05 Feb 2020

Response to draft EDPB Guidelines on the right to be forgotten in search engine cases

Executive summary

The right to erasure is central to the General Data Protection Regulation’s (GDPR) system of safeguards. Its application is particularly interesting following the Costeja judgment, which has clarified its application to search engines. We therefore welcome the European Data Protection Board’s (EDPB) draft Guidelines on the right to be forgotten (RTBF) in search engine cases, which build on previous guidance from the Article 29 Working Party (WP29).

Our members’ experience indicates that data protection authorities (DPAs) in most instances confirm the decisions taken prima facie by search engine providers when reviewing appeals lodged by data subjects, which represent a small fraction of all RTBF requests received. This shows that the criteria and delicate balance established by Costeja, and further fleshed out in DPA decisions and national case law, are working well.

DIGITALEUROPE hence welcomes the EDPB’s confirmation that the right to request delisting under Arts 17 and 21 of the GDPR does not change the findings of the Court of Justice of the EU (CJEU) in Costeja. For the same reasons, we also welcome the acknowledgement that the criteria for delisting developed by the WP29 remain accurate and applicable to delisting requests.

In our submission, we highlight some aspects of the draft Guidelines that we find would benefit from additional clarity.


Balance of interests

It is important to note that the GDPR has not introduced a change in approach to the RTBF following the Costeja ruling. In fact, Costeja already required search engine providers to balance the rights of the data subjects in light of their particular situation against the public interest in accessing information. Importantly, such public interest can constitute a compelling, overriding legitimate ground for the search engine provider to refuse the data subject’s request under Art. 21(1).

In this context, we welcome the EDPB’s acknowledgement of the relevance of case law from the European Court of Human Rights (ECHR) in press matters when assessing the balance between data subjects’ privacy rights and the public’s interest in accessing and imparting information.

Freedom of expression and information

In light of the above, we are confused by the draft Guidelines’ blanket assertion that exceptions under Art. 17(3) are not suitable to delisting requests. Notably, such exceptions include processing that is necessary for exercising the right to freedom of expression and information (Art. 17(3)(a)).

As a matter of fact, Section 2.1 of the draft Guidelines directly contradicts this statement as it describes the balance recognised in both the Costeja and Google 2 judgments and subsequently concludes, correctly, that ‘depending on the circumstances of the case, search engine providers may refuse to delist content in the event where they can demonstrate that its inclusion in the list of results is … necessary for protecting the freedom of information of internet users.

We urge the EDPB to provide a more granular examination of this ground for refusal in the final Guidelines, in particular noting that the Google 2 judgment has discussed the specific relevance and role of Art. 17(3)(a) in terms of the balance between data subjects’ rights and the right to freedom of expression in this context, as opposed to the balancing act under Art. 21(1).

See notably para. 81 in Costeja. The draft Guidelines, on the contrary, seem to imply otherwise when they state that ‘delisting requests now imply to make the balance’ (p. 8, emphasis added). We suggest this be corrected in the final version.

A person’s name

The CJEU’s ruling in Costeja was clear that the RTBF only affects results obtained from searches made ‘on the basis of a person’s name’ and does not require deletion of links from the indexes of the search engine altogether.

However, the draft Guidelines refer to searches performed ‘as a main rule’ on a person’s name. If the EDPB’s intention here is to emphasise that the RTBF applies to any search query that includes the data subject’s name, e.g. name accompanied by another term or combination of terms, that should be clarified in the final Guidelines to avoid confusion. Nevertheless, we note that, after the Costeja ruling, courts in different Member States have in multiple cases rejected attempts by data subjects to extend the right to delisting to queries including other terms in addition to the person’s name.

Notice to affected websites

The EDPB’s position regarding the lack of a legal basis for submitting removal notices about URLs affected by an RTBF delisting to webmasters seems to contradict the explicit requirements set out in other EU legislation.

In particular, the P2B Regulation requires online search engine providers, when altering the ranking order or delisting a particular website following third-party notification, to offer the possibility for the corporate website user to inspect the contents of the notification.

We therefore urge the EDPB to clarify in the final Guidelines that there can be legal grounds under EU data protection law to provide notice to affected websites.

Child requests

The fact that the data subject making an RTBF request is a child is clearly an important factor to consider as part of the search engine’s assessment, which balances the privacy rights and the child’s special conditions against the right to freedom of expression and information. We consider that the rights of children will most likely outweigh other rights at stake, unless there is an unusually strong public interest at stake.

However, we believe the draft Guidelines are incorrect in finding that the indexing of information by search engine providers constitutes the direct offering of information society services to a child, hence falling within the scope of Art. 8(1). A search engine’s aim when indexing such information is not to offer a service to the child. In addition, the legal basis for such processing is not consent, which Art. 8 specifies in relation to children, as clearly recognised elsewhere in the draft Guidelines.

The final Guidelines should clarify that, while in practice many RTBF requests involving children likely result in a delisting decision, such requests are assessed based on the requirements of Art. 17(1)(c), not Art. 17(1)(f).

No longer necessary for the search engine’s purposes

As recognised by the EDPB’s, search engines process data subjects’ personal data for the purpose of making information more easily accessible for internet users. The draft Guidelines also restate, as established in Costeja, that search engines are separate controllers in that the purpose for which they process the personal data is different from the purpose for which the personal data may have originally been published by the webmaster.

Therefore, it does not automatically follow that, if the purpose for which the personal data was originally published by the webmaster no longer exists, the purpose for which search engines process that information has also ceased to exist.

For these reasons, we believe that the ground under Art. 17(1)(a) is as a matter of fact unlikely to apply – the purpose of making information more easily accessible for internet users is still likely to be valid, while Art. 17(1)(a) may be invoked with the webmaster. In this context, the final Guidelines should reflect the fact that, if the webmaster takes action on the basis of Art. 17(1)(a) and removes the personal data from the web pages concerned, such action will automatically be reflected on the search results returned by search engines as soon as there is a recrawling of those pages.

For more information please contact:
Alberto Di Felice
Director for Infrastructure, Privacy and Security
Back to Cybersecurity
View the complete Policy Paper
PDF
Our resources on Cybersecurity
resource 16 Mar 2020
Encryption: finding the balance between privacy, security and lawful data access
Policy Paper 05 Dec 2019
DIGITALEUROPE’s commentary on CSPCERT’s recommendations to ENISA for a Cloud Security Certification Scheme
Policy Paper 24 Oct 2019
Defining the way forward for IoT security and certification schemes
Hit enter to search or ESC to close
This website uses cookies
We use cookies and similar techonologies to adjust your preferences, analyze traffic and measure the effectiveness of campaigns. You consent to the use of our cookies by continuing to browse this website.
Decline
Accept