The judgment of the Court of Justice of European Union (CJEU) of 13 May 2014 Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (C-131/12) sets a milestone for EU data protection in respect of search engines and, more generally, in the online world. It grants the possibility to data subjects to request to search engines, under certain conditions, the de-listing of links appearing in the search results based on a person’s name.
On Wednesday 25 November, the European data protection authorities assembled in the Article 29 Working Party (WP29) have adopted guidelines on the implementation of the CJEU’s judgment. These guidelines contain the common interpretation of the ruling as well as the common criteria to be used by the data protection authorities when addressing complaints.
The WP29 guidelines recall that the CJUE ruling confirmed the applicability of Directive 95/46/EC to a search engine insofar as the processing of personal data is carried out in the context of the activities of a subsidiary on the territory of a Member State, set up to promote and sell advertising space on its search engine in this Member State with the aim of making that service profitable.
The judgment expressly states that the right only affects the results obtained from searches made on the basis of a person’s name and does not require deletion of the link from the indexes of the search engine altogether. That is, the original information will still be accessible using other search terms, or by direct access to the source.
The WP29 considers that in order to give full effect to the data subject’s rights as defined in the Court’s ruling, de-listing decisions must be implemented in such a way that they guarantee the effective and complete protection of data subjects’ rights and that EU law cannot be circumvented. In that sense, limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the ruling. In practice, this means that in any case de-listing should also be effective on all relevant .com domains.
Under EU law, everyone has a right to data protection. In practice, DPAs will focus on claims where there is a clear link between the data subject and the EU, for instance where the data subject is a citizen or resident of an EU Member State.
The guidelines also contain the list of common criteria which the data protection authorities will apply to handle the complaints filed with their national offices following refusals of de-listing by search engines. The list contains 13 main criteria and should be seen as a flexible working tool to help DPAs during the decision-making processes. Criteria will be applied on a case by case basis and in accordance with the relevant national legislations.
No single criterion is, in itself, determinative. Each of them has to be read in the light of the principles established by the Court and in particular in the light of the “the interest of the general public in having access to [the] information”.
The Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data is an independent advisory body on data protection and privacy, set up under Article 29 of the Data Protection Directive 95/46/EC. It is composed of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC. The Article 29 Working Party is competent to examine any question covering the application of the data protection directives in order to contribute to the uniform application of the directives. It carries out this task by issuing recommendations, opinions and working documents.
Credit © European Union