The European Data Protection Board (“EDPB”) in early December 2019 published its draft guidelines 5/2019 (the “Guidelines”) on the criteria of the right to be forgotten in search engine cases under the EU General Data Protection Regulation (“GDPR”). The Guidelines aim to provide guidance on: (1) the grounds on which individuals can rely for submitting a request for the right to be forgotten in relation to links to web pages containing their personal data; and (2) the exceptions to the right to be forgotten that search engine operators could use to reject such a request. The Guidelines will be supplemented by an appendix on the assessment of criteria for the handling of individuals’ complaints by EU data protection authorities following the refusal by search engine operators to grant the individuals’ request.
Background and Scope
The Court of Justice of the European Union (the “CJEU”) previously held in its 2014 Costeja decision that individuals have a right to request that search engine operators erase one or more links to web pages from the list of results displayed by search engines in response to searches of the individual’s name (“delisting request”). This is the “right to request delisting,” more commonly known as the “right to be forgotten.”
The right to be forgotten is now recognized in Article 17 of the GDPR, which grants individuals the right to request, on certain grounds, erasure of their personal data and requires all data controllers to erase the personal data when those grounds are met, subject to exceptions. The Guidelines address those grounds and exceptions in the context of delisting requests. The Guidelines do not address the obligation provided for in Article 17(2) of the GDPR that requires data controllers who have made the personal data public to inform other data controllers of the individual’s request for erasure. The Guidelines clarify that the GDPR does not require search engine operators who have received a delisting request to inform the third party who made that information public on the Internet. Separate specific guidelines will be issued in relation to the obligation of Article 17(2) of the GDPR.
Although the right to be forgotten is explicitly provided for in Article 17 of the GDPR, the Guidelines clarify that this right implies not only the right for individuals to obtain erasure of links to web pages containing their personal data, but also their right to object to the processing of their personal data under Article 21 of the GDPR. The Guidelines note that there is an intrinsic link between the two GDPR rights, because the exercise of the right to object is one of the six grounds for the right to obtain erasure. Data controllers have an obligation to erase personal data where (1) individuals object to the processing of their personal data based on reasons relating to their particular situation under Article 21(1) of the GDPR, and (2) data controllers cannot demonstrate that there are compelling legitimate reasons for the data processing, which override those reasons. The Guidelines therefore explain that both Article 17 and Article 21 of the GDPR can serve as a legal basis for delisting requests.
The Guidelines also provide that when an individual submits a delisting request and obtains the delisting of particular content, that specific content will not appear in the list of search results displayed following a search based on the individual’s name, but this will not result in their personal data being completely erased. The personal data will not be erased from the source website, nor from the index and cache of the search engine operator. Nevertheless, the Guidelines emphasize that, in some cases, search engine operators will need to carry out full erasure in their indexes or caches, and erase the URL to the content, e.g., in the event they stop respecting robots.txt requests implemented by the original web publisher.
Grounds of the Right to Be Forgotten
While in theory all the grounds of Article 17 of the GDPR are applicable to delisting requests, the Guidelines recognize that, in practice, some will never or rarely be used. Individuals will most likely be able to request delisting because (1) they consider it is no longer necessary that their personal data is processed by the search engine and/or (2) they exercise their right to object to the processing of their personal data based on reasons relating to their particular situation under Article 21(1) of the GDPR. If a delisting request is based on the right to object under Article 21(1) of the GDPR, the delisting request will require carrying out a balance between the reasons relating to the individual’s particular situation and the search engine’s compelling legitimate grounds for listing the specific search result. In this case, search engine operators can invoke the exceptions to the right to be forgotten under Article 17 of the GDPR as compelling legitimate grounds.
Exceptions to the Right to Be Forgotten
According to the Guidelines, Article 17’s exceptions to the obligation to erase personal data are inadequate in the case of a delisting request. The Guidelines point instead to applying Article 21 of the GDPR in connection with delisting requests, which requires carrying out the above balance. The balance between the protection of privacy and the interests of Internet users in accessing information through the search engine, as discussed by the CJEU in its 2014 Costeja decision, can be relevant to conduct such assessment. Similarly, the guidelines of the former Article 29 Working Party on the implementation of the Costeja decision can still be used by search engine operators and EU data protection authorities to assess a delisting request based on the right to object. The Guidelines conclude that, depending on the circumstances of the case, search engine operators may refuse to delist content where they can demonstrate that its inclusion in the list of results is strictly necessary for protecting the freedom of information of Internet users.
The EDPB is accepting comments on these Guidelines until February 5, 2020.
Blog courtesy of Hunton Andrews Kurth, a U.S.-based law firm with a Global Privacy and Cybersecurity practice that’s known throughout the world for its deep experience, breadth of knowledge and outstanding client service. Read the company’s privacy blog here.