Tag Archive: right to be forgotten

FRANCE: France’s Highest Administrative Court Requests a Preliminary Ruling from the ECJ on the Right To Be Forgotten

By Carol A.F. Umhoefer (carol.umhoefer@dlapiper.com) and Caroline Chancé (caroline.chance@dlapiper.com)

 

On February 24, 2017, France’s highest administrative court (the “Conseil d’Etat”) submitted to the European Court of Justice (“ECJ”) a series of questions raising serious issues with regard to the interpretation of the 1995 Data Protection Directive in light of the ECJ’s 2014 ruling in the Google v. Costeja case[1].

 

The Conseil d’Etat had received from four individuals their appeals against decisions of the French data protection authority (“CNIL”). In each case, the CNIL rejected the appellant’s complaint seeking an order that Google Inc. remove certain links from the list of results displayed following a search of each appellant’s name. The links direct to content on third party sites relating to the appellants, and specifically:

 

  • a 2011 video, posted anonymously, that explicitly reveals the nature of the relationship that the first appellant was deemed to have entertained with a person holding a public office, and alleges that such relationship was beneficial for the appellant’s political career;
  • a 2008 press article relating to the suicide of a Church of Scientology member, mentioning that the second appellant was the public relations manager of that Church; the appellant no longer holds that position;
  • various articles dating from 1995 relating to criminal proceedings for illegal political party financing in which the third appellant was charged; the appellant was acquitted in 2010; and
  • articles (date not mentioned) relating to the conviction of the fourth appellant for sexual assault of minors and mentioning intimate details relating to the appellant that were revealed at the trial.

 

Noting that in each case the published information is either sensitive data or concerns offenses and criminal convictions, the Conseil d’Etat questions whether and to what extent the prohibition on processing such data applies to search engine operators, as they are only required to comply with data protection requirements “within the framework of [their] responsibilities, powers and capabilities” (para. 38 of the Google v. Costeja case).

 

The Conseil d’Etat has therefore declined to rule, stating that appellants’ claims raise serious questions of interpretation regarding the implementation of the right to be forgotten, and has deemed it necessary to refer to the ECJ for a preliminary ruling on the following questions:

 

  1. Considering the specific responsibilities, powers and capabilities of search engine operators, does the prohibition on processing sensitive data and data relating to offenses and criminal convictions, subject to certain exceptions, apply to search engine operators as controller of the processing in the search engine?
  2. If yes:
    1. Does this mean that search engines must systematically delist links to webpages processing sensitive and/or data relating to offenses and criminal convictions, whenever the relevant individual so requests?
    2. How do the exceptions to the prohibition apply? In particular, can search engine refuse to delist links if they find, for example, that the data subject consented to the processing of their personal data or that the data has been disclosed to the public by the data subject or is necessary for the establishment, exercise or defense of legal claims?
    3. Can search engines refuse to delist links to websites processing such data for journalistic purposes
  3. If no:
    1. What data protection law requirements must the search engines comply with, considering their specific responsibilities, powers and capabilities?
    2. When search engines find that webpages contain illicit content and their delisting is requested:
      1. Are the search engines required to remove the links to those webpages from the search results?
      2. Or are they required to take this circumstance into account when assessing the delisting request?
      3. Or does this circumstance have no impact on such assessment?
      4. If it does have an impact, how must the lawfulness of a publication be appreciated when the personal data contained in such publication originates from processing that fall outside the territorial scope of the 1995 Directive and Member State laws?
  4. Irrespective of the response to the first question:
    1. Irrespective of the lawfulness of the publication:
      1. If an appellant demonstrates that his/her personal data has become incomplete, inaccurate or outdated, do search engines have to delist the links?
      2. More specifically, if an appellant demonstrates that the information regarding a past judicial procedure no longer reflects his/her current situation, do search engines have to delist links to webpages containing such information?
    2. Does information regarding an individual’s indictment or trial, and the subsequent conviction, constitute data relating to offenses and criminal convictions? More generally, do webpages containing this type of information fall within the scope of these requirements?

 

Almost three years after the Google v. Costeja case, and many intense debates around its interpretation and implementation, the right to be forgotten returns to its progenitor for much needed clarification.

 

For more information, please contact carol.umhoefer@dlapiper.com or caroline.chance@dlapiper.com

[1] Case C-131/12

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/france-frances-highest-administrative-court-requests-a-preliminary-ruling-from-the-ecj-on-the-right-to-be-forgotten/

FRANCE: The CNIL Fines Google €100,000 Over Right To Be Forgotten

The French data protection authority (the “CNIL”) will not settle for a compromise, or so says its recent decision to fine Google Inc. €100,000 for failing to properly implement the so-called “right to be forgotten”.

By Carol Umhoefer (Carol.Umhoefer@dlapiper.com) and Caroline Chancé (Caroline.Chance@dlapiper.com).

Earlier this month, Google announced it was adapting its approach to the right to be forgotten following discussions between the Mountain View, California firm and EU data protection authorities, in particular the CNIL, which in May 2015 issued a cease and desist order against Google Inc. (see previous post here) and rejected its appeal in September 2015 (see previous post here).

Despite reports that some EU data protection authorities saw this as a potentially acceptable solution, on March 10, 2016, the French regulator ordered Google Inc. to pay a €100,000 fine for violation of individuals’ right to object to the processing of their personal data and the right to delete their personal data, in light of the landmark decision of the Court of Justice of the European Union (“ECJ”) in Costeja v. Google[1].

For the CNIL, in order to be compliant with French law, Google Inc. must delist links from all Google Search extensions globally, and unconditionally. Google Inc. argued that this extraterritorial reach of the right to be forgotten is likely to raise conflict of laws issues and impair other States’ sovereignty (see previous post here). In particular, Google expressed concerns that a global delisting would disproportionately undermine the freedom of expression and information. But the CNIL countered that the purpose of its decision is to ensure “effective and complete protection of data subjects“, as required by the ECJ.

A Google spokesman has already confirmed they will appeal the CNIL’s decision[2].

If the CNIL’s decision becomes definitive, Google will have to further adapt its approach to the right to be forgotten or face up to € 300,000 in additional administrative fines.

For further information, please contact Carol.Umhoefer@dlapiper.com or Caroline.Chance@dlapiper.com.

[1] Case C-131/12, Google Spain and Google Inc. v. Agencia Espanola de Protección de Datos (AEPD) and Mario Costeja Gonzalez, May 13, 2014

[2]France fines Google over ‘right to be forgotten’“, Julia Fioretti, Reuters, March 24, 2016 (http://www.reuters.com/article/us-google-france-privacy-idUSKCN0WQ1WX)

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/france-the-cnil-fines-google-e100000-over-right-to-be-forgotten/

RIGHT TO BE FORGOTTEN: Google Adapts Its Approach To The EU Right To Be Forgotten

Will the arm wrestling between Google and the EU data protection authorities regarding the implementation of the so-called “right to be forgotten” come to an end?  Almost a year after the CNIL issued a cease and desist against Google, the search engine announced it will expand the right to be forgotten to all Google domains, based on geolocation, starting this week.

By Carol Umhoefer (Carol.Umhoefer@dlapiper.com) & Caroline Chancé (Caroline.Chance@dlapiper.com).

On March 4, 2016, Google announced that it will use geolocation signals (like IP addresses) to restrict access to delisted URL on all Google search engine domains, including google.com, when accessed from the country of the person requesting the removal. This new approach will be applied prospectively but also “retrospectively”, to all previous delistings by Google under the ECJ’s decision in Costeja v. Google[1].

What does this change? Until now, Google delisted search results from all EU versions of the Google search engine, such as google.fr, google.co.uk or google.de, as well as from the Andorra, Icelandic, Liechtenstein, Norwegian and Swiss extensions, regardless of the country of origin of the request. This meant that delisted results were no longer accessible to Internet users using those extensions, but were still available on other versions of Google, such as google.com, google.ca or google.co.jp.

The EU data protection authorities did not consider Google’s approach to be compliant. In the view of the French data protection authority, the CNIL, the various geographic extensions are simple means of access to processing. Therefore, if a search engine agrees to delist a result, it must do it on all the extensions. The CNIL’s reasoning is that to do otherwise deprives the right to be forgotten of its effectiveness. In fact, the CNIL issued a cease and desist to Google, Inc. in May 2015, ordering it to de-index the entirety of Google’s indexing services and thus all extensions of the search engine.  Google appealed to no avail (see previous posts here and here).

Google has now proposed, in addition to its existing practice, to delist results from all extensions, but only for persons searching in the specific country where the delisting request was made. This means that users in other EU countries will still be able to find those results and the search engine will still be processing the data of the person requesting the delisting, even though the negative consequences will obviously be mitigated as people in the same country won’t have access to the delisted links, whatever extension they use.

Will this new approach satisfy the EU data protection authorities? The CNIL has not yet issued its position. Nevertheless, filtering may be an acceptable (or possibly interim) compromise, particularly if applied to the entire EU, as opposed to limiting it to the country where the request was made. People in other EU countries presumably have a lesser interest in finding information regarding the person who made the delisting request. Moreover, if results are completely delisted in the country where the request was made, completely delisting in the EU should not be a problem, either technically or legally. As for the rest of the world, the right to be forgotten could still conflict with other jurisdictions’ laws.

It will therefore be interesting to see whether EU regulators will insist that links be completely delisted for anyone worldwide, as the CNIL first requested in its formal notice, essentially putting search engines in a situation where they would certainly be exposed to financial sanctions in the EU or violate other jurisdictions’ freedom of speech principles  (see previous post here).

In any case, the right to be forgotten will not be forgotten, and in fact has been taken up outside the EU. For example, it has been reported[2] that a Japanese court recently ordered Google to delete from its search engine news reports of Japanese man convicted of a sex offense involving minors who invoked his right to be forgotten.

For further information, please contact Carol.Umhoefer@dlapiper.com or Caroline.Chance@dlapiper.com.

[1] Case C-121/12, Google Spain and Google Inc. v. Agencia Espanola de Protección de Datos (AEPD) and Mario Costeja Gonzalez, May 13, 2014
[2] Justin McCurry, “Japan recognises ‘right to be forgotten’ of man convicted of child sex offences”, The Guardian, March 1, 2016 (http://www.theguardian.com/technology/2016/mar/01/japan-recognises-right-to-be-forgotten-of-man-convicted-of-child-sex-offences)

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/right-to-be-forgotten-google-adapts-its-approach-to-the-eu-right-to-be-forgotten/

Europe’s Right to be forgotten: update on implementation guidelines

By Patrick Van Eecke and Mathieu Le Boudec

Last week we wrote that the Article 29 Working Party (“Working Party 29”) has adopted guidelines relating to the implementation of the European Court of Justice’s Google ruling on the right to be forgotten. Click here for a previous blog post on this ruling.

These guidelines have now been published and can be consulted here.

The guidelines are important for several reasons. Not only do they clarify the scope of the ruling but they also introduce an harmonized approach by the different national Data Protection Authorities of the EU member states (“DPAs”) when handling de-listing requests. It has been an issue in Europe before that DPA’s have divergent approaches to similar problems. With these guidelines, the DPA’s will at least all follow the same criteria when handling a complaint.

In its Google ruling, the European Court of Justice held that individuals can request search engines, under certain conditions, to de-list certain links from the results for searches based on their names. Where a search engine refuses such a request, the data subject can file a complaint with the DPAs. Based on the complaints they received during the past six months, the DPAs have drafted a non-exhaustive list with thirteen common criteria which can be used as “a flexible working tool” when evaluating such complaints.

Generally more than one criterion will need to be taken into account when taking such decisions and each criterion has to be applied in the light of the principles established by the Court of Justice and in particular in the light of the “the interest of the general public in having access to [the] information”. Even when they are directed towards the DPAs, these criteria will also be very useful for search engines when handling de-listing requests.

 Below we give a quick overview of these criteria. Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europes-right-to-be-forgotten-update-on-implementation-guidelines/

EUROPE: Right to be forgotten guidelines adopted by WP29

Article 29 Working Party adopts guidelines on the implementation on the Right to be Forgotten judgment of the CJEU

 By Patrick Van Eecke , Giulio Coraggio & Julie De Bruyn

The Article 29 Working Party, the European data protection advisory body existing of representatives of the national data protection authorities of the EU Member States, announced yesterday to have adopted guidelines – for national data protection authorities – on the implementation of the Court of Justice’s ruling on the right to be forgotten.

  Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-right-to-be-forgotten-guidelines-adopted-by-wp29/

ITALY: Right to be forgotten and the Google Advisory Council in Rome: main takeaways.

As you all remember, last May the European Court of Justice ruled that Google must allow the de-indexing of web pages containing personal data, further to a lawful enforcement by the relevant data subjects of their right to be forgotten. Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/right-to-be-forgotten-and-the-google-advisory-council-in-rome-main-takeaways/

UK: The ICO’s view on the Google case – and the practical consequences

The UK Information Commissioner’s Office (ICO) recently published a one-page summary of its key findings in relation to this case, along with a blog regarding the practical consequences.  This has some interesting and topical views, which I thought I would share with you.

The ICO’s blog post (here, which has a link to its one page case summary) identifies that the case has grabbed headlines, and put data protection issues firmly into the public forum yet again.  The ICO note four key findings:

1. that search engines may have to remove some search results – but critically this is in respect of their own activities as a data controller, not the removal of the site with the original information on it.  The ICO won’t be enforcing this until there are practical ways of removing the search results – in the same way that there was a tolerance period in respect of the new rules on cookies a couple of years ago;

2. that the current 1995 EU Directive (which led to the 1998 Data Protection Act) still meets some of the challenges posed by technologies – and that the ICO welcome the judgement confirming that search engines are data controllers;

3. applying the “right to be forgotten” will be difficult in practice – many comments seem to overstate the requirements here.  There is no absolute “right to be forgotten”, nor a requirement to remove the original material the search engine was linking to, particularly if it is a journalistic matter, art or literature.  The ICO envisages that bloggers will use the “journalistic” exemption to apply to them.  Here the ICO are realistic as well – the new “right to be forgotten” to be introduced in the new EU Data Protection Regulation will bring individuals closer to having greater rights in their data – but there are still practical considerations to overcome; and

4. the judgement may have been delivered, but this is just the beginning – how will search engines comply?  How will the competing rights of data controllers and data subjects (you and I) be balanced?  Much more guidance is needed in this area, and the ICO are taking this up with their equivalents in other countries to try and determine a common, and correct, approach.  In the meantime, the advice is to ensure that if requests are received, that they are considered appropriately, and consistent with the judgement upholding the data protection rights of individuals. 

For further details, please contact JP Buckley (jp.buckley@dlapiper.com) or to join the discussion on this, please leave a comment.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-the-icos-view-on-the-google-case-and-the-practical-consequences/

The EUCJ has ruled in favour of the “right to be forgotten” in Google’s case

By Bartolome Martin and Diego Ramos

It was made ​​public yesterday, Tuesday, May 13th, the decision of the Court of Justice of the European Union (EUCJ) in Case C-131/12 on the questions submitted by Spanish High Court (Audiencia Nacional) in the proceedings involving Google Spain, SL Google Inc. and the Spanish Data Protection Commissioner and a Spanish citizen.

The decision is particularly striking as it divorces from the criteria proposed by the General Attorney (Mr. Niilo Jääskinen ) in its Conclusions of 25 June 2013 on the right to apply for the de-indexation of certain content. In this sense, in contrast with the position of General Attorney that data subjects cannot exercise their cancellation rights in front of Internet search engine services provider, the EUCJ has confirmed that they are allowed to request the de-indexation of content. The EUCJ defends that, in general, the data subject’s interest must prevail over both the economic interest of the Internet search engine services provider, and the interest of third parties (the general public) of finding a specific information in connection with a given research about the data subject.

The EUCJ accepts however that, the cancellation/ blocking request made by the data subject can be rejected when, for specific reasons (such as having the data subject a public post), the interference with the fundamental rights concerned is justified by the overriding interest of third parties to, as a result of this indexation, have access to information on the data subject. It further clarifies that backing the enforceability of this right does not entail that indexation of the information causes damages to the data subject.

With the above in mind, in principle, it is possible to exercise the so-called “right to be forgotten” in front of Internet search engine services providers, which will be obliged to process such request in all cases, it being only possible to reject cancellation or blocking of data exceptionally, when a major interest of third parties (the public) to find this information by making a research on the data subject is reputed.

Regarding the rest of questions raised within the proceedings brought by the Spanish Audiencia Nacional, the ruling backs the General Attorney and states:

  • The activity of Internet search engine services providers should be considered a “data processing”, as defined in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with respect to the processing of their personal data and the free movement of such data (the Directive).
  • Internet search engine services providers should be considered “data controllers”, as defined in the Directive, as the decide on the purposes and means for the processing.
  • A subsidiary in a Member State of an entity not located in a Member State that is performing an activity closely connected to the activity of the parent company (e.g. to advertise and promote the sale of advertising spaces associated with the search patterns of Google Search users) should be considered as an establishment in said Member State acting “in the framework of the activities” of the Controller (reference contained in Article 4 of the Directive that cannot be interpreted restrictively), and therefore the Member State data protection regulations shall be applicable.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-eucj-has-ruled-in-favour-of-the-right-to-be-forgotten-in-googles-case/