Google reprimanded by Belgian SA

Google was reprimanded by the Belgian SA due to lack of transparency concerning a request to have articles delisted.

 

This recent decision by the Belgian SA concerns a lawyer who was previously disbarred less than 10 years ago, who had requested that articles and information concerning his disbarment be delisted. The complainant currently works as a legal advisor and had his complaint dismissed by the Belgian SA. According to this report by the EDPB, the Authority reprimanded Google for a lack of transparency in this case. Under the GDPR, the Belgian SA recognized some shortcomings in the manner in which Google handled the complainant’s request. 

 

Google reprimanded by Belgian Supervisory Authority despite the complaint made against the company being dismissed

 

While the Belgian Supervisory Authority dismissed complaints regarding Google’s refusal to delist, the Authority found it necessary to reprimand the company due to SuperSonics in the manner in which the delisting request was handled. Google did not honor the complainants request based on a reasoning that the public still has an interest to access the information concerning the lawyer in the search engine. The Belgian Supervisory Authority, while not in disagreement with this, found that the complainant was effectively ‘passed around’ from Google Ireland to Google LLC via Google Belgium, and that there were issues with the quality of the statement of why the delisting is refused. This statement was said to lack transparency, and to be in violation of Article 12 of the GDPR. 

 

The Belgian Supervisory Authority found issues with the quality of the response to the data subject’s request.

 

With regard to Article 17 of the GDPR, the Belgian Supervisory Authority found Google to be in violation of article 12 of the GDPR. Article 17 relates to the data subject’s right to erasure, and while the authority dismissed the complaints of the data subject in this instance, the company was found to be in violation of Article 12 due to the lack of transparency in responding to the data subject’s request. Article 12 states that “the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language…” In this case, due to unclear identification of the controller, the authority found issues with the quality of the response to the data subject’s request, and reprimanded the company. 

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Right to erasure: Controller ordered to delete photos

Right to erasure is behind Slovenia supervisory authority IPRS’s recent decision, ordering a controller to delete 88 photos.

 

Slovenian SA recently ordered a data controller to delete a collection of 88 photos of a data subject, taken over a period of time 7 to 15 years ago. The order, which came this July, was on the basis of the data subject’s right to erasure, as reported by the EDPB. Article 17 of the GDPR gives data subjects the right to obtain, from the controller, the erasure of personal data concerning him or her without undue delay, under certain conditions. The controller in this case, a content production agency, creating content on the topic of lifestyle, processed a collection with a total of 88 photos of the data subject, and complainant in this case. The data subject claimed she  did not give permission to have her personal data processed, and then explicitly objected to the processing of her personal data stating also that there were no compelling legitimate grounds for the processing of her data.

 

The controller declined the data subject’s demand to have the photos deleted, claiming that the processing was lawful.

 

The controller refused the data subject’s demands to have her photos removed claiming that the processing was lawful under Article (6) (1) (f) of the GDPR. However, controller’s claims that the processing was needed for exercising his freedom of expression with regard to media activities, as well as for the public’s right to information and on the basis of legitimate interests did not hold up. The Supervisory Authority maintained that the data subject in this case has the right to erasure of her personal data, and that the right to personal data protection needs to be balanced with the right to freedom of expression and information.

 

The photos and other data features on the website were organized in such a way that a profile could be created on the data subject through a search of her name.

 

The Slovenian Supervisory Authority found that all the photos indeed represented personal data which formed part of a filing system. The thumbnail and the description of the photos were accompanied by the first and last name of the individual. From the photos and the information provided,it was possible to determine which events she attended, who her company was, and also her personal characteristics. A search for the data subject’s name through the website’s search engine could create a profile highlighting the photos and data about her in particular. The content of the website cannot be understood as reporting on a specific event, because it enables a search on the basis of first and last name.

The Supervisory Authority ordered the removal of the photos and any related data, upholding the data subject’s right to erasure.

 

The Supervisory Authority ordered that  the controller must delete, not just the photos from the website, but also the name of the individual, URL address and any metadata that enabled access to photographs. Publications of this nature are usually intended only for revealing interesting information to satisfy the curiosity of members of the public who seek information about public events and on the personal lives of specific people. However, by the Slovenian Supervisory Authority’s measure, the data subject was not an absolute public figure, and the content of the website did not contribute to any debate of social importance nor did they relate to any topic of public interest. In addition, the controller failed to demonstrate its legitimate interests. As a result, the Slovenian SA decided to uphold the complaint.

 

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today

Google Wins landmark privacy case on right to be forgotten

Google Wins landmark privacy case on right to be forgotten

Judges at the Court of Justice of the European Union this week ruled that Google does not have to apply the GDPRs right to be forgotten globally.

 

On Tuesday September 24th, in what is being lauded as a landmark privacy case, Luxembourg-based judges said operators of a search engine are not required to carry out a de-referencing on all versions of its search engine. This means that firms like Google—when acting on an individuals request to remove personal data; i.e their right to be forgotten,—only need to remove links from search results in Europe and nowhere else.

The court ruling stemmed from a May 2015 dispute between French Data Protection Authority, the CNIL, and Google Inc where the CNIL gave Google Inc formal notice to apply de-referencing requests to all its search engines domains and name extensions. Google Inc however refused to do so and confined itself to removing the links in question from only the results displayed in EU member states. As a result on March 10, 2016, the CNIL imposed a EUR100,000 penalty on Google Inc. Google subsequently requested that the Council of State, France, annul the March 10, 2016 adjudication on the grounds that the right to be forgotten does not necessarily require that the links at issue are to be removed, without geographical limitation, from all its search engines domain names.

 

On Tuesday the court ruled in favor of Google Inc, concluding that:

Currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.

However, EU law requires a search engine operator to carry out such a de-referencing on the versions of its search engine corresponding to all the Member States and to take sufficiently effective measures to ensure the effective protection of the data subjects fundamental rights. Thus, such a de-referencing must, if necessary, be accompanied by measures which effectively prevent or, at the very least, seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subjects name from gaining access, via the list of results displayed following that search, through a version of that search engine outside the EU, to the links which are the subject of the request for de-referencing.

GDPR’s Right to Be Forgotten

An individual’s right to request to have personal data erased falls under article 17 of the GDPR. This is known as their right to erasure or the right to be forgotten. This right is however not absolute and only applies in certain circumstances.

According to the ICO an individual has the right have their personal data erased if:

“the personal data is no longer necessary for the purpose which you originally collected or processed it for;
you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
you are processing the personal data for direct marketing purposes and the individual objects to that processing;
you have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
you have to do it to comply with a legal obligation; or
you have processed the personal data to offer information society services to a child.”

Dr Bostjan Makarovic, Aphaia managing partner, further explains: “Like other GDPR rights, one could not expect the right to be forgotten to apply globally, without limitations. The latest ECJ Google right to be forgotten ruling further clarifies the limits of the GDPR’s extraterritorial effects.”

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.