Disclosure, Exposure and the ʻRight to be Forgottenʼ after Google Spain: Interrogating Google Search's webmaster, end user and Lumen notification practices

Abstract

This article argues that Google's essentially blanket and unsafeguarded dissemination to webmasters of URLs delisted under the Google Spain judgment disclosures claimants’ personal data, cannot be justified either on the purported basis of their consent or a legal requirement but instead seriously infringes European data protection standards. Such disclosure would only be compatible with the initially contextually sensitive context of collection where it was (i) reasonably necessary and explicitly limited to the purposes of checking the legality of the initial decision and/or bona fide research and (ii) prevented unauthorised repurposing or other misuse through robust safeguards. Strict necessity thresholds would need to apply where disclosure involved special categories of data or was subject to reasoned objection by a data subject and international transfers would require further controls, ideally as provided by the European Commission's standard contractual clauses. Disclosing identifiable data on removals to end users would directly and fundamentally undermine a data subject's rights and, therefore, ipso facto violate purpose limitation and legality, irrespective of whether rights are claimed in data protection, defamation or civil privacy. The public's legitimate interests in receiving information on personal data removals are best secured through safeguarded scientific research, which search engines should facilitate.