Guidelines on the Implementation of the Court of Justice of the European Union (CJEU) Judgment on Google Spain and Inc. v. Agencia Espanola de Proteccion des Datos (AEPD) and Mario Costeja GonzalezC-131/12 (Guidelines) to provide its interpretation of the CJEU’s ruling, and identify the criteria that will be used by the EU/EEA Member States Data Protection Authorities when addressing complaints from individuals following a denial of de-listing requests.
May 13, 2014 European Court of Justice Decision
On May 13, 2014, the Court of Justice of the European Union published its decision in the case Google Spain and Inc. v. Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez c-132/12, which stemmed from an individual’s request that Google adopt the measures necessary to withdraw personal data relating to him from its index, and to prevent access to the data in the future.
In its decision, the CJEU focused on two major points. First, it clarified that Directive 95/46/EC applies to a search engine as data controllers, insofar as the processing of personal data is carried out in the context of the activities of a subsidiary on the territory of a Member State set up to promote and sell advertising space on its search engine in that Member State with the aim of making that service profitable.
Second, the CJEU ruled that, under certain conditions, data subjects may request search engines to de-list links that appear in the search results based on the person’s name. In most circumstances, the data subject’s right to privacy should prevail over the economic interest of the search engine, and the internet users that have access to the personal information through the search engine.
This decision has proven to be very controversial, especially in the United States, out of concern for the right to information and freedom of expression. Major US search engines have actively lobbied the EU administration, which resulted in the publication of these Guidelines on the implementation of the “Right to be Forgotten”.
While a great portion of the Guidelines confirms prior statements made by EU agencies or organizations, some aspects of the Guidelines constitute a significant increase in scope, geography, or consequences from prior positions. Some of the most significant aspects include:
- While the ruling is specifically addressed to search engines, it might apply to other intermediaries;
- The de-listing should affect all domains of a search engine, not just EU based domains;
- Search engines should not comment or indicate on their search results that some listings might be missing as a result of a de-listing request; and
- Search engines should not inform publishers that a posting has been delisted.
The remainder of this post provides a detailed analysis of the 20-page Guidelines.
Fair Balance Between Fundamental Rights and Interest
In these new Guidelines, the WP29 first confirms that, as a general rule, the data subject’s rights should prevail over the economic interest of the search engine and that of Internet users to have access to the personal information through the search engine. The goal is to address the potential seriousness of the impact that this processing might have on the fundamental rights to privacy and data protection.
However, the WP 29 Guidelines distinguish circumstances and bring some nuances to the general statement. The WP29 comments that there must be a balance between the relevant rights and interests. The outcome may depend on the nature and sensitivity of the processed data and on the interest of the public in having access to that particular information. In particular, the public’s interest would be significantly greater if the data subject plays a role in public life.
Further, the EU Data Protection Authorities will take into account the public’s interest in having access to the information. If the public’s interest overrides the rights of the data subject, de-listing will not be appropriate.
No Information to be Deleted from the Original Source
The WP29 points out that the CJEU Judgment makes it clear that the right granted to individuals only pertains to the results obtained from searches made on the basis of a person’s name. It does not require deletion of the link from the indexes of the search engine altogether. The original information should still be accessible using other search terms, or by direct access to the source.
This is important, but might prove cumbersome to implement. When implementing a request for de-listing, the only links that must be removed are those that would appear in response to a search for information regarding a specific person’s name. Links to the same article that would be associated with different searches, such as searches focusing on a different topic or different individuals, would survive and remain.
The Guidelines allow the ruling to be expanded to organizations other than search engines. While “the ruling is specially addressed to generalist search engines, … that does not mean that it cannot be applied to other intermediaries. The rights [to the de-listing] may be exercised whenever the conditions established in the ruling are met.”
At this point, it is not clear which types organizations might be affected. Would, for example, data brokers, credits reporting organizations and companies specializing in background checks be the next target?
Territorial Effect of a De-Listing Provision
The Guidelines add a very important element to the implementation of the Right to be Forgotten: a much greater geographic scope of the de-listing implementation.
According to the WP29, de-listing decisions must be implemented in such a way that they “guarantee the effective and complete protection of data subjects’ rights, and that EU Law cannot be circumvented.”
The WP 29 stresses that limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the ruling.
In practice, this means that de-listing should also occur and be effective on all relevant .com and other domains. The WP29 expects that search engines, and other organizations that will receive requests under the “Right to be Forgotten” will implement the de-listing request on all domains on which they operate, and not just on EU or EEA based domains.
This is likely to cause concerns for the search engines and other organizations required to implement Right to be Forgotten requests, as it will result in significant increase in technical work and related administrative costs. So far, Google, for example, has vehemently argued that its implementation should only cover EU based search engines, and not others.
Who would be entitled to the Right to be Forgotten?
The WP29 also indicated that the EU Data Protection Authorities will focus on claims where there is a clear link between the data subject and the EU, such as where the data subject is a citizen or resident of an EU Member State.
Thus, the ruling and the Guidelines are directed at activities of EU Data Protection Authorities, and for the benefit of EU/EEA residents. Individuals residing outside the European Economic Area will not be entitled to seek the same privileges from the EU Data Protection Authorities.
No Communication of the De-Listing Requests to the Public and to Website Editors
The Guidelines also address two initiatives that were taken by search engines – especially Google – when implementing de-listing decisions.
No Information to the public on the de-listing of specific links
Search engines have added a notice on some search results pages to indicate that the search results are not complete because of the application of European data protection laws. The WP 29 comments that this practice would only be acceptable if the information were presented in such a way that users cannot, in any case, conclude that one particular individual has asked for de-listing of results concerning him or her.
No Communication to website editors on the de-listing of specific links
In some cases, search engines have also informed webmasters of the pages affected by de-listing that some pages of their website cannot be acceded from the search engine in response to a specific name-based query. This information, of course, caused vocal reactions from the publishers of the article affected by the de-listing request, causing, in turn a “Streisand Effect,” i.e. bringing even more attention to a matter that the initial requestor was trying to mask or erase.
The WP 29 comments that this practice is not warranted, and there is no legal basis for such routine communication under EU data protection law. According to the Guidelines, the only circumstance where this communication would be appropriate is where a search engine would want to contact the original publisher in relation to a particular request before any de-listing decision, in order to obtain additional information for the assessment of the circumstances surrounding that request.
Practical Aspects of De-Listing Requests
The Guidelines in WP 225 address several practical aspects of the delisting request process, such as whether to contact the original publisher, or how the search engine should communicate its decision.
Data Subjects Have No Obligation to Contact the Original Publisher
Individuals are not obliged to contact the original website in order to exercise their rights towards the search engines. Since search engines are deemed data controllers, the applicable national Data Protection Law applies directly to the activity of a search engine.
Search Engines Should Publish De-listing Criteria and Detailed Statistics
In addition, the WP29 Guidelines address the role and responsibilities that search engines play in the dissemination and accessibility of information posted on the Internet. In this regard, the Guidelines urge the search engines to provide the de-listing criteria they use, and to make more detailed statistics available.
Communication of the Refusal to De-List a Request
Finally, the Guidelines recommend that a search engine that refuses a de-listing request should provide sufficient explanation to the data subject about the reasons for the refusal. It should also inform data subjects that they can turn to the Data Protection Authority or to a court if they are not satisfied with the answer. If the data subject elects to appeal the decision to the national Data Protection Authority, such explanations would be provided to the Data Protection Authority.
13 Common Criteria
The second part of the Guidelines in WP 225 contains the list of 13 common criteria that the Data Protection Authorities will apply to handle the complaints filed with their national offices following de-listing refusals. These criteria will be applied on a case-by-case basis and in accordance with the relevant national legislations.
According to the Guidelines, this list of criteria is to be seen as a flexible working tool to help Data Protection Authorities in their analysis of Right to be Forgotten complaints, and during their decision-making process. No single criterion would be determinative. Each of the criteria has to be read in the light of the principles established by the Court and in particular in the light of the public’s interest in having access to the information. The specific criteria are:
1. Does the search result relate to a natural person, i.e. an individual? And does the search result come up against a search on the data subject’s name?
2. Does the data subject play a role in public life? Is the data subject a public figure?
3. Is the data subject a minor?
4. Is the data accurate?
5. Is the data relevant and not excessive?
a. Does the data relate to the working life of the data subject?
b. Does the search result link to information that allegedly constitutes hate speech/slander/libel or similar offences in the area of expression against the complainant?
c. Is it clear that the data reflect an individual’s personal opinion or does it appear to be verified fact?
6. Is the information sensitive within the meaning of Article 8 of the Directive 95/46/EC?
7. Is the data up to date? Is the data being made available for longer than is necessary for the purpose of the processing?
8. Is the data processing causing prejudice to the data subject? Does the data have a disproportionately negative privacy impact on the data subject?
9. Does the search result link to information that puts the data subject at risk?
10. In what context was the information published?
a. Was the content voluntarily made public by the data subject?
b. Was the content intended to be made public? Could the data subject have reasonably known that the content would be made public?
11. Was the original content published in the context of journalistic purposes?
12. Does the publisher of the data have a legal power or a legal obligation to make the personal data publicly available?
13. Does the data relate to a criminal offence?
The Right to be Forgotten is here to stay. Throughout the world, numerous individuals hope to be able to erase or mask a portion of their past – a mistake, a petty crime for which they have paid, events that occurred sometimes 10 or 15 years ago or simply articles about them that they find invasive – such as news regarding their health. The CJEU ruling of May 13, 2014 gives an opportunity to request such masking and in some cases, to obtain it. The analysis and the CJEU’s Judgment have been followed with great interest throughout the world. De-listing requests have been filed in other countries, such as Japan and Mexico.
The Guidelines published by the WP29 are an important document that is likely to evolve in the future. In the meantime, they provide a thoughtful analysis of the different factors and players. They also identify criteria to take into account when examining such requests, and some guidance on how to balance an individual’s attempt to forget or mask some of his past or some of his acts, against the (sometimes) legitimate right of some other individuals to have access to this information.