Articles

WP 29 guidelines on the implementation of the Google Spain Case and Google’s Advisory Council Report on “the Right to be Forgotten”

WP 29 guidelines on the implementation of the Google Spain Case and Google’s Advisory Council Report on “the Right to be Forgotten”

WP 29 guidelines on the implementation of the Google Spain Case and Google’s Advisory Council Report on “the Right to be Forgotten”

30.04.2015 BE law

On 13 May 2014 the European Court of Justice (“ECJ”) delivered a landmark ruling, the so-called “Google Spain Case” (“the Ruling”). Because this decision has generated several concerns and could have potentially led to Member States’ diverging application of this case-law, the European Commission (“the Commission”), followed by the Article 29 Working Party (“WP 29”), issued guidelines (“Guidelines”) on the matter.

In February 2015 Google’s Advisory Council published its report on “the Right to be Forgotten” to advise Google on how to implement the Ruling properly. Notwithstanding the broad scope given by some in their interpretation of the Ruling, it seems that the ECJ did not intend its judgment to be one of principle.

In the first part of the Guidelines, the WP 29 specifies the most important elements of the Ruling. It confirms that, according to the ECJ, search engines operators process data are considered data controllers. The legal basis lies in the legitimate interest of the controller or of third parties to which the processed data are disclosed. This legal basis is different from the one justifying the publishing of content by the original publisher. That is why, in some instances, although the publishing of some information by the original publisher might be lawful, the accessibility to those information by means of a search engine might, however, in turn be unlawful. In any event, search engine operators are supposed to assess the legitimacy of the data processing only at the data subjects’ request. Moreover, those data subjects, when they are refused its request to be de-listed, should be allowed to turn to the competent data protection authority (“DPA”) to contest that decision of refusal. Regarding transparency, the search engines could only inform their users that some results have been removed if it was not, on this sole basis, possible for them to conclude that a specific individual has asked for this de-listing. Lastly, the WP 29 considers that an effective de-listing decision should have a global territorial reach and affect all domain names, including those ending with .com.

In the second part of its Guidelines, the WP, through its creating a list of “common criteria for the handling of complaints by EU DPAs”, has undertaken to harmonize the way these DPAs should deal with de-listing-related complaints. The WP 29 makes it clear, however, that the assessment of the data subjects’ complaints must be made on a case-by-case basis. The criteria are indeed merely “flexible working tool”, none of which being determinative. They will always have to be applied in accordance with applicable domestic legislation.

These Guidelines complement the report published on 19 September by the EU Commission and aim to rebut the “myths” surrounding the Ruling. This report refutes some ideas that have erroneously emerged, e.g.: the Ruling does not contradict freedom of expression, nor does it allow for censorship. Indeed, it is emphasized that the Ruling does not enable people to have the contested search results removed in all cases, but only if the interest to privacy overrides the respect for other fundamental rights. No less importantly, the EU Commission clarifies the scope of the Ruling, stating that it only concerns the right to be forgotten “regarding search engine results involving a person’s name”. The resulting consequences to this clarification are twofold: (i) only the link to the disputed content can be deleted, the content itself remains unaffected in its original location on the internet; (ii) the content can still be found via the same search engine when using a different query.

Finally, the most recent developments regarding the appropriate implementation of the Ruling are contained in the report published by Google’s Advisory Council (“Report”). This panel of independent experts has been asked to advise Google in this regard. The panel has based its advice on, inter alia, the opinion on experts from all over Europe, the European Court of Human Rights case-law, policy guidelines of new organizations, and also the WP 29 Guidelines discussed above. Remarkably, the Report emphasizes that the Ruling does not establish a general right to be forgotten. Indeed, the balancing test that has to be used by Google might lead to the conclusion that overriding interests justify a de-listing refusal. The Report states that “the Ruling, while reinforcing European citizen’s data protection rights, should not be interpreted as a legitimation for practices of censorship of past information and limiting the right to access information.”

Further, and in line with the WP 29 approach, the Report lists the main criteria to be used for assessing delisting requests: (i) the data subject’s role in public life; (ii) the nature of the information; (iii) the source of the information; and (iv) the time that has elapsed since the original publication. Then, the Report explains key procedural elements in this respect. Two of them are worth emphasizing. Firstly, the Panel advises, as a good practice, that the search engine should notify the publishers of the delisting to the extent allowed by law. That is to say, in compliance with each Member State’s domestic data protection law, among other regulations. Secondly, contrary to the WP 29 Guidelines, the Report states that the de-listing should not operate globally. The rights of the data subjects are, according to the Panel, adequately protected if de-listings apply only to the European versions of the search. This is based on the finding that 95% of all European search queries are conducted on local versions of Google. The Report concludes that “removal from nationally directed versions of Google’s search services within Europe is the appropriate means to implement the Ruling at this stage.”

The Ruling allows for a major enhancement to the data subjects’ right online. However, it seems that this has been widely misinterpreted. To increase clarity regarding its implications, the WP 29, the EU Commission, and later, a panel of experts, have published reports and guidelines on how to implement the Ruling correctly. Although those reports differ in some aspects (e.g., the geographical scope of the de-listing obligation), there seems to be a growing consensus towards the inexistence of the so-called right to be forgotten. The Ruling is a mere application of the balancing test that must be made, on a case-by-case basis, between, on the one hand, the rights to privacy and data protection, and on the other hand, the rights to freedom of expression and access to information.

Click here to read a PDF version of the 51st edition of our ICT Law Newsletter. 

Team

Related news

26.08.2021 BE law
Sarah De Wulf and Malik Baba co-authored a book dedicated to the legal aspects of the video-game industry

Articles - The book, entitled 'Legal Aspects of the video-game industry', provides a first answer to the most important legal questions that might arise in the lifecycle of a video-game company. These insights are intended to be applicable irrespective of jurisdictions, illustrated by real-life situations and easy to read for individuals without a legal background.

Read more

13.09.2021 NL law
Adopting the new Standard Contractual Clauses to secure international personal data transfers

Short Reads - Recently, the European Commission issued an implementing decision on standard new contractual clauses (“SCCs”) for the transfer of personal data to countries outside the European Economic Area. Organisations need to use the new SCCs from 27 September 2021 and onwards. Transitional periods apply for existing international data transfer agreements. To meet their obligations under the General Data Protection Regulation, organisations need to make the appropriate changes in time.

Read more

26.08.2021 EU law
Facebook/Belgian DPA: Landmark ruling on cross-border enforcement under the GDPR

Short Reads - On 15 June 2021, the CJEU delivered an important judgment on the one-stop-shop mechanism. While the CJEU reinforced that the lead supervisory authority is the sole interlocutor in cross-border processing operations, it also contributed to the effective enforcement of the GDPR by reiterating the conditions under which supervisory authorities other than the lead supervisory authority can bring enforcement actions against such processing operations.

Read more

09.09.2021 BE law
Digital Law Up(to)date: (1) Parliamentary initiatives about cyber attacks; (2) ‘Zero tariff’ options before the CJEU; and (3) Council of State, GDPR and encryption

Articles - In this blog, we briefly present three interesting news in the field of digital law: (1) Parliamentary initiatives to tackle cyber attacks (2) "Zero tariff" options and open internet access do not mix! (3) Council of State, GDPR and encryption: validation of a decision of the Flemish Authorities

Read more

22.07.2021 NL law
Towards a European legal framework for the development and use of Artificial Intelligence

Short Reads - Back in 2014, Stephen Hawking said, “The development of full artificial intelligence could spell the end of the human race.” Although the use of artificial intelligence is nothing new and dates back to Alan Turing (the godfather of computational theory), prominent researchers – along with Stephen Hawking – have expressed their concerns about the unregulated use of AI systems and their impact on society as we know it.

Read more