The EU’s top court ruled on Thursday that individuals in Europe can request Google to remove search results on them if they can show the information is “manifestly inaccurate.”
The dispute began when two investment managers asked Google to disregard search results that were returned based on their names and linked to several articles that criticized the group’s investment strategy. They contend that the articles make incorrect statements.
Google argued that it was unsure of the accuracy of the information in the articles and declined to cooperate.
However, the Court of Justice of the European Union allowed investment managers to successfully invoke the so-called “right to be forgotten” under the EU’s General Data Protection Regulation in a decision on Thursday.
Users who want to remove misleading information from search engine results must offer solid evidence that it is untrue.
“to provide only evidence that can reasonably be required of [them] to try to find,” the court said.
The judgment returns to the complex issue of the online ‘right to be forgotten, where for years, there have been opposing camps of those who believe that priority should be given to freedom of information and those who believe in the right to privacy.
📌 About the right to erasure, “right to be forgotten”
Users have the right to request that their data be deleted, and all distribution stopped when it is no longer relevant for its original purpose, when users have withdrawn consent, or when the personal data have been processed unlawfully. Requests must be fulfilled without undue delay and, at the latest, one month after they are made.
🚀 For more on this, see here.
📌 A user requested to exercise their right to erasure how do I prove that I honored that?
In general, the GDPR’s protections apply to “personal data,” which is defined by the Regulation as information that can be used to directly or indirectly identify a natural person.
Therefore, if a user requests to have all of their personal data deleted, you would theoretically no longer have access to that user’s personal information, and the individual would no longer be “identifiable” to you or your systems.
Practically speaking, the best way to respond to such a request would be to explicitly inform the user (at the time of the initial request) that by granting the request, all of their data will be removed, making it impossible for them to exercise any further rights regarding this data because it no longer exists on your systems.
🚀 We go into further details on this here.
Psst! To effortlessly comply with regulations and fulfill your legal duties, you can easily record and control every data processing activity within your organization with the help of our solution.
👉 For a list of the full features of the Internal Privacy Management tool click here or read the guide here.
