Privacy & Information Security Law Blog

On November 26, 2014, the Article 29 Working Party (the “Working Party”) published an Opinion (the “Opinion”) on the Guidelines on the Implementation of the Court of Justice of the European Union Judgment on “Google Spain and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12 (the “Judgment” or “Costeja”). The Opinion constitutes guidance from the Working Party on the implementation of Costeja for search engine operators.

The Opinion consists of two parts: (1) the Working Party’s interpretation of the findings of Costeja with respect to search engines, and (2) a list of common criteria established by European data protection authorities (“DPAs”) for handling complaints concerning a search engine’s refusal to de-list certain links to information.

Part I: Interpretation of the Court of Justice of the European Union (“CJEU”) Judgment

Part I of the Opinion sets out an interpretation of the Working Party, much of which reiterates the judgment.

General and Scope of the Ruling

• The right only affects the results obtained from searches made on the basis of a person’s name. The term “name,” however, should be interpreted to include different versions of a name or different spellings.
• As a general rule, the rights of data subjects will prevail over the economic interests of search engine operators and that of Internet users to have access to personal information through the search engine. A balance has to be struck, however, and the outcome will depend on the nature and sensitivity of the processed data and on the interest of the public in having access to that particular information. The interest of the public will be significantly greater if the data subject plays a role in public life.
• The impact of de-listing on individuals’ rights to freedom of expression and access to information will prove to be limited because (1) Costeja applies only to searches made on the basis of the data subject’s name (and accordingly the relevant information could be found with the use of other appropriate search terms), and (2) the de-listed information will remain available through direct access at the original source.
• The ruling does not apply to “internal” search engines that have a restricted field of action, for example those on newspaper websites.

Data Subject Rights

• Data subjects are not obligated to contact the original website in order to exercise their rights toward search engines.
• In order for search engines to make the required assessment, data subjects must identify the specific URLs at issue, explain why they request de-listing, and indicate whether they fulfill a role in public life.
• Most national data protection laws provide for flexibility in how data subjects may exercise their rights. While the development of specific notification methods by search engines, such as online procedures and forms, may have advantages, they must not be an exclusive way for data subjects to exercise their rights. Search engine operators must provide the opportunity for data subjects to submit requests in any way permitted by the national law of the data subject’s jurisdiction.
• Where a removal request is refused, the search engine operator should provide a sufficient explanation to the data subject as to the reasons for the refusal.
• The effective application of the Judgment requires that affected data subjects should be able to exercise their rights with the national subsidiaries of search engine operations in their EU Member States of residence.

Territorial Effect of De-listing

• Limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains will not be sufficient to achieve complete compliance. Accordingly any de-listing should be effective across all relevant domains, including .com.
• In practice, DPAs will focus on claims where there is a clear link between the data subject and the EU.

Communication with Affected Parties Including Webmasters

• The practice of informing search engine users that some results to searches based on a person’s name have been de-listed could undermine the Judgment. This practice is acceptable only if the information is presented in such a manner that a user cannot determine if a specific individual has asked for the de-listing of results concerning him or her.
• No provision of the Directive requires search engines to communicate to the original webmasters that results relating to their content have been de-listed, and there will not be a legal basis for making such notification routinely under the Directive.
• However, search engines will often have a legitimate interest in contacting original publishers prior to taking making any de-listing decision, in particular where this is necessary to get a fuller understanding of the circumstances.

Part II: List of Common Criteria for Handling Complaints by DPAs

Part II of the Opinion sets out a list of common criteria (and associated commentary) to be used by DPAs in determining if a search engine provider’s refusal to de-list a search result is in compliance with data protection laws. The Opinion emphasizes that the list is flexible, and each of the various criteria identified need to be accounted for in a balancing exercise. Each case needs to be assessed on a case-by-case basis.

The criteria are:

• Does the search result relate to a natural person?
• Does the search result come up against the search on the data subject’s name?
• Does the data subject play a role in public life? Is the data subject a public figure?
• Is the data subject a minor?
• Is the data accurate?
• Is the data relevant and not excessive?
  • Does the data relate to the working life of the data subject?
  • Does the search result link to information which allegedly constitutes hate speech/slander/libel or similar offences in the area of expression against the complainant?
  • Is it clear that the data reflect an individual’s personal opinion or does it appear to be verified fact?
• Is the information sensitive in the meaning of Article 8 of the Directive?
• Is the data up-to-date? Is the data being made available for longer than is necessary for the purpose of the processing?
• Is the data processing causing prejudice to the data subject? Does the data have a disproportionally negative impact on the data subject?
• Does the search result link to information that puts the data subject at risk?
• In what context was the information published?
  • Was the content voluntarily made public by the data subject?
  • Was the content intended to be made public? Could the data subject have reasonably known that the content would be made public?
• Was the original content published in the context of journalistic purposes?
• Does the publisher of the data have a legal right or obligation to make the personal data publicly available?
• Does the data relate to a criminal offense?

Although the criteria are aimed at DPAs, they will serve as a useful starting point for search engine providers in determining their own criteria and processes for assessing de-listing requests.