What is the Right to be Forgotten?
In 2010 a Spanish citizen, Mario Costeja González, lodged a complaint against Catalonia’s leading daily La Vanguardia. In 1998 the paper had printed an auction notice relating to the forced repossession of González’s home. González argued that since the issue had been completely resolved in the subsequent 12 years, the information was now irrelevant and should be removed, both from the paper’s digital archives and from the search results of Google Spain or Google Inc.
The Spanish court in question referred the issue to the Court of Justice of the European Union. Four years later, the court returned a landmark ruling, which established that:
- Even if the physical server of a company processing data is located outside Europe, EU rules apply to search engine operators if they have a branch or a subsidiary in a Member State
- Search engines are controllers of personal data. Google can therefore not escape its responsibilities before European law when handling personal data by saying it is a search engine
- Individuals have the right, under certain conditions, to ask search engines to remove links with personal information about them. This applies where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing
Right to Data Protection Versus Right to Be Forgotten
In this particular case, the court found that González’s right to data protection was not trumped by Google’s economic interests, and so the right to be forgotten (or, technically, ‘the right to erasure’) was born in its modern form. (It should be noted that the court also stressed that the right to be forgotten is not absolute and must be balanced against other rights like the freedom of expression.)
Requests for search result removal are made every day (Google received about 400,000 in the 18 months following the ruling) and don’t just pertain to embarrassing old blog posts. Of all such requests made to Google UK and Google Ireland, 31% relate to fraud or scam incidents, 20% relate to arrests for serious crimes, and 12% relate to arrests for child pornography.
This has obvious implications for companies conducting adverse media searches as part of their customer due diligence process, although the rules don’t apply to PEP, sanctions and watch lists, which are maintained by independent providers and authorities.
Currently Google implements the rules on a country-specific basis. If a removal request is made in Germany and is approved, Google will hide the results in question from anyone searching from Germany, regardless of which version of the search engine they use. Companies wishing to do an especially thorough search could get round this by using a virtual private network (VPN) to make it appear to Google that they are searching from a different jurisdiction.
In reality, this is unlikely to be necessary. Most regulation relating to customer screening allows companies defences of proper procedures and lack of reasonable grounds for suspicion. There is no case law as yet, but the likelihood is that if a company found itself under investigation by a regulator for providing services to a fraudster, but could demonstrate that it had conducted thorough due diligence and missed information only because it had been removed from search results under the right to be forgotten, this would be sufficient to avoid prosecution.
The implications for KYC screening
There are two concrete implications for customer screening:
1. On its own, Google is not a sufficient KYC screening tool. Especially in light of the right to be forgotten, Google will not reliably tell you if your customer is a known criminal who could pose a risk to your business. Screening providers which allow you to search PEPs, sanctions and watch lists offer much more reliable results.
2. Although screening is a critical first step in a comprehensive AML regime, it is a limited tool on its own. Be it by using an alias or proxy, exercising their right to be forgotten, or by other means, customers who pose a risk to your business can find a way round due diligence checks. You should focus at least the same volume of resources on ongoing monitoring, and on training staff to recognise ‘red flags’, as you do on initial screening.
Amos Wittenberg – Editor, KYC Global Technologies
Amos is a contributor to KYC Global Technologies and writes news, comment and analysis to power the global fight against financial crime.