On July 22, 2019, the Italian supervisory authority for data protection (“Garante”) issued a judgment involving the so-called “right to be forgotten”. The Garante’s decision explores the boundaries of this right in a case in which Internet users could access an article by using a professional position as a search term, whereas it was not possible to access the article merely by using an individual’s name as a search term.
More specifically, the case before the Garante involved a professional, namely the president of a cooperative, who requested that Google remove a link to online content about him accessible by Internet users. The content was accessible not by entering the individual’s name as a search term, but rather by entering his position as president of the cooperative, an association that serves the interests of members, i.e., social or economic needs or other general aims.
The internet searches in question brought users to an article concerning a criminal proceeding in which the professional was involved and that had occurred approximately a decade before. The story had not been updated to reflect the fact that the criminal proceeding had terminated with an acquittal of the professional.
For this reason, the individual requested that Google remove the search link, on the grounds that this harmed his personal reputation as well as his career. Google refused to remove the URL, arguing that the right to be forgotten did not permit individuals to remove links to stories accessible via searches apart from those based on a person’s name, and cited the judgment of the European Court of Justice in Case C-131/12 (the so-called “Google Spain” decision) in support of its argument.
The Garante held that, in accordance with Article 21 of the GDPR, the data subject has the right to object to the processing of personal data on the grounds of his or her particular situation. On that basis, Google is required to stop the processing of the personal data unless it can demonstrate compelling legitimate grounds.
Furthermore, the Garante made clear that the principles of data protection apply to any information concerning an identified or identifiable natural person. Citing the GDPR’s definition of “personal data”, which refers to “factors specific to cultural or social identity of that natural person”, the Garante concluded that the data subject’s position as president of a cooperative constituted identifiable – and therefore personal – data relating to him.
Finally, the Garante rejected Google’s argument that the damage that the data subject suffered was outweighed by the public interests served by making the story available to the public, especially insofar as the report was incomplete and inaccurate.
For these reasons, the Garante ruled that Google must remove the URL within 20 days from the date of receipt of the decision.