Landmark Decision in Google’s ‘Right To Be Forgotten’ Case
In this article, Gemma Wilson, Solicitor at Travlaw, discusses the implications of the recent developments in the European Court regarding the issue of “Right to Be Forgotten”, and what the relevant issues are for the travel & leisure industries…
One of the issues we deal with here at Travlaw on a regular basis is that of ‘subject access requests’ – i.e. when customers demand of our travel & leisure clients to have all data they hold about that customer collated and presented to them. Less common is the ’right to be forgotten or ‘right of erasure’ – where the request is for such data to be erased.
The phrase ‘right to be forgotten’ has gained a fair bit of recognition in society generally, which is perhaps not surprising considering the various concerns there have been with who holds our personal data and how they use it.
One of the fundamental questions is on what level can there be a “Right to be forgotten”? Does it exist on a company level, a group company level, between companies that share data, nationally, internationally and so on.
The Google Case
Recently, the Court of Justice of the European Union (CJEU) has ruled that Google does not need to apply a data subject’s right to be forgotten globally. See the full case here.
This means that if Google receives a right to be forgotten or ‘right to erasure’ request from an EU citizen, then the search engine only needs to hide data about them from the results of its European sites and not its sites from elsewhere in the world.
This follows several years of legal wrangling between Google and French privacy regulator, CNIL. In 2015 CNIL ordered Google to globally remove search engine listings for results which showed false or damaging information about users who had made requests for their removal.
Google complied in respect of results viewable by users in Europe, but declined to apply the ‘right to be forgotten’ on a worldwide basis. The CJEU has found that this was the correct approach, stating in their ruling:
“Currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject… to carry out such a de-referencing on all the versions of its search engine,
Whilst this was a significant decision by the CJEU from a privacy law point of view, it’s also an opportunity to remind ourselves about the travel industry’s duty to its customers in respect of this right under GDPR.
What is the ‘right to be forgotten’ or ‘right to erasure’ in respect of UK Travel Businesses?
Under Article 17 of the GDPR data subjects (in our case customers, who are usually travellers) have the right to obtain the erasure of their personal data without “undue delay” under one of several grounds, including where the data is no longer necessary for the purpose for which it was collected, or the customer no longer consents to the processing of their data.
Essentially the right to be forgotten is part of the customer’s right to control how businesses collect and use that customer’s personal data.
Once you receive a right to be forgotten or a right to erasure request, you must comply without undue delay, and in any event within one month, unless any of the exemptions set out in the GDPR apply or a timescale extension is applicable. You can only extend the time to respond where the request is complex or you have received a number of requests from the same individual.
What can travel service providers do to ensure that they can comply with one of these requests?
- Have a process in place to ensure that you respond to a request within the specified timescales;
- Be aware of the circumstances in which you can extend the timescale for responding;
- Be aware of the specific rules which apply to the processing of data collected from children; and
- Have appropriate methods in place to erase information.
It’s all too easy to dismiss these steps as pre-emptive, but Google received 845,501 ‘right to be forgotten’ requests in the last five years. It makes sense that a search engine displaying numerous web results will receive more of these requests than a travel agent or tour operator but consumers are more aware than ever of their rights under data protection legislation, including the ‘right to erasure’, so it’s sensible to prepare your approach to these requests before they hit your inbox, from both a regulatory and money-saving perspective.
What will happen if I’m not GDPR compliant?
Failure to comply with GDPR could result in fines of up to 4% of your annual turnover or €20 million (whichever is higher). Even before the GDPR came into existence, the Information Commissioners Office took breaches of data protection legislation very seriously.
In a widely publicised decision, in July 2019 international hotel chain Marriott was fined £99 million for not sufficiently protecting customers’ data. Readers will also be aware that British Airways was also in the headlines this summer after a flaw in their security systems resulted in a whopping £183.39 million fine under the GDPR’s predecessor, the Data Protection Act 1998.
What other legislation do we need to be aware of?
If you are operating serviced or self-catering accommodation premises you must keep a record of all guests over the age of 16 who stay at the premises. These records must be kept for a period of at least 12 months, under the Immigration (Hotel Records) Order 1972.
What about Brexit?
The UK government has made clear its intention to write GDPR into UK law, whether the UK leaves the EU with a deal or not. In any event, the bulk of the provisions have already been incorporated within the Data Protection Act 2018 and this piece of English legislation will be entirely unaffected by Brexit. So, the chances of the situation for travel businesses being different in the near future are slim.
How can I ensure that I am GDPR compliant?
Gemma Wilson, Solicitor, Travlaw