Article 29 Working Party Supports ECJ “Right to be Forgotten” Ruling

Posted by fgilbert on May 23rd, 2014

In a May 23, 2014 press release, the Article 29 Working Party (WP29) has indicated that it welcomes the May 13, 2014 ruling of the European Court of Justice (ECJ), which recognizes a “right to be forgotten” for individuals.

The WP29 also announced that it is planning a discussion among the EU data protection authorities at its upcoming plenary meeting on June 3-4, 2014 to analyze the consequences of the ECJ ruling. The WP29 indicated that it intends to develop guidelines to help build a common approach of EU data protection authorities on the implementation of this ECJ ruling. It is hoped that these guidelines will help clarify the criteria to be used when evaluating a data subject’s request to “be forgotten” against the public’s interest in having access to information.

The ECJ was requested to rule on a data subject’s right to obtain the deletion of links to certain search results. In its May 13, 2014 ruling, the ECJ concluded web users have the right to directly request from the search engine the deletion of the links to web pages containing information breaching their rights under the Directive, even if the publication of the information on the web pages in question is lawful in itself.

The ECJ noted, however, that while the rights to privacy and to the protection of personal data set forth in the EU Charter of Fundamental Rights override the search engine’s economic interest, they are not absolute; the right to deletion of information will have to be assessed on a case by case basis depending on the nature of the information in question, on its sensitivity for the data subject, and on the interest of the public to have access to that information, considering in particular the role played by the data subject in public life.

This decision has significant consequences both for search engines and for the public. Search engines will have to incur costs in responding to individual requests to block unwanted links. Since the publication of the ruling, they have already been flooded by takedown requests from a wide range of individuals. To follow the ruling, they would have to assess and balance, on a case-by-case basis, the individual’s right to be forgotten against the public’s right to information. If links are blocked, the public might be deprived of relevant information that otherwise might be relevant, useful, or necessary in making decisions.

In addition to the above, the ECJ ruling addresses two important issues that have been of great concern to companies that operate their websites on a worldwide basis. First, the ECJ ruling adopts a wide interpretation of the notion of “establishment” for determining the applicability of the EU Directive 95/46/EC and national law to a company when the processing of personal data is carried out in the context of the activities of a subsidiary on the territory of a Member State, set up to promote and sell advertising space in that Member State. This is likely to influence national courts in the European Economic Area into asserting broad scope jurisdiction over companies based on their promotion and advertising activities.

The other important position taken in the May 13, 2014 is the clarification of the concepts of “data processing” and “controller” in the context of the processing of personal data by search engines. So far numerous companies that view themselves as services providers, such as search engines or cloud service providers, have argued that they were only data processors, and that third parties were data controllers. In its May 13, 2014 ruling, the ECJ determined that search engine providers are data controllers when they automatically index information published online and provide such information to web users according to a particular order of preference.

The May 13, 2014 ECJ ruling is a very important decision. It is likely to have significant consequences in many areas of the data protection field, and beyond. It may also affect the current discussions regarding a “right to be forgotten” or a “right to erasure” in the proposed EU Data Protection Regulation.

This post was also published by The Computer & Internet Lawyer (August 2014)  Volume 31, Number 8, page 18 (Wolters Kluwer publisher).

Similar Posts
Posted in Europe

Comments are closed.