BY ANDREW TARPEY
Group Compliance Officer
There is a battle brewing between tech behemoth Google and the European Union, pitting the freedom of information vs. the right to privacy. This legal tussle is over an issue commonly known as the “right to be forgotten”, and a court case before the EU’s Court of Justice could have far-reaching consequences on matters of censorship, privacy, government mandates and the power of the internet. For those whose task it is to conduct anti-money laundering investigations and Know Your Customer (KYC) reviews on potential clients and others, their ability to fulfill these compliance duties is made considerably harder by this.
The right to be forgotten has been ensconced in European law since 2014, when the Court of Justice,which is the European Union’s highest court, found that individuals can request that internet search engines such as Google remove certain results that appear when their name is searched. A more recent regulation implemented by the EU called the General Data Protection Regulation (GDPR) expanded on this right and added protections for those desiring more online anonymity. The ruling stems from the case of a Spanish man named Mario Costeja Gonzalez. A property he owned became the subject of a forced sale due to social security debts, and notice of this forced sale was published in the Spanish newspaper La Vanguardia. In 2009, he complained to the newspaper that when his name was searched, it led to the announcements, but La Vanguardia stated that they had been mandated to publish the notice by the Spanish government. Gonzalez then petitioned the Spanish Data Protection Agency to have links to his name removed when they appeared during internet searches, and they ruled that Google was responsible for doing so, as the sale of his property was years ago and thus a dead issue. Google appealed up to the Court of Justice who ultimately ruled for Gonzalez, thus etching the matter into European law. The ruling states that search engines must eliminate links to “inadequate, irrelevant or no longer relevant, or excessive” content when an individual requests that they do so, and noncompliance with such measures can result in fines. It should be noted that the ruling only applies to search engines such as Google and Yahoo – the websites themselves who post the information on the individual aren’t compelled to remove the information, so it’s more of a case of being delisted than being granted total online anonymity.
The most recent development in this saga is that France’s data protection authority CNIL has argued that the right to be forgotten should apply worldwide, and Google and other search engines need to ensure that those individuals who petition to have links to their name removed can no longer be found on internet searches from outside the EU. CNIL is basically claiming that it’s insufficient to remove a link to a French citizen from France’s version of Google (google.fr), but is insisting that Google needs to remove the link to the French citizen from all versions of its search engine globally so that the unfavorable link can’t be found by anyone in a non-EU country as well. Google has pushed back and said that implementing such a system on a global scale is impractical and draconian. A hearing on the matter before the European Court of Justice was recently heard, and a decision on the matter is expected sometime in 2019.
The right to be forgotten, and the results of the claim by the French government that it should apply globally, will have a major effect on those at financial institutions and other places of business whose job is to perform Know Your Customer checks on potential clients. Investigators who may be vetting a potential client or potential employee will often use basic internet searches on their subjects as the start of the background investigation process; potential red flag indicators such as lawsuits, criminal cases and media reports about the subject can often be found quickly and easily this way. However, the delisting of links related to a person’s background may eliminate a valuable tool that investigators use to conduct a due diligence review of its subject. This is a seeming contradiction for European businesses trying to navigate the complex compliance landscape. European anti-money laundering laws dictate that businesses need to conduct appropriate Know Your Customer reviews on its clients, but they are stymied in doing so by the privacy rights granted by GDPR.
What’s more, the right to be forgotten is not only the parlance of Europe; countries in other parts of the world are now looking to implement a similar version, including Russia, China, Japan, Hong Kong, Brazil, South Africa and Argentina, among others. So as more countries sign on to similar legislation as the EU, the job of conducting due diligence becomes more onerous for investigators. There are numerous subscription-and-fee based databases that companies can use to conduct their due diligence checks. However, these are often prohibitively expensive, especially for smaller companies. Anti-money laundering laws in most parts of the world are getting stricter, however, so businesses worldwide will somehow have to manage the delicate balancing act of tighter AML controls and a greater right to online privacy being granted to individuals.
If you would like to discuss this topic further please contact Southpac at firstname.lastname@example.org.