The right to be forgotten is regulated in Article 17 GDPR, which grants individuals the right to request, on certain grounds, erasure of their personal data.
“Right to be Forgotten”. A famous one over the last few years, right? The case known as Google Spain v. Costeja Gonzalez is the origin of this concept. Let’s proceed first with an overview of what happened. In 2010, a Spanish citizen requested Spanish a newspaper and Google (both Google Inc. and Google Spain) to remove the data concerning a confiscation order for his house, which had been fully resolved for several years though, but the information was still displayed and available when his name was entered in the Google search engine. Google appealed AEPD decision and the National High Court of Spain presented some questions to the European Court of Justice (CJEU) for a preliminary ruling. The CJEU ruled that a data subject may request the provider of an online search engine (“search engine provider”) to “remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful”.
Right to be Forgotten is regulated in Article 17 GDPR (“right to erasure”). EDPB guidelinesaim to interpret the Right to be Forgotten in the search engines cases in light of the provisions of Article 17.1 GDPR, together with article 21 GDPR, which grants the right to object and can serve as a legal basis for delisting requests.
When it comes to article 17.2. GDPR, EDPB just points out that “the statement by the Article 29 Working Party, saying that search engine providers “should not as a general practice inform the webmasters of the pages affected by de-listing of the fact that some webpages cannot be acceded from the search engine in response to specific queries” because “such communication has no legal basis under EU data protection law”, remains valid”.
The grounds of the right to request delisting under GDPR
Article 17.1 sets out a general principle to erase the data in the six following cases:
a. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (Article 17.1.a).
Within the context of the Right to request delisting, the key is the balance between the protection of privacy and the interests of Internet users in accessing to the information. The EDPB provides the following examples of scenarios where a data subject may exercise his or her right to request delisting pursuant to Article 17.1.a:
• information about a data subject held by a company have been removed from the public register;
• a link to a firm’s website contains the contact details of a data subject who is no longer working in that firm;
• information had to be published on the internet for a number of years to meet a legal obligation and remained online longer than the time limit specified by the legislation.
b. the data subject withdraws consent on which the processing is based (Article 17.1.b).
The CJEU has interpreted that this clause is unlikely to apply when it comes to a delisting request because the controller to whom the data subject gave his or her consent is the web publisher, not the search engine operator that indexes the data. However, whenever a data subject withdraws his or her consent for the use of his or her data on a particular web page, the original publisher of that web page should inform search engine providers.
c. the data subject exercised his or her Right to object to processing of his or her personal data pursuant to Article 21.1 and 21.2 GDPR (Article 17.1.c).
Unlike the former Data Protection Directive, the GDPR does not impose on the data subject an obligation to demonstrate “compelling legitimate grounds” in order object to a processing “on grounds relating to his or her particular situation”. As a result, when a search engine provider receives a request to delist based on the data subject’s particular situation, it must now erase the personal data unless it can demonstrate “overriding legitimate grounds” for the listing of the specific search result. Therefore there is a need for assessing the particular situation of the data subject together with the classic criteria, such as his or her role in public life, how his or her privacy is affected, the nature of the information, whether the information has been verified, when the facts are dated, etc.
d. the personal data have been unlawfully processed (Article 17.1.d).
The notion of unlawful processing shall be interpreted both in view of Article 6 GDPR and also broadly, as the infringement of a legal provision other than the GDPR.
e. the erasure is compliant with a legal obligation (Article 17.1.e).
Compliance with a legal obligation may result from an injunction, an express request by national or EU law for being under a “legal obligation to erase” or the mere breach by the data controller of the retention period.
f. the personal data have been collected in relation to the offer of information society services to a minor (Article 17.1.f which refers to Article 8.1).
According to Directive 2000/31/EC, Information society services are not restricted to “services giving rise to on-line contracting but also, in so far as they represent an economic activity, extend to services which are not remunerated by those who receive them, such as those offering on-line information or commercial communications, or those providing tools allowing for search, access and retrieval of data”.
The exceptions to the right to request delisting under article 17.3 GDPR
Article 17.3 GDPR states that 17.1 and 17.2 GDPR will not apply when processing is necessary. However, according to the EDBP, those exceptions under Article 17.3 GDPR do not appear suitable in case of a delisting request, and such inadequacy pleads in favor of the application of Article 21 GDPR. Let’s see the reason why:
a. for exercising the right of freedom of expression and information (Article 17.3.a).
The CJEU recognised in the Costeja judgement and repeated recently in the Google 2 judgment that the processing carried out by a search engine provider can significantly affect the fundamental rights to privacy and data protection law when the search is performed using the name of a data subject. The Court also considered that the rights of the data subjects will prevail, in general, on the interest of Internet users in accessing information through the search engine provider. However, it identified several factors that may influence such determination, as for example: the nature of the information or its sensitivity, and especially the interest of Internet users in accessing information, an interest that can vary depending on the role played by the interested party in public life. This means that, depending on the circumstances of the case, search engine providers may refuse to delist a content, but they are required to be able todemonstrate that its inclusion in the list of results is strictly necessary for protecting the freedom of information of internet users.
b. for compliance with a legal obligation that requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller(Article 17.3.b).
In view of EDPB, the content of this exemption makes it difficult to apply to the activity of search engine providers as the processing of data by them is based, in principle, on the legitimate interest of the search engine provider.
c. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 (2) as well as Article 9 (3) (Article 17.3.c).
Considering the activity that search engine providers develop, which implies that they do not produce or present information, it is difficult to imagine the existence of legal provisions that oblige search engine providers to disseminate certain information instead of setting the obligation for that publication to be carried out in other web pages that will then be linked by search engine providers.
On another note, search engines providers are not public authorities and therefore do not exercise public powers by themselves. However, they could exercise those powers if they were attributed by the law of a Member State or of the Union. In the same way that they could carry out missions of public interest if their activity was considered necessary to satisfy that public interest in accordance with national legislation. Nonetheless, given the characteristics of search engine providers, it is unlikely that Member States will grant them public powers or consider that their activity or part of it is necessary for the achievement of a legally established public interest.
d. for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89 (1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing (Article 17.3.d).
These purposes must be objectively pursued by the search engine provider. The possibility that the suppression of results could significantly affect research purposes or statistical purposes pursued by users of the search engine provider’s service is not relevant for the application of this exemption. It should also be noted that these purposes may be objectively pursued by the search engine provider, without a link between the name of the data subject and the search results being necessary.
e. for the establishment, exercise or defense of legal claims (Article 17.3.e).
Delisting request supposes the suppression of certain results from the search results page that the search engine provider offers when the name of a data subject is normally used as search criteria. The information remains accessible using other search terms.
It is important to stress that, even though the above is focused on processing by search engine providers and delisting requests submitted by data subjects, Article 17and Article 21 GDPR are applicable to all data controllers.