As you might well remember, the Court of Justice of the European Union, in a better known as ‘right to be forgotten’ judgement, ruled that individuals, provided that certain prerequisites are met, have the right to require from search engines, such as Google, to remove certain results about them, subsequently presented to a search based on a person’s name. (you can read more here, here, here, here and here) According to the ruling, the original information will still be accessible under other search terms or by direct access to the publisher’s original website.
In this context, in cases where the criteria for deletion are met and where search engines do not remove the links requested by the data subject, the latter would be able to complain to its national data protection or judicial authority.
Therefore, last week, the Article 29 Working Party, which gathers representatives of the 28 national data protection authorities (hereafter DPAs) of the EU Member States, has adopted Guidelines on the implementation of the judgement. This has not really come as a surprise as the Working Party had already announced its decision to establish a common approach to the right to be forgotten.
Indeed, the ruling left many questions unanswered. For instance, it was left to be found out if Google was only obliged to block requested names for European domain names only or should do so for all Google search domains. Moreover, it was left unanswered how could the balance between the relevant rights and interests at stake be achieved and how the ‘public figure’ concept could be defined.
According to the Article 29 Working Party, the ruling only refers to search engines as “data controllers” and is not to be applicable to the original source of information, so the information is not to be removed entirely, just from search indexes.
Furthermore, considering that users are directed to localised editions of the company’s search service, when they initially try to visit the Google.com website, Google’s current practice regarding delisting procedures consists in delisting results which appear in the European versions of its search engines, but not the international one ‘.com’. In this regard, the Article 29 Working Party considers that Google has therefore failed to effectively implement the abovementioned ruling. It considers, indeed, that limiting the de-listing of search results to EU domains, on the grounds that users tend to access search engines via their national domains, does not sufficiently guarantees the rights of the data subjects. In fact, it concluded that the de-listing should be conducted on all the relevant ‘.com’ domains. This conclusion is certainly in line with a recent position of a French court which decided that Google should remove a link to a defamatory article for a particular search on both on its ‘.fr’ and ‘.com’ domains.
In addition, the document clarifies that Google is not required to block links if searches lead to the same result without using the individual’s name and that, although all individuals have a right to data protection under EU law, DPAs should focus on claims where there is a clear link between the data subject and the EU.
Moreover, referring to the notice stating that “some results may have been removed under data protection law in Europe” posted by Google at the bottom of search results, the Working Party deems that the information provided to users of search engines that the list of results to their queries is not complete has no legal ground under data protection law and is only acceptable if it cannot be concluded that the results related to a particular individual have been de-listed.
Likewise, because there is no legal basis for such routine communication under EU data protection, and in order to avoid a ‘Streisand effect’, it is considered that search engines should not, as a general practice, inform the webmasters of the pages affected by removals of the fact that some web pages cannot be accessed from the search engine in response to a specific name based query. However, it is accepted that contacting the original editor of the content being targeted by a search de-listing request might actually be appropriate when more information is required in order to take a decision.
Furthermore, the guidelines establish a list of 13 common criteria which the data protection authorities should apply when handling complaints following refusals of de-listing by search engines.
It is also stated that no single criterion is determinative and that, in most cases, more than one will have to be taken into consideration. However, each criterion has to be applied in the light of the interest of the general public in having access to the information.
The Working Party further concluded that the impact of the de-listing on individuals’ rights to freedom of expression and access to information will prove, in practice, to be very limited and the balance between the public interest and the rights of the data subject will have to be assessed casuistically.
The abovementioned list includes an orientation regarding what can constitute ‘public life’, considering that, while details associated to the private life of a public figure may be delisted, information regarding the public role or activities should be available for search:
It is not possible to establish with certainty the type of role in public life an individual must have to justify public access to information about them via a search result. However, by way of illustration, politicians, senior public officials, business-people and members of the (regulated) professions can usually be considered to fulfil a role in public life. There is an argument in favour of the public being able to search for information relevant to their public roles and activities.
A good rule of thumb is to try to decide where the public having access to the particular information – made available through a search on the data subject’s name – would protect them against improper public or professional conduct. It is equally difficult to define the subgroup of ‘public figures’. In general, it can be said that public figures are individuals who, due to their functions/commitments, have a degree of media exposure.
In addition, search engines are called upon to be more transparent regarding the de-listing criteria. It is a legitimate concern as Google only has released very limited and abstract information on this regard.
Despite the fact that these guidelines are not legally binding, they reflect a consensual position of national regulators and therefore will certainly influence the enforcement decisions taken by the Member States’ data protection authorities. Considering all the issues surrounding the implementation of the ruling, these guidelines are undoubtedly useful. Nonetheless, it remains to be seen whether Google will actually follow the guidance and extend de-listing to ‘.com’ as well.
In my personal opinion, it is quite outlandish and unrealistic, from both legal and technical points of view, to assume that the ‘right to be forgotten’ can become a global scenario and not just a European one. I mean, considering the overlapping jurisdictions regarding Internet, how come nobody considers the evidence that such a global de-listing sets up a divergence on the international level, between the EU Member States and the rest of the world?
The Internet should not be subjected to geographical boundaries. Assuming that the rules referring to a country can actually apply worldly online can be associated with web censorship. In fact, the EU is not alone in its aim for the global implementation of its rules. Russia and China, for instance, have quite global ambitions regarding Internet governance. Of course, one may argue that the EU motivations are legitimate, intended to protect some individuals’ private sphere, and do not amount to censorship. But considering that this legitimacy of the measures is usually the most frequent argument regarding censorship, is this really the example the EU wants to set?