On November 25, 2014, the Article 29 Working Party agreed guidelines for data protection authorities seeking to apply the Court of Justice of the European Union (CJEU) ruling reached earlier this year against Google, which has become known as the right to be forgotten or “RTBF” ruling. The full guidelines have not yet been published, but the Working Party has now released a short statement that already addresses some important issues.
The Working Party guidelines are not legally binding, but will influence enforcement decisions made by Europe’s data protection authorities.
These clarifications are written for data protection authorities, but will also help Google and other search engines understand the requirements set out in the CJEU judgment in better detail; we’ll provide more information in a later blog post when the full guidance is released.
The CJEU ruling found that search engines, by virtue of collecting, indexing, and displaying information in response to searches on individual names, “must be classified as processing …personal data” within the scope of European data protection law.
The CJEU also found that Google was subject to European data protection law (contrary to Google’s assertions in the case) because Google’s search engine data processing occurred “in the context of the activities of an establishment of the controller on the territory of the Member State” — specifically, in the context of the activities of Google’s Spanish subsidiary, which conducts marketing and sales for search engine advertising in Spain.
As a result, the CJEU ruled that “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages” when requested by that person under rights of objection set out in the Data Protection Directive. These rights, held the CJEU, were binding on the search engine if the search results in question were “inadequate, irrelevant or no longer relevant, or excessive in relation to those purposes and in the light of the time that …elapsed,” except in specific cases involving a heightened public interest (i.e., when a serving politician requests de-listing of information relating to a scandal).
The Press Release
The CJEU ruling in May left many questions open. One question, for example, was whether Google was required to block requested names only for European domain names such as Google.co.uk and Google.fr, or more broadly for all Google search domains. The Working Party has now reached a position on this issue, and explains in the new press release that “limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the ruling. In practice, this means that in any case de-listing should also be effective on all relevant .com domains.”
The Working Party guidance also clarifies that Google is not required to block the surfacing of requested links if searches lead to the same result without using the individual’s name. (For example, a search for “John Doe, privacy lawyer, London” might be the subject of a de-listing, but the same de-listed result could still be allowed to surface for “privacy lawyer, London.”)
There was also uncertainty as to who could make requests to Google. The Working Party has now explained that although all persons “have a right to data protection under EU law,” in practice, enforcement of the right by data protection authorities will “focus on claims where there is a clear link between the data subject and the EU,” including scenarios where the requestor is a resident or citizen of the EU.