The Article 29 Working Party published new Guidelines on the Right to be Forgotten on 26 November 2014.  This is the latest chapter in the story which began with the Google Spain case.  In that case, the Court of Justice of the EU (CJEU) decided that EU data protection law already provides individuals with a right to have a relevant or outdated information about them de-listed from appearing in search results.

Here are the key points:

  • Aim of Guidelines:  To guide DPAs on how to implement the CJEU judgment in Google Spain.  The Guidelines also contain a list of common criteria which DPAs can apply in handling complaints, but the criteria should be seen as a “flexible working tool”.  No single criterion is determinative and the list is non-exhaustive!  So individual decisions and assessments will be very much “case-by-case”.
  • Search Engines:  The Guidelines confirm that search engines act as controllers (as per the Court ruling).  The “mischief” is that processing by a search engine could allow you to generate a detailed profile of an individual.  This probably means that individual publishers should be treated as lower risk.
  • Privacy takes Priority:  The rights of the individual, as a general rule, will prevail over commercial interests of the search engine and freedom of expression.  This is the most controversial aspect of the ruling.
  • People “in Public Life”:  DPAs will consider the role played by the data subject in public life.  They are less likely to be able to rely on the right to be forgotten.  Interestingly, people in public life could include politicians, senior public officials, business people and members of regulated professions.
  • Process:  Individuals should be able to exercise their rights using any adequate means (online procedures and electronic forums should not be mandatory).  This could cause practical difficulties in responding to the volume of requests.
  • Extra-territorial scope:  The CJEU ruling says that a non-EU company can be deemed to be “established” in the EU by virtue of its subsidiaries.  This could have much wider implications than intended.  Have another look at your group structure to ensure you are not caught.  For search engines, the .com domains will also have to comply, although DPAs will tend to focus on claims by EU citizens or residents.
  • The Search Engines have to de-list all source content?  No; they only need to de-list in relation to searches made by the name of the individual.
  • Can Search Engines tell users that content has been de-listed?  No; unless notices or statements are made in a consistent way (i.e. permanent general statements on search engines’ webpages).
  • Can Search Engines tell web publishers about proposed de-listing?  In general: No. Only exception will be the “particularly difficult cases” where it is necessary to get a fuller understanding of the circumstances to decide whether to de-list.  So if you publish content that is then de-listed, you won’t necessarily be told about the de-listing.

The Guidelines include a template set of criteria. Search engines are encouraged to publish their own de-listing criteria and make more detailed statistics available.

Optimistically, the Guidelines say that the decision as to whether de-list particular search results will, in essence, be “a routine assessment” as whether the processing of personal data complies with the data protection principles.  Needless to say, it is going to be a bit more complicated than that!