On November 26, 2014, the Article 29 Working Party (the “Working Party”) published an Opinion (the “Opinion”) on the Guidelines on the Implementation of the Court of Justice of the European Union Judgment on “Google Spain and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12 (the “Judgment” or “Costeja”). The Opinion constitutes guidance from the Working Party on the implementation of Costeja for search engine operators.
The Opinion consists of two parts: (1) the Working Party’s interpretation of the findings of Costeja with respect to search engines, and (2) a list of common criteria established by European data protection authorities (“DPAs”) for handling complaints concerning a search engine’s refusal to de-list certain links to information.
Part I: Interpretation of the Court of Justice of the European Union (“CJEU”) Judgment
Part I of the Opinion sets out an interpretation of the Working Party, much of which reiterates the judgment.
General and Scope of the Ruling
- The right only affects the results obtained from searches made on the basis of a person’s name. The term “name,” however, should be interpreted to include different versions of a name or different spellings.
- As a general rule, the rights of data subjects will prevail over the economic interests of search engine operators and that of Internet users to have access to personal information through the search engine. A balance has to be struck, however, and the outcome will depend on the nature and sensitivity of the processed data and on the interest of the public in having access to that particular information. The interest of the public will be significantly greater if the data subject plays a role in public life.
- The impact of de-listing on individuals’ rights to freedom of expression and access to information will prove to be limited because (1) Costeja applies only to searches made on the basis of the data subject’s name (and accordingly the relevant information could be found with the use of other appropriate search terms), and (2) the de-listed information will remain available through direct access at the original source.
- The ruling does not apply to “internal” search engines that have a restricted field of action, for example those on newspaper websites.
Data Subject Rights
- Data subjects are not obligated to contact the original website in order to exercise their rights toward search engines.
- In order for search engines to make the required assessment, data subjects must identify the specific URLs at issue, explain why they request de-listing, and indicate whether they fulfill a role in public life.
- Most national data protection laws provide for flexibility in how data subjects may exercise their rights. While the development of specific notification methods by search engines, such as online procedures and forms, may have advantages, they must not be an exclusive way for data subjects to exercise their rights. Search engine operators must provide the opportunity for data subjects to submit requests in any way permitted by the national law of the data subject’s jurisdiction.
- Where a removal request is refused, the search engine operator should provide a sufficient explanation to the data subject as to the reasons for the refusal.
- The effective application of the Judgment requires that affected data subjects should be able to exercise their rights with the national subsidiaries of search engine operations in their EU Member States of residence.
Territorial Effect of De-listing
- Limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains will not be sufficient to achieve complete compliance. Accordingly any de-listing should be effective across all relevant domains, including .com.
- In practice, DPAs will focus on claims where there is a clear link between the data subject and the EU.
Communication with Affected Parties Including Webmasters
- The practice of informing search engine users that some results to searches based on a person’s name have been de-listed could undermine the Judgment. This practice is acceptable only if the information is presented in such a manner that a user cannot determine if a specific individual has asked for the de-listing of results concerning him or her.
- No provision of the Directive requires search engines to communicate to the original webmasters that results relating to their content have been de-listed, and there will not be a legal basis for making such notification routinely under the Directive.
- However, search engines will often have a legitimate interest in contacting original publishers prior to taking making any de-listing decision, in particular where this is necessary to get a fuller understanding of the circumstances.
Part II: List of Common Criteria for Handling Complaints by DPAs
Part II of the Opinion sets out a list of common criteria (and associated commentary) to be used by DPAs in determining if a search engine provider’s refusal to de-list a search result is in compliance with data protection laws. The Opinion emphasizes that the list is flexible, and each of the various criteria identified need to be accounted for in a balancing exercise. Each case needs to be assessed on a case-by-case basis.
The criteria are:
- Does the search result relate to a natural person?
- Does the search result come up against the search on the data subject’s name?
- Does the data subject play a role in public life? Is the data subject a public figure?
- Is the data subject a minor?
- Is the data accurate?
- Is the data relevant and not excessive?
- Does the data relate to the working life of the data subject?
- Does the search result link to information which allegedly constitutes hate speech/slander/libel or similar offences in the area of expression against the complainant?
- Is it clear that the data reflect an individual’s personal opinion or does it appear to be verified fact?
- Is the information sensitive in the meaning of Article 8 of the Directive?
- Is the data up-to-date? Is the data being made available for longer than is necessary for the purpose of the processing?
- Is the data processing causing prejudice to the data subject? Does the data have a disproportionally negative impact on the data subject?
- Does the search result link to information that puts the data subject at risk?
- In what context was the information published?
- Was the content voluntarily made public by the data subject?
- Was the content intended to be made public? Could the data subject have reasonably known that the content would be made public?
- Was the original content published in the context of journalistic purposes?
- Does the publisher of the data have a legal right or obligation to make the personal data publicly available?
- Does the data relate to a criminal offense?
Although the criteria are aimed at DPAs, they will serve as a useful starting point for search engine providers in determining their own criteria and processes for assessing de-listing requests.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code