The Article 29 Working Party (WP29) has adopted Right to Be Forgotten Guidelines to help Data Protection Authorities implement the May 13, 2014 judgment of the Court of Justice of the European Union (CJEU) in the case Google Spain SL and Google Inc. v Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez (C-131/12) (“Google Spain”). The WP29 Guidelines provide the WP29’s view on the interpretation of the CJEU’s ruling and identify the criteria that the data protection authorities will use when addressing complaints.
An EU press release published on November 25 announces the upcoming publication of the Guidelines and provides some highlights. The complete text of the Guidelines is expected to be published within the next few days.
In the Google Spain case, the CJEU clarified that Directive 95/46/EC applies to a search engine insofar as the processing of personal data is carried out in the context of the activities of a subsidiary on the territory of a Member State, set up to promote and sell advertising space on its search engine in this Member State with the aim of making that service profitable.
The CJEU also ruled that, under certain conditions, data subjects may request search engines to de-list links that appear in the search results based on the person’s name.
Scope of the Right to Be Forgotten
In its Press Release, the WP29 pointed out that the CJEU ruling expressly states that the right only affects the results obtained from searches made on the basis of a person’s name and does not require deletion of the link from the indexes of the search engine altogether. The original information will still be accessible using other search terms, or by direct access to the source.
This is an important clarification. When implementing a request for de-listing, the only links that must be removed are those that would appear in response to a search for information regarding a specific person’s name. Links to the same article that would be associated with different searches, focusing on a different topic or a different individual, would survive.
Implementation Should be Global
A second element identified in the Press Release is the geographic scope of the de-listing implementation. According to the WP29, de-listing decisions must be implemented in such a way that they “guarantee the effective and complete protection of data subjects’ rights, and that EU Law cannot be circumvented.”
The WP29 stresses that limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the ruling.
In practice, this means that de-listing should also occur and be effective on all relevant .com and other domains. The WP29 expects that search engines, and other organizations that will receive requests under the “right to be forgotten”, will implement the de-listing request on all domains on which they operate, and not just on EU or EEA-based domains.
This is likely to cause concerns for the search engines and other organizations required to implement Right to be Forgotten requests, as it will result in a significant increase in technical work and related administrative costs.
Who would be entitled to the Right to be Forgotten?
The WP29 also indicated that the EU Data Protection Authorities will focus on claims where there is a clear link between the data subject and the EU, such as where the data subject is a citizen or resident of an EU Member State.
Thus, the ruling and the guidelines are directed at activities of EU Data Protection Authorities, and for the benefit of EU/EEA residents. Individuals residing outside the European Economic Area will not be entitled to seek the same privileges from the EU Data Protection Authorities.
13 Common Criteria
The guidelines contain a list of 13 common criteria that the Data Protection Authorities will apply to handle the complaints filed with their national offices following refusals of de-listing. These criteria will be applied on a case-by-case basis and in accordance with the relevant national legislation.
This list of criteria is to be seen as a flexible working tool to help Data Protection Authorities in their analysis of Right to be Forgotten complaints, and during their decision-making process. No single criterion would be determinative. Each of the criteria has to be read in the light of the principles established by the Court and in particular in the light of the public’s interest in having access to the information.
The complete Guidelines are not yet published. They are expected to be published within the next few days.