On December 11, 2019, the European Data Protection Board (“EDPB”) published its draft guidelines 5/2019 (the “Guidelines”) on the criteria of the right to be forgotten in search engine cases under the EU General Data Protection Regulation (“GDPR”). The Guidelines aim to provide guidance on: (1) the grounds on which individuals can rely for submitting a request for the right to be forgotten in relation to links to web pages containing their personal data; and (2) the exceptions to the right to be forgotten that search engine operators could use to reject such a request. The Guidelines will be supplemented by an appendix on the assessment of criteria for the handling of individuals’ complaints by EU data protection authorities following the refusal by search engine operators to grant the individuals’ request.
Background and Scope
The Court of Justice of the European Union (the “CJEU”) previously held in its 2014 Costeja decision that individuals have a right to request that search engine operators erase one or more links to web pages from the list of results displayed by search engines in response to searches of the individual’s name (“delisting request”). This is the “right to request delisting,” more commonly known as the “right to be forgotten.”
The right to be forgotten is now recognized in Article 17 of the GDPR, which grants individuals the right to request, on certain grounds, erasure of their personal data and requires all data controllers to erase the personal data when those grounds are met, subject to exceptions. The Guidelines address those grounds and exceptions in the context of delisting requests. The Guidelines do not address the obligation provided for in Article 17(2) of the GDPR that requires data controllers who have made the personal data public to inform other data controllers of the individual’s request for erasure. The Guidelines clarify that the GDPR does not require search engine operators who have received a delisting request to inform the third party who made that information public on the Internet. Separate specific guidelines will be issued in relation to the obligation of Article 17(2) of the GDPR.
Although the right to be forgotten is explicitly provided for in Article 17 of the GDPR, the Guidelines clarify that this right implies not only the right for individuals to obtain erasure of links to web pages containing their personal data, but also their right to object to the processing of their personal data under Article 21 of the GDPR. The Guidelines note that there is an intrinsic link between the two GDPR rights, because the exercise of the right to object is one of the six grounds for the right to obtain erasure. Data controllers have an obligation to erase personal data where (1) individuals object to the processing of their personal data based on reasons relating to their particular situation under Article 21(1) of the GDPR, and (2) data controllers cannot demonstrate that there are compelling legitimate reasons for the data processing, which override those reasons. The Guidelines therefore explain that both Article 17 and Article 21 of the GDPR can serve as a legal basis for delisting requests.
The Guidelines also provide that when an individual submits a delisting request and obtains the delisting of particular content, that specific content will not appear in the list of search results displayed following a search based on the individual’s name, but this will not result in their personal data being completely erased. The personal data will not be erased from the source website, nor from the index and cache of the search engine operator. Nevertheless, the Guidelines emphasize that, in some cases, search engine operators will need to carry out full erasure in their indexes or caches, and erase the URL to the content, e.g., in the event they stop respecting robots.txt requests implemented by the original web publisher.
Grounds of the Right to Be Forgotten
While in theory all the grounds of Article 17 of the GDPR are applicable to delisting requests, the Guidelines recognize that, in practice, some will never or rarely be used. Individuals will most likely be able to request delisting because (1) they consider it is no longer necessary that their personal data is processed by the search engine and/or (2) they exercise their right to object to the processing of their personal data based on reasons relating to their particular situation under Article 21(1) of the GDPR. If a delisting request is based on the right to object under Article 21(1) of the GDPR, the delisting request will require carrying out a balance between the reasons relating to the individual’s particular situation and the search engine’s compelling legitimate grounds for listing the specific search result. In this case, search engine operators can invoke the exceptions to the right to be forgotten under Article 17 of the GDPR as compelling legitimate grounds.
Exceptions to the Right to Be Forgotten
According to the Guidelines, Article 17’s exceptions to the obligation to erase personal data are inadequate in the case of a delisting request. The Guidelines point instead to applying Article 21 of the GDPR in connection with delisting requests, which requires carrying out the above balance. The balance between the protection of privacy and the interests of Internet users in accessing information through the search engine, as discussed by the CJEU in its 2014 Costeja decision, can be relevant to conduct such assessment. Similarly, the guidelines of the former Article 29 Working Party on the implementation of the Costeja decision can still be used by search engine operators and EU data protection authorities to assess a delisting request based on the right to object. The Guidelines conclude that, depending on the circumstances of the case, search engine operators may refuse to delist content where they can demonstrate that its inclusion in the list of results is strictly necessary for protecting the freedom of information of Internet users.
The EDPB is accepting comments on these Guidelines until February 5, 2020.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code