Europe’s Right to be forgotten: update on implementation guidelines

In an earlier newsletter, we wrote that the Article 29 Working Party ("Working Party 29″) has adopted guidelines relating to the implementation of the European Court of Justice's Google ruling on the right to be forgotten. Click here for a previous blog post on this ruling.

These guidelines have now been published and can be consulted here.
The guidelines are important for several reasons. Not only do they clarify the scope of the ruling but they also introduce an harmonized approach by the different national Data Protection Authorities of the EU member states ("DPAs") when handling de-listing requests. It has been an issue in Europe before that DPA's have divergent approaches to similar problems. With these guidelines, the DPA's will at least all follow the same criteria when handling a complaint.

In its Google ruling, the European Court of Justice held that individuals can request search engines, under certain conditions, to de-list certain links from the results for searches based on their names. Where a search engine refuses such a request, the data subject can file a complaint with the DPAs. Based on the complaints they received during the past six months, the DPAs have drafted a non-exhaustive list with thirteen common criteria which can be used as "a flexible working tool" when evaluating such complaints.
Generally more than one criterion will need to be taken into account when taking such decisions and each criterion has to be applied in the light of the principles established by the Court of Justice and in particular in the light of the "the interest of the general public in having access to [the] information". Even when they are directed towards the DPAs, these criteria will also be very useful for search engines when handling de-listing requests.
Below we give a quick overview of these criteria.

1. Does the search result relate to a natural person - i.e. an individual? And does the search result come up against a search on the data subject's name?
European data protection rules only apply to natural persons. It is interesting to note that the Working Party also considers pseudonyms and nicknames as relevant search terms.

2. Does the data subject play a role in public life? Is the data subject a public figure?
The Court of Justice has made an exception for de-listing requests from data subjects that play a role in public life, where there is an interest of the public in having access to information about them.
Whilst the Working Party 29 is of the opinion that it not possible to establish with certainty the type of role in public life which is required to justify public access to information about them via searches based on their name, it states by way of example that politicians, senior public officials, business-people and members of the (regulated) professions can usually be considered to fulfill such a role.

However this criterion seems to be broader than those examples suggest since it encompasses all situations "where the public having access to the particular information would protect them against improper public or professional conduct."
Note that this criterion is certainly broader than "public figures" which can be defined as individuals who, due to their functions or commitments, have a degree of media exposure. If applicants for de-listing are public figures, and the information in question does not constitute genuinely private information, it is likely that de-listing will be refused.

3. Is the data subject a minor?
As a general rule, if a data subject is still a minor at the time of the publication of the information, de-listing of the relevant results will be more likely.

4. Is the data accurate?
De-listing of a search result will more likely be considered appropriate where there is inaccuracy as to a matter of fact and where this presents an inaccurate, inadequate or misleading impression of an individual.

5. Is the data relevant and not excessive?
On the basis of these criteria is assessed whether the information contained in a search result is relevant or not according to the interest of the general public in having access to the information. Relevance is also closely related to the data's age.

6. Is the information sensitive within the meaning of Article 8 of the Directive 95/46/EC?
Because of the greater impact sensitive data (i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and data concerning health or sex life) have on the private life of individuals, it is more likely that de-listing will be granted in respect of search results that reveal such information.

7. Is the data up to date? Is the data being made available for longer than is necessary for the purpose of the processing?
The purpose of this criterion is to ensure that information that has become inaccurate because it is out-of-date, is de-listed.

8. Is the data processing causing prejudice to the data subject? Does the data have a disproportionately negative privacy impact on the data subject?
Although there is no obligation for the data subject to demonstrate prejudice in order to request de-listing, this would be a strong factor in favor of de-listing.

9. Does the search result link to information that puts the data subject at risk?
In cases where the risks (e.g. identity theft or stalking) are substantive, DPAs are likely to consider that the de-listing of a search result is appropriate.

10. In what context was the information published?
a. Was the content voluntarily made public by the data subject?
b. Was the content intended to be made public? Could the data subject have reasonably known that the content would be made public?

Personal data can only be processed on a few legal grounds. If the only legal basis for the original publication on the internet is consent and the individual subsequently revokes his or her consent, the publishing lacks a legal basis and must therefore cease. This has also an influence on de-listing requests of results which contain links to such information. The Working Party states that, if in such cases the individual concerned is unable to revoke his or her consent, and a de-listing request is refused, the DPAs will generally consider that de-listing of the search result is appropriate.

11. Was the original content published in the context of journalistic purposes?
European data protection rules contain some exceptions for the processing (such as publishing) of personal data in the context of journalistic purposes. However the Google ruling clearly distinguishes between the legal basis for (i) the original publication by the media, and the legal basis for (ii) search engines to organise search results based on a person's name. Hence search engines cannot rely on these exceptions.
Nevertheless the DPAs will take into account the fact that journalists have to be able to inform the general public. At this moment it is not very clear what the precise influence of this criterion will be on de-listing requests. Note that the Google case itself concerned the de-listing of a link to a newspaper.

12. Does the publisher of the data have a legal power - or a legal obligation - to make the personal data publicly available?
Where this is the case, de-listing may not be considered appropriate. However DPAs may consider that de-listing is appropriate even if there is a legal obligation to make the content available on the original website.

13. Does the data relate to a criminal offence?
As a general rule, de-listing of search results relating to minor offences that happened a long time ago is more likely to be obtained than de-listing of results relating to more serious ones that happened more recently. However, these issues will be handled on a case-by-case basis taking into account the applicable national laws.

Zie ook : DLA Piper LLP ( Mr. Patrick Van Eecke )

Click here to see the ad(s)

Laatste artikels van Mr. Patrick Van Eecke

Dynamic IP-addresses can be "personal data" says EU Court of Justice

On October 19, 2016, the European Court of Justice decided on the question whether or not dynamic IP-addresses consti...

Read more

Belgian Privacy Commission issues a 13 step plan for companies preparing for GDPR compliance

Following a series of guidance published by fellow national DPAs, the Belgian Privacy Commission launched a 13 step GDPR-r...

Read more

Cookies: Belgian Privacy Commission publishes official guidance

Almost one year after the publication of the draft version, the Belgian Privacy Commission has recently issued the final v...

Read more

Connected Cars & Privacy: Automotive industry adopts consumer privacy principles

Last week proved to be an important week for privacy and data protection in the US: while representatives of the European ...

Read more

LexGO Network