Guidelines 05/2019 on criteria of the Right to be Forgotten in search engines

INTRODUCTION

1. Following the Costeja judgment of the Court of Justice of the European Union (“CJEU”) of the 13th ofMay 2014, a data subject may request the provider of an online search engine (“search engine provider”), to erase one or more links to web pages from the list of results displayed following a search made on the basis of his or her name.

2. According to Google’s Transparency Report, the percentage of URLs that Google has not delisted has not increased over the past 5 years since that judgement. However, further to the CJEU judgement, data subjects seem to bemore aware of their right to lodge a complaint for refusals of their delistingrequests since Supervisory Authorities have observed an increase in the number of complaints regarding the refusal by search engine providers to delist links.

3. The European Data Protection Board (the “EDPB”), in accordance with its Action Plan, is developing guidelines in respect of Article 17 of the General Data Protection Regulation (“GDPR”). Until those guidelines are finalised, Supervisory Authorities must continue to handle and investigate, to the extent possible, complaints from data subjects and in a timely manner as possible.

4. Accordingly, this document aims to interpret the Right to be Forgotten in the search engines cases in light of the provisions of Article 17 GDPR (the “Right to request delisting”). Indeed, the Right to be Forgotten has been especially enacted under Article 17 GDPR to take into account the Right to request delisting established in the Costeja judgement.

5. Nonetheless, as under the Directive 95/46/EC of 24 October 1995 (the “Directive”) and as stated by the CJEU in its aforementioned Costeja judgement, the Right to request delisting implies two rights (Right to Object and Right to Erasure GDPR). Indeed, the application of Article 21 is expressly foreseen as the third ground for the Right to erasure. As a result, both Article 17 and Article 21 GDPR can serve as a legal basis for delisting requests. The right to object and the right to obtain erasure were already granted under the Directive. Nonetheless, as it will be addressed, the wording of the GDPR requires an adjustment of the interpretation of these rights.

6. As a preliminary point, it should be noted that, while Article 17 GDPR is applicable to all data controllers, this paper focuses solely on processing by search engine providers and delisting requests submitted by data subjects.

7. There are some considerations when applying Article 17 GDPR in respect of a search engine provider’s data processing. In this regard, it is necessary to state that the processing of personal data carried out in the context of the activity of the search engine provider must be distinguished from processing that is carried out by the publishers of the third-party websites such as media outlets that provide online newspaper content.

8. If a data subject obtains the delisting of a particular content, this will result in the deletion of that specific content from the list of search results concerning the data subject when the search is, as amain rule, based on his or her name. This content will however still be available using other search criteria.

9. Delisting requests do not result in the personal data being completely erased. Indeed, the personal data will neither  be erased from the source website nor from the index and cache of the search engineprovider. For example, a data subject may seek the delisting of personal data from a search engine’s index which have originated from a media outlet, such as a newspaper article. In this instance, the link to the personal data may be delisted from the search engine’s index; however, the article in question will still remain within the control of the media outlet and may remain publicly available and accessible, even if no longer visible in search results based on queries that include in principle the data subject’s name.

10. Nevertheless, search engine providers are not exempt in a general manner from the duty to fully erase. In some exceptional cases, they will need to carry out actual and full erasure in their indexes or caches. For example, in the event that search engine providers would stop respecting robots.txt requests implemented by the original publisher, they would actually have a duty to fully erase the URL to the content, as opposed to delist which is mainly based on data subject’s name.

11. This paper is divided into two topics. The first topic concerns the grounds a data subject can rely on fora delisting request sent to a search engine provider pursuant to Article 17.1 GDPR. The second topic concerns the exceptions to the Right to request delisting according to Article 17.3 GDPR. This paper will be supplemented by an appendix dedicated to the assessment of criteria for handling complaints for refusals of delisting.

12. This paper does not address Article 17.2 GDPR. Indeed, this Article requires data controllers who have made the personal data public to inform controllers who have then reused those personal data through links, copies or replications. Such obligation of information does not apply to search engine providers when they find information containing personal data published or placed on the internet by third parties, index it automatically, store it temporarily and make it available to internet users according to a particular order of preference. In addition, it does not require search engine providers, who have received a data subject’s delisting request, to inform the third party which made public that information on the internet. Such obligation seeks to give greater responsibility to original controllers and try to prevent from multiplying data subjects’ initiatives. In this regard, the statement by the Article 29 Working Party, saying that search engine providers “should not as a general practice inform the webmasters of the pages affected by de-listing of the fact that some webpages can not be acceded from the search engine in response to specific queries” because “such communicationhas no legal basisunder EU data protection law” remains valid. It is also planned to have separate specific guidelines in respect of Article 17.2 GDPR.