On July 22, 2019, the Italian supervisory authority for data protection (“Garante”) issued a judgment involving the so-called “right to be forgotten”.  The Garante’s decision explores the boundaries of this right in a case in which Internet users could access an article by using a professional position as a search term, whereas it was not possible to access the article merely by using an individual’s name as a search term.

More specifically, the case before the Garante involved a professional, namely the president of a cooperative, who requested that Google remove a link to online content about him accessible by Internet users.  The content was accessible not by entering the individual’s name as a search term, but rather by entering his position as president of the cooperative, an association that serves the interests of members, i.e., social or economic needs or other general aims.

The internet searches in question brought users to an article concerning a criminal proceeding in which the professional was involved and that had occurred approximately a decade before.  The story had not been updated to reflect the fact that the criminal proceeding had terminated with an acquittal of the professional.

For this reason, the individual requested that Google remove the search link, on the grounds that this harmed his personal reputation as well as his career.  Google refused to remove the URL, arguing that the right to be forgotten did not permit individuals to remove links to stories accessible via searches apart from those based on a person’s name, and cited the judgment of the European Court of Justice in Case C-131/12 (the so-called “Google Spain” decision) in support of its argument.

The Garante held that, in accordance with Article 21 of the GDPR, the data subject has the right to object to the processing of personal data on the grounds of his or her particular situation.  On that basis, Google is required to stop the processing of the personal data unless it can demonstrate compelling legitimate grounds.

Furthermore, the Garante made clear that the principles of data protection apply to any information concerning an identified or identifiable natural person.  Citing the GDPR’s definition of “personal data”, which refers to “factors specific to cultural or social identity of that natural person”, the Garante concluded that the data subject’s position as president of a cooperative constituted identifiable – and therefore personal – data relating to him.

Finally, the Garante rejected Google’s argument that the damage that the data subject suffered was outweighed by the public interests served by making the story available to the public, especially insofar as the report was incomplete and inaccurate.

For these reasons, the Garante ruled that Google must remove the URL within 20 days from the date of receipt of the decision.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.