The Article 29 Data Protection Working Party adopted on 26 November 2014 its guidelines on the implementation of the controversial Court of Justice of the European Union (CJEU) judgment on Google Spain v. AEPD and Costeja (C-131/12).
In that case, the CJEU ruled on three questions concerning the interpretation of the Data Protection Directive regarding the status of search engine providers as data controllers, their data processing activities, and the existence and scope of the so-called ‘right to be forgotten’ as a result of the application of Articles 12 and 14 of the Directive to their activities. The latter refers to the CJEU’s ruling in its judgement that, in response to a request from a data subject, under certain conditions a search engine must remove from a list of results displayed following a search made based on a data subject’s name, links to web pages published by third parties that contain information relating to them.
The guidelines are 19-page long and summed up in an executive summary of 2 pages which identifies 9 key points. While Part I interprets the upshot of the CJEU’s judgment, Part II offers a table summarizing the list of relevant criteria to be taken into account by European Data protection authorities when handling complaints by data subjects in cases in which search engines have not been responsive or refuse de-listings. This list is not a closed list, but is conceived as a flexible working tool to help authorities during their decision-making processes and will certainly evolve over time. Obviously these guidelines are also of interest to search engines and individuals themselves who are considering making an official complaint to such authorities.
Just a few things to note:
- It is only the structured overview of the information relating to data subjects that appears on the search-result webpage produced by the search engines when the names of these data subjects are used as key words that is at stake here, as such a structured overview usually has a decisive impact upon Internet users’ perception of data subjects. As a result:
- even when the publication of by the original publisher is lawful, the structured overview can be problematic and opposed by the data subject.
- data subjects are thus not obliged to contact the original website before or when contacting the search engine.
- the de-listed pages will never disappear from the indexes of the search engine. The original information will therefore still be accessible using other search terms, or by direct access to the publisher’s original source.
- But the structured overview is the view that appears on all relevant domain names and not only EU domain names. “In any case de-listing should also be effective on all relevant domains, including .com” says the Article 29 DP Working Party. (To note, so far Google has refused to de-list content on its .com domain, arguing that that US law governs that domain, where free speech concerns would be likely to override data subject rights. It will be interesting to see whether Google will accept the Working Party’s position on this point – see also a recent post on this point).
- And when modifying the structured overview, search engines should not let users making a name-based query know that some web pages cannot be displayed due to the exercise of the right to have certain results de-listed. The Article 29 DP Working Party states “such a practice would only be acceptable if the information is presented in such a way that users cannot, in any case, conclude that one particular individuals has asked for de-listing of resulting concerning him or her”.
- By contacting a search engine to have the structured overview modified, the data subject makes an important decision: he is saying that the de-listing is the appropriate remedy. To use the words of the Article 29 DP Working Party “by making a request to one or several search engines the individual is making an assessment of the impact of the appearance of the controverted information in one or several of the search engines and, consequently, makes a decision on the remedies that may be sufficient to diminish or eliminate that impact”. [Does is it mean that the de-listing is therefore the sole possible remedy?]
- Upon receipt of a request to de-list certain results, a search engine may request some form of identification information from the requester. But it should make sure adequate security safeguards are in place when it does so.
- The ruling is “specifically addressed to generalist search engines” and not to search engines built within particular websites such as online newspapers. However this is not to say that only generalist search engines are targeted. The ruling can potentially apply to other types of intermediaries. [That’s for you to guess whom! Remember the words of the CJEU: the processing at stake consisted in “finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference”.]
- Search engines seem to have an ‘obligation of result’ to make sure data subjects can exercise their rights [the words of the Article 29 DP Working Party are not that clear though: “The ruling sets thus an obligation of results which affects the whole processing operation carried by the search engine”. An ‘obligation of result’ is a French concept which implies that in case the result is not reached the debtor of the obligation can be held liable even without the need to prove any negligence from his part. So what is the Article 29 DP Working Party really saying?].
- “No provision in EU data protection law obliges search engines to communicate to original webmasters that results relating to their content have been de-listed”. This would constitute an additional processing which would need to be justified under data protection law.
- Data subjects should be able to resort to “the national subsidiaries of search engines in their respective Member States of residence” to exercise their rights.
- Among the list of criteria for assessing the legitimacy of the claim made by data subjects, one factor is crucial (although not singly determinative). It is whether the data subject plays a role in public life or whether the data subject is a public figure. Why? Because the CJEU “made an exception for de-listing requests from data subjects that play a role in public life, where there is an interest of the public in having access to information about them. The criterion is broader than the ‘public figures’ criterion”. Here, the Article 29 DP Working Party refers back to the Case Law of the European Court on Human Rights and formulates 2 rules of thumb:
- “A good rule of thumb is to try to decide where the public having access to the particular information – made available through a search on the data subject’s name – would protect them against improper public or professional conduct”.
- [A]s a rule of thumb, if applicants are public figures, and the information in question does not constitute genuinely private information, there will be a stronger argument against de-listing search results to them”.
What is the Article 29 DP Working Party implying in its non-binding but highly influential opinion? Is it that the moment you have an online public life (through the means of blogs, tweets, and other social media) it is going to be a lot more difficult to exercise your right to alter the structured overview that appears on search-result webpages when someone uses your name as a keyword? [What do readers think?].
Anyway, it remains to be seen whether the guidelines will have the effect of reducing the number of complaints that national data protection authorities receive from aggrieved individuals who have had requests refused.