The Federal Court of Canada released a landmark decision finding that the court has the jurisdiction to make an extra-territorial order with world-wide effects against a foreign resident requiring the foreign person to remove documents containing personal information about a Canadian citizen that violates the person’s rights under Canada’s privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). In A.T. v. Globe24h.com, 2017 FC 114 the Honourable Mr Justice Mosely ordered the individual operator of the website Globe24h.com to remove all Canadian tribunal and court decisions posted on the site that contain personal information and to take all necessary steps to remove the decisions from search engines caches.
Posts Tagged ‘right to be forgotten’
In the landmark ruling in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (case no. C-131/12, May 13, 2014), the Court of Justice of the European Union (CJEU) recognized that search engines are controllers of the personal information they process. As such, they have the obligation, in appropriate cases, to de-list links to personal information in their search results.
The Gonzales decision left open questions about the scope of the duty and the criteria to be used in determining what links must be delisted, something which Google, data protection authorities, and others had disagreed about. The Article 29 Data Protection Working Party has now released a Guideline addressing these controversial issues.
In a bombshell opinion released earlier today, the CJEU ruled that Google Inc. is subject to EU data protection laws even where its servers are located outside of the EU. The Court ruled that when Google spiders the web and indexes the globe’s data, it is a processor with respect to personal information and a controller of such information. In the case before the Court, this meant that Google was required to de-index links to personal information, even though the information was accurate and without any showing that making the information available was prejudical to the data subject. The case is bound to lead to many further questions about the scope of the duties of search engines like Google under EU laws. I raised this issue in an interview with CTV News.
Yesterday, the European Commission proposed a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and boost Europe’s digital economy. Highlights of the reform plan are described by the Commission as follows:
- A single set of rules on data protection, valid across the EU. Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year.
- Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year, the Regulation provides for increased responsibility and accountability for those processing personal data.