Articles

WP 29 guidelines on the implementation of the Google Spain Case and Google’s Advisory Council Report on “the Right to be Forgotten”

WP 29 guidelines on the implementation of the Google Spain Case and Google’s Advisory Council Report on “the Right to be Forgotten”

WP 29 guidelines on the implementation of the Google Spain Case and Google’s Advisory Council Report on “the Right to be Forgotten”

30.04.2015

On 13 May 2014 the European Court of Justice (“ECJ”) delivered a landmark ruling, the so-called “Google Spain Case” (“the Ruling”). Because this decision has generated several concerns and could have potentially led to Member States’ diverging application of this case-law, the European Commission (“the Commission”), followed by the Article 29 Working Party (“WP 29”), issued guidelines (“Guidelines”) on the matter.

In February 2015 Google’s Advisory Council published its report on “the Right to be Forgotten” to advise Google on how to implement the Ruling properly. Notwithstanding the broad scope given by some in their interpretation of the Ruling, it seems that the ECJ did not intend its judgment to be one of principle.

In the first part of the Guidelines, the WP 29 specifies the most important elements of the Ruling. It confirms that, according to the ECJ, search engines operators process data are considered data controllers. The legal basis lies in the legitimate interest of the controller or of third parties to which the processed data are disclosed. This legal basis is different from the one justifying the publishing of content by the original publisher. That is why, in some instances, although the publishing of some information by the original publisher might be lawful, the accessibility to those information by means of a search engine might, however, in turn be unlawful. In any event, search engine operators are supposed to assess the legitimacy of the data processing only at the data subjects’ request. Moreover, those data subjects, when they are refused its request to be de-listed, should be allowed to turn to the competent data protection authority (“DPA”) to contest that decision of refusal. Regarding transparency, the search engines could only inform their users that some results have been removed if it was not, on this sole basis, possible for them to conclude that a specific individual has asked for this de-listing. Lastly, the WP 29 considers that an effective de-listing decision should have a global territorial reach and affect all domain names, including those ending with .com.

In the second part of its Guidelines, the WP, through its creating a list of “common criteria for the handling of complaints by EU DPAs”, has undertaken to harmonize the way these DPAs should deal with de-listing-related complaints. The WP 29 makes it clear, however, that the assessment of the data subjects’ complaints must be made on a case-by-case basis. The criteria are indeed merely “flexible working tool”, none of which being determinative. They will always have to be applied in accordance with applicable domestic legislation.

These Guidelines complement the report published on 19 September by the EU Commission and aim to rebut the “myths” surrounding the Ruling. This report refutes some ideas that have erroneously emerged, e.g.: the Ruling does not contradict freedom of expression, nor does it allow for censorship. Indeed, it is emphasized that the Ruling does not enable people to have the contested search results removed in all cases, but only if the interest to privacy overrides the respect for other fundamental rights. No less importantly, the EU Commission clarifies the scope of the Ruling, stating that it only concerns the right to be forgotten “regarding search engine results involving a person’s name”. The resulting consequences to this clarification are twofold: (i) only the link to the disputed content can be deleted, the content itself remains unaffected in its original location on the internet; (ii) the content can still be found via the same search engine when using a different query.

Finally, the most recent developments regarding the appropriate implementation of the Ruling are contained in the report published by Google’s Advisory Council (“Report”). This panel of independent experts has been asked to advise Google in this regard. The panel has based its advice on, inter alia, the opinion on experts from all over Europe, the European Court of Human Rights case-law, policy guidelines of new organizations, and also the WP 29 Guidelines discussed above. Remarkably, the Report emphasizes that the Ruling does not establish a general right to be forgotten. Indeed, the balancing test that has to be used by Google might lead to the conclusion that overriding interests justify a de-listing refusal. The Report states that “the Ruling, while reinforcing European citizen’s data protection rights, should not be interpreted as a legitimation for practices of censorship of past information and limiting the right to access information.”

Further, and in line with the WP 29 approach, the Report lists the main criteria to be used for assessing delisting requests: (i) the data subject’s role in public life; (ii) the nature of the information; (iii) the source of the information; and (iv) the time that has elapsed since the original publication. Then, the Report explains key procedural elements in this respect. Two of them are worth emphasizing. Firstly, the Panel advises, as a good practice, that the search engine should notify the publishers of the delisting to the extent allowed by law. That is to say, in compliance with each Member State’s domestic data protection law, among other regulations. Secondly, contrary to the WP 29 Guidelines, the Report states that the de-listing should not operate globally. The rights of the data subjects are, according to the Panel, adequately protected if de-listings apply only to the European versions of the search. This is based on the finding that 95% of all European search queries are conducted on local versions of Google. The Report concludes that “removal from nationally directed versions of Google’s search services within Europe is the appropriate means to implement the Ruling at this stage.”

The Ruling allows for a major enhancement to the data subjects’ right online. However, it seems that this has been widely misinterpreted. To increase clarity regarding its implications, the WP 29, the EU Commission, and later, a panel of experts, have published reports and guidelines on how to implement the Ruling correctly. Although those reports differ in some aspects (e.g., the geographical scope of the de-listing obligation), there seems to be a growing consensus towards the inexistence of the so-called right to be forgotten. The Ruling is a mere application of the balancing test that must be made, on a case-by-case basis, between, on the one hand, the rights to privacy and data protection, and on the other hand, the rights to freedom of expression and access to information.

Click here to read a PDF version of the 51st edition of our ICT Law Newsletter. 

Team

Related news

14.10.2019 NL law
Kamerdebat over digitalisering van de overheid: aandacht voor bescherming burger vereist

Short Reads - Op 24 september 2019 zijn er vier moties in stemming gebracht én aangenomen door de Tweede Kamer. De moties hebben als gemeenschappelijke deler dat ze in het teken staan van de steeds groter wordende digitalisering bij de overheid. Het achterliggende doel van de moties is dat de burger voldoende beschermd moet worden tegen deze digitalisering.

Read more

27.09.2019 NL law
Stibbe is attending the IBA's annual conference in Seoul

Conference - The annual conference of the International Bar Association (IBA) is currently taking place in Seoul. There are fourteen partners from Stibbe attending the event. Several of them have speaking slots on a wide range of legal topics and will take part in various panel discussions.

Read more

28.08.2019 NL law
Masterclass: e-signature and electronic identifiers

Masterclass - Stibbe is organising a Masterclass on 26 September 2019 in Amsterdam on the subject of e-signature and electronic identifiers. This Masterclass will cover the legal framework and focus especially on the numerous possibilities for applying the various electronic signatures in different situations. In addition, we explain the regulations governing electronic identifiers, and the mandatory European recognition they receive.

Read more

02.10.2019 EU law
Seminar: Data protection implications of (a no-deal) Brexit

Seminar - On October 25th at 9.30 am, we organize a seminar where we will discus the implications of a (no-deal) Brexit on data protection.  These issues affect all businesses interacting between UK and EEA (including EU) and which send or receive data to and from UK. We will highlight the main challenges both in the case of a hard Brexit on 31 October 2019 and in other scenarios. We will also offer guidelines to help your organisation mitigate the respective risks.

Read more

Our website uses functional cookies for the functioning of the website and analytic cookies that enable us to generate aggregated visitor data. We also use other cookies, such as third party tracking cookies - please indicate whether you agree to the use of these other cookies:

Privacy – en cookieverklaring