“The Right to be Forgotten” in the EU’s General Data Protection Regulation

Christine Prorok
Vol. 37 Associate Editor
Vol. 38 Online Content Editor

In a world where information posted to the Internet is so widely available and difficult to control, data privacy can seem out of reach. However, a right that was recently recognized in the European Union has attempted to push back on the notion that once information has been posted online, it is lost into the void. “The right to be forgotten” is the right of Europeans to request information be removed from a search engine when that information is “inadequate, irrelevant or no longer relevant, or excessive in relation to [the purposes for which it was processed or collected] and in the light of the time that has elapsed.”[1] The Court of Justice of the European Union (CJEU) established this right and emphasized the need for sensitivity for the data subject’s private life.[2] The search engine implicated in this case was Google, an American-based company. However, that did not prevent the court from ordering the removal of the link in question, because Google Spain processed the information.[3] Continue reading

The E.U. – U.S. Privacy Shield

Corina McIntyre, Vol. 37 Associate Editor

In October 2015, the European Court of Justice (“ECJ”) struck down the U.S.-E.U. transatlantic “Safe Harbor” pact used by thousands of companies to transfer European citizens’ data to the U.S. For 15 years the Safe Harbor pact had “allowed more than 4,000 companies to avoid cumbersome E.U. data transfer rules by stating that they complied with E.U. data protection law.”[1] The E.U. argued that the pact “exposed Europeans to mass surveillance by the U.S. government” and failed to provide necessary privacy guarantees.[2] The ECJ held that the pact violated Europeans’ privacy rights and that E.U. member states can consequently override the pact. Continue reading

The Safe Harbor Principles: What They Were and What Their Invalidation Means

Silvia Raithel, Vol. 37 Associate Editor

In 1995, the European Parliament and Council passed the Data Protection Directive (Directive 95/46/EC) (the “Directive”).[1] The Directive requires that the transfer of personal data out of the European Economic Area to another country only take place if the other country ensures an adequate level of protection for the data.[2]  Adequate protection can be established by virtue of a country’s domestic law or international commitments.[3] Continue reading