Following the recent EU referendum results, there will be any number of consequences facing the UK over the next few years as the Brexit looms. Not least is the mass of laws and regulations handed down to us by the EU that will need to be reviewed and adjusted accordingly.
One such rule is the right to be forgotten. As confirmed by the Court of Justice of the European Union’s decision in the case Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González in May 2014, individuals can apply to search engines and request that certain links be removed, where they are ”inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed.”
The right to be forgotten and to erasure has been enshrined in Article 17 of the EU’s General Data Protection Regulation, which is set to become EU law on 25 May 2018. By that time, the UK’s two-year window for completing its exit negotiations and leaving the EU won’t have closed.
The EU uses different methods to pass on its decisions to Member States. In some cases, this will be done through a directive, which needs to be implemented in some appropriate way by the individual Member State – through an Act of Parliament or a statutory instrument. Article 17, however, is part of a regulation, which means it will automatically become law across Member States when it comes into force. So it may apply to the UK for a short while but our government will not need to transcribe it into national law.
If and when we leave, it will be down to our politicians to decide how many of our EU-influenced laws should stay and how many should go. Where a statute has been made following a directive, it will remain in force until it is formally repealed. Conversely, regulations – like the GDPR – will simply lose their authority when we leave the EU, unless they have already been brought into UK law during the interim period that awaits us. Perhaps for the right to be forgotten, this could come as an addition to the Data Protection Act 1998.
If no such action is taken, The Independent has suggested that, “When Britain is out the EU, Google can, if they want to, apply to a British court for a ruling that in the UK there is no right to be forgotten.” Although the UK courts may continue to pay some attention to the CJEU’s rulings, after Brexit they will no longer be obliged to do so and therefore could potentially side with the search engine.
That said, there is a strong chance that a post-Brexit Britain will still be influenced by the EU’s data protection rules if we wish to continue having access to the Single Market. Exactly which of its rules the EU will demand are abided by in return for this access cannot be said with complete certainty but if we want to do business in the EU then following the rules laid out in the GDPR seems pretty likely. However, whether this will mean we end up abiding by the regulations in full, including Article 17, or just parts of it remains to be seen.
Although the ruling was made by the CJEU, Google does permit requests from some non-EU countries, such as Norway, Switzerland, Iceland and Liechtenstein. Perhaps then, individuals in the UK could continue to be able to access this right as well. However, for the time being it looks like we will just have to wait to find out what the future holds for us and our internet search results.
This post originally appeared on the Himsworth Legal Blog and is reproduced with permission and thanks