are sure to be waged as people struggle to keep their personal data private in a tech world that appears to want unbridled access.

In fact, Google was supported in its recent GDPR case by Microsoft, the Wikimedia Foundation, the non-profit Reporters Committee for Freedom of the Press, and the UK freedom of expression campaign group Article 19, among others.

Google’s determination to fight privacy cases and its high-powered backing suggest that the conflict over personal data privacy could have everything to do with companies wanting more, not less, access to and control over people’s personal data. Google’s recent purchase of Fitbit for $2.1 billion, announced on November 1st, 2019, speaks to this very concern as well.

Check back next week for more insight on the data privacy vs. big tech battleground.
