Skip to content

Law 360: Conducting Due Diligence In A ‘Right To Be Forgotten’ Age

Home > Perspectives > Law 360: Conducting Due Diligence In A ‘Right To Be Forgotten’ Age

Law360, New York (May 30, 2017, 10:29 AM EDT) —  

The European Union’s “right to be forgotten” regulation poses a challenge to the quality of online investigative research and reputational due diligence. Will virtual private networks (VPNs) prove a viable solution? 

For businesses and regulatory authorities interested in rooting out corruption and money laundering, online investigative due diligence has become a crucial step —  often a necessary first step — in understanding the reputations of individuals and companies involved in business transactions. As the demand for ever-deeper analysis of customer and third-party business relationships has grown, so too has the ability to use technology to gather information — particularly from unstructured data sources — to build a picture of an individual’s or company’s reputation. 

However, a new legal mechanism has arisen that puts a wrinkle in the free flow of information needed to conduct thorough due diligence: the “right to be forgotten.” 

The “right to be forgotten” was put into effect in a 2014 ruling by the Court of Justice of the European Union. The ruling permits citizens and residents of the European Union to petition search engines to delist links from search results, typically results connected with their names that are deemed “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed.” 

Search engines began to delist search results immediately following the ruling, and in 2016, Google announced that it would delist search results from successful right to be forgotten petitions not only from European domains of the site but also from all domains when accessed from the country of the person requesting the removal. France’s data privacy regulator, the Commission nationale de l’informatique et des libertés (CNIL), has pressed Google to go further and delist content removed under the right to be forgotten from all domains globally regardless of the petitioner’s country. Google is currently appealing the CNIL’s order in France’s Supreme Administrative Court. 

Although the court’s language is broad, in practice, “right to be forgotten” requests have been made to delist content related to an individual’s past insolvency (or involvement with a financially-troubled company), to remove mentions of prior scandals and even to hide references to criminal history. Successful “right to be forgotten” petitions can and have removed information that an investor or lender would want to know before striking a deal. A search engine’s refusal to delist can result in fines. 

In the European Union, Google alone has removed more than 700,000 search results since May 2014 under the “right to be forgotten”, often on content related to high-profile individuals who might be subject to due diligence for legitimate business reasons. The number of removals is higher when considering other common search engines. 

This can create real challenges — not only for due diligence investigators who rely on web-based search tools as a first line of screening for exactly this type of information, but also for the growing ecosystem of automated investigative technologies that use search engines. 

Perhaps for these reasons, the European Union has begun to put some limits on the right to be forgotten. In March 2017, the European Court of Justice ruled that personal data in company records was not necessarily subject to the “right to be forgotten” legislation. The ruling revolved around a 2007 Italian court case in which a director of a company that went bankrupt in the 1990s sought to scrub his name from registration records of the now-defunct company. The court reasoned that European member states “cannot guarantee that natural persons whose data are included in the company register have the right to obtain, after a certain period of time from the dissolution of the company, the erasure of personal data concerning them.” The court’s ruling is a crucial precedent that appears to bode well for investigators and due diligence practitioners. 

Still, despite resistance, the “right to be forgotten” has started to spread beyond European borders, and a cottage industry of consultants and attorneys have since sprung up to assist individuals petitioning to delist unflattering content. 

This has brought to the fore the need for a viable technological work-around for due diligence investigators who still need access to “forgotten” information. Increasingly, the industry has turned to virtual private networks (VPNs) as a means to tunnel internet traffic outside of a host country for investigative purposes. 

A VPN is an encrypted tunnel to a secondary network, often outside of a user’s host country, that is used to connect securely and shield a user’s physical location. VPNs have been used for years by investigators to conduct research on high-profile, politically exposed officials in authoritarian states where traditional information channels cannot be trusted and online censorship of content and search results is very real. 

Due diligence practitioners have an interest in seeing a full and unabridged picture of whom they are researching. By using a VPN that routes a user’s internet traffic through a third country, one may be able to view search results and other content not readily available in his or her host country. In essence, a VPN can mask a user’s country of origin, thereby permitting an investigator to access a different localized instance of a search engine, whose results may not be subject to “right to be forgotten” legislation. In light of the ever-growing body of delisted content pertaining to EU persons, VPNs are rapidly becoming a must-have when conducting due diligence from Europe. 

VPNs will remain an important tool to help to ensure that online due diligence and investigative research is comprehensive. It is an open question how far the “right to be forgotten” doctrine will reach in the coming years, and whether similar regulation could ever gain traction in the United States, with its First Amendment protections. Until then, those with a vested interest in obtaining accurate and robust due diligence on the reputations of individuals should ask whether technologies such as VPNs may be deployed by practitioners to help to see a thorough and unabridged picture. 

All Content © 2003-2017, Portfolio Media, Inc. 

Law 360 Logo

The risk landscape is constantly changing. Hear about the latest with Exiger.