
EU Data Protection Authority Adopts Guidelines on the Implementation of the Right to be Forgotten

November 28, 2014

On November 26, 2014, the European data protection authorities (DPAs) assembled in the Article 29 Working Party (WP29) adopted guidelines on the implementation of the judgment of the European Court of Justice (ECJ) on the right to be forgotten. These guidelines contain the common interpretation of the ECJ’s ruling. They also include the common criteria to be used by the national DPAs when addressing complaints.

The guidelines clarified several points addressed by the Google Spain v Costeja ruling.

(1) Search engines qualify as data controllers, and Directive 95/46/EC applies to a search engine insofar as (a) the processing of personal data is carried out in the context of the activities of a subsidiary on the territory of a Member State, (b) set up to promote and sell advertising space on its search engine in this Member State with the aim of making that service profitable. In this case, the processing of data by search engines “must be distinguished from, and is additional to that carried out by publishers of third-party websites.”

(2) A fair balance between fundamental rights and interests may lead to a limited impact of de-listing on the access to information. (a) As the ECJ originally stated, “the rights of the data subject prevail, as a general rule, over the economic interest of the search engine and that of internet users to have access to the personal information through the search engine.” (b) However, a balance must be struck between the nature and sensitivity of the data and the interest of the public to have access to that information. (c) If the data subject plays a role in public life, the interest of the public will be significantly greater. (d) Therefore, the guidelines concluded, the impact of de-listing on individuals’ rights to freedom of expression and access to information will be very limited. When DPAs assess the relevant circumstances, de-listing will not be appropriate if the interest of the public overrides the rights of the data subject.

(3) The original information will always remain accessible and no information is deleted from the original source. The right only affects the results obtained from searches made on the basis of a person’s name. That is, the original information will still be accessible using other search terms, or by direct access to the source.

(4) Data subjects seeking the de-listing of information do not have an obligation to contact the original website in order to exercise their rights towards the search engines. Likewise, search engines do not have a legal obligation to inform the webmasters of the de-listing of specific links. However, the guidelines strongly encourage the search engines to provide the de-listing criteria they use, and to make more detailed statistics available.

(5) As for the data subjects’ entitlement to request de-listing, the guidelines stated that “DPAs will focus on claims where there is a clear link between the data subject and the EU, for instance where the data subject is a citizen or resident of an EU Member State.” This statement has the effect of narrowing down the application of the ECJ’s ruling in light of the general principle that, under EU law, everyone has a right to data protection.

(6) On the territorial effect of de-listing decisions, the guidelines noted that limiting de-listing to EU domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the ruling. In practice, "this means that in any case de-listing should also be effective on all relevant .com domains." (emphasis added)

The guidelines also contain 13 main criteria which the national DPAs will apply to handle the complaints filed with their offices following refusals of de-listing by search engines. Criteria will be applied on a case-by-case basis, and each criterion has to be read in the light of “the interest of the general public in having access to [the] information”.

According to these criteria, DPAs must investigate whether

(1) the search results relate to an individual and come up against a search on the data subject’s name, including pseudonyms and nicknames;

(2) the data subject plays a role in public life, or is a public figure, and there is an interest of the public in having access to information about them;

(3) the data subject is a minor (which clearly makes the DPAs more likely to require the de-listing of the results);

(4) the data is accurate;

(5) the data is relevant and not excessive and (a) relates to the working life of the data subject, (b) the search results link to information which allegedly constitutes hate speech/slander/libel or similar offences against the complainant, and (c) it is clear that the data reflects an individual’s personal opinion or it appears to be verified fact;

(6) the information is sensitive according to Article 8 of the Data Protection Directive, such as information about a person’s health, sexuality or religious beliefs;

(7) the data is up to date or made available for longer than is necessary for the purpose of the processing;

(8) the data processing is causing prejudice to the data subject and has a disproportionately negative privacy impact on the data subject;

(9) the search results link to information that can leave the data subjects open to risks, such as identity theft or stalking;

(10) the data subject (a) voluntarily made public the content or (b) could have reasonably known that the content would have been made public or (c) the content was intended to be made public at all;

(11) the original content was published in the context of journalistic purposes, although this criterion alone does not provide a sufficient basis for refusing a request;

(12) the publisher of the data has a legal power or obligation to make the personal data publicly available;

(13) the data relate to a criminal offence, which should be handled by DPAs according to national approaches to the public availability of information about offenders, although “as a rule, DPAs are more likely to consider the de-listing of search results relating to relatively minor offences that happened a long time ago, whilst being less likely to consider the de-listing of results relating to more serious ones that happened more recently.”

The guidelines provide a number of specific suggestions for the DPAs to interpret and properly balance each criterion (pp. 13-19). The WP29 guidelines are available here. The WP29 press release can be found here.

This article was originally published at the CIS Blog: EU Data Protection Authority Adopts Guidelines on the Implementation of the Right to be Forgotten
Region: European Union
Topic, claim, or defense: Privacy or Data Protection; Right to Be Forgotten; Freedom of Expression