On Wednesday 25th November the European Data Protection Authorities collective body the Article 29 Working Party (WP29) met to adopt guidelines on the implementation of the Court of Justice of the European Union (CJEU) ruling of 13th May in the Google v. Gonzalez case – the so called right to be forgotten case. There’s a recap on the ruling in that case in our original alert of 19th May here.
The WP29 guidelines were published yesterday after some initial confusion as to whether WP29 would commit to a publication date. In part their release looks a little hurried with a number of typographical errors. The fact that WP29 have been transparent and published their guidelines finally is however to be welcomed.
WP29 express some concerns about Google’s interpretation of the Court’s decision that it applies only to Google’s European domains. For example searches to www.google.co.uk can bring different results to those of www.google.com as Google has applied the right to be forgotten only to its European sites. WP29’s press release says that “limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the ruling. In practice, this means that in any case de-listing should also be effective on all relevant .com domains”. They also seem to criticise the notice Google have adopted saying searches may not be complete as a result of the CJEU ruling.
In a move that will ameliorate some of the most difficult aspects of the CJEU ruling WP29 say that data protection authorities (DPAs) across the EU will focus on claims where there is a clear link between the data subject and the EU “for instance where the data subject is a citizen or resident of an EU Member State”. They also remind DPAs of the balance between private rights and the public’s need to know “if the interest of the public overrides the rights of the data subject, de-listing will not be appropriate”. Those having a role in public life are not defined by the CJEU decision but DPAs will assume “business-people and members of the (regulated) professions can usually be considered to fulfill a role in public life”. Hopefully this will put an end to the practice of individuals outside the EU, with little connection to any EU Member State, trying to use the right to be forgotten to clean up their somewhat sordid reputations.
In addition WP29 seem to have tried to redress the balance a little between the person making the request and the person receiving it. In the cases we have handled almost exclusively those wanting to exercise the right to be forgotten and their lawyers have made wide all-encompassing requests for any and all data on them to be deleted. This was never the intention of the CJEU ruling and hopefully WP29’s guidelines will put an end to this practice. The guidelines say “in order for the search engine to be able to make the required assessment of all the circumstances of the case, data subjects must sufficiently explain the reasons why they request delisting, identify the specific URLs and indicate whether they fulfil a role in public life, or not”.
In many respects WP29’s guidelines are to be welcomed however questions remain as to whether they have done too little too late. Google clearly acted more quickly than WP29 have done. As we reported in our alert of 20th October Google’s public consultation exercise seems considerably wider than that of WP29. They were quick to set up their own procedure and by October they had evaluated 498,737 URLs as a result of 146,357 requests received from within the EU. Some individual DPAs (including the UK Information Commissioner Christopher Graham) have been active in speaking at events and gathering public opinion. Others have not.
At the same time from our experience right to be forgotten requests are being made almost exclusively by people with an unsavoury past. Hopefully the WP29 guidelines and Google’s own procedures will make those individuals and their lawyers think through the public interest in knowing about their previous track record before sending out unfocused and ill-advised right to be forgotten requests.
For more information contact Jonathan Armstrong who is a lawyer with Cordery in London where his focus is on compliance issues. Lawyers at Cordery have experience in handling right to be forgotten claims and have made representations to the European Commission about a proposed new statutory right to be forgotten. For details of Cordery’s data protection practice click here.
Jonathan Armstrong Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
jonathan.armstrong@corderycompliance.com