Deconstructing WP29 RTBF guide and a look to the future
On 26 November 2014, the Article 29 Working Party (WP29) issued Guidelines on the interpretation of the Court of Justice of the European Union (CJEU) ruling on Google Spain v the Spanish Data Protection Authority and Mario Costeja Gonzalez (‘the Ruling’), setting out a list of common criteria that European data protection authorities (DPAs) would take into account when considering the right to be forgotten (‘RTBF’) in relation to complaints received from individuals. According to Nuria Pastor, Senior Associate at Fieldfisher London, the Guidelines are in line with the Ruling but they further elaborate on certain legal and practical aspects of it and, as a result, offer invaluable insight into the DPAs vision of the future of the RTBF.
While the Guidelines help to frame the current debate regarding the content and limits of the RTBF, it is also useful to understand what the RTBF is not.
First, the RTBF is not entirely a new right. The Data Protection Directive 95/46/EC (‘the Directive’) does not regulate the RTBF as such but it recognises two rights on which the RTBF is based, namely the right to erase and the right to block one's personal data. Article 17 of the draft General Data Protection Regulation (GDPR) provides explicitly for a RTBF which is based on the existing right of erasure, although it is defined more broadly.
Second, the RTBF is not an absolute right and it is limited by other fundamental rights.
Last, but not least, the RTBF does not concern only search engines.
So far, it is mainly search engines who have been under intense scrutiny by DPAs regarding the manner in which they implement the findings of the Ruling in practice. However, non-search engine controllers are also receiving RTBF requests.
The legal test
The Guidelines do not discuss the CJEU’s interpretation of Articles 12 (right to erasure) and 14 (right to blocking) of the Directive on which the RTBF is founded. However, they acknowledge the fact that the conditions laid down by these rights must be met in order to be able to exercise the RTBF.
The WP29 confirmed that search engines are controllers in their own right and their processing activities are separate from those of the website publishers that originally published the information.
The WP29 also argues that, as a general rule, the rights of individuals must prevail over the economic interests of the search engines and the right of the general public to access such information. However, it also acknowledges the necessity to find a balance between the different rights at stake. The outcome of this balancing exercise may depend on the nature of the personal data processed and the interest of the public to access information depending on the role of the individual in public life.
Furthermore, it describes the set of criteria that the DPAs will use in order to assess complaints, such as the role of the individual in public life; the accuracy of the personal data; the sensitive nature of the data; whether the individual is a minor; any prejudice caused to the individual; the relevance of the personal data; whether the individual has withdrawn his/her consent for the processing of his/her personal data; whether the controller originally published the personal data on the basis of a legal obligation, etc.
The WP29 emphasises that the criteria (1) are a 'flexible working tool' that will have to be applied on the basis of national legislation; (2) are likely to be combined with one another; and (3) must be implemented in light of the interest of the general public in having access to the information.
In line with the Ruling, the Guidelines argue that Google’s personal data processing operations as a search engine are carried out in the context of Google's establishments in EU countries, and therefore, the local laws of the EU member states where those establishments are located, will apply. As a result, WP29 argues that:
- national DPAs may take actions against the local subsidiaries of the search engine;
- individuals may exercise their rights before the national subsidiaries of the search engines; and
- individuals cannot be forced to deal with other establishments of the search engines.
The WP29 also indicates that its Chair will contact search engines in order to clarify ‘which EU establishment should be contacted by the competent DPA’, which seems to indicate that DPAs might allow a certain degree of centralisation on the part of the search engines when dealing with the DPAs. This echoes some aspects of the draft GDPR under which controllers would be allowed to identify a ‘main EU establishment’ for the purpose of dealing with DPAs.
One of the most controversial conclusions in the Guidelines is that limiting the de-listing to the EU domains of the search engines cannot be considered sufficient to satisfactorily guarantee the rights of the data subjects, and therefore, de-listing decisions should be implemented in all domains, including ‘.com’.
The above confirms the trend of extending the application of EU privacy laws (and regulatory powers) beyond the traditional interpretation of current territorial scope rules under the Directive and will present search engines with legal uncertainly and operational challenges.
The WP29 confirms that the Ruling only affects searches carried out by using the name of the individual and that the de-listed information may still be available through the search engines via other search criteria and on the website of the publishers that originally published the information.
The Guidelines argue that the precedent set out by the judgment against Google only applies to generalist search engines and not to search engines with a limited scope of action (for instance, search engines within a website).
However, controllers should not be complacent. Both EU-based and non-EU-based search engine and non-search engine controllers are already receiving these types of requests. Furthermore, under the draft GDPR, individuals would be able to exercise their RTBF before any data controller so it is only a matter of time before the scope of this right becomes broader.
What will happen in practice?
In its Guidelines, the WP29 advises that:
- Individuals should be able to exercise their rights using ‘any adequate means’ and cannot be forced by search engines to use specific electronic forms or procedures;
- Search engines must follow national data protection laws when dealing with requests;
- Both search engines and individuals must provide ‘sufficient’ explanations in their requests/decisions;
- Search engines must inform individuals that they can turn to the DPAs if they decide not to de-list the relevant materials;
- Search engines should be encouraged to publish their de-listing criteria;
- Search engines should not inform users that some results to their queries have been de-listed (WP29’s preference is that this information is provided generically); and
- Search engines should not inform website publishers that originally published the information about the fact that some pages have been de-listed in response to a RTBF request.
The WP29 emphasises that the impact on the freedom of expression of original publishers and users will be ‘very limited’. Only time will tell whether this is the case. What we know now is that:
- EU data protection law is clearly heading towards the establishment of a legal regime that enhances the rights of individuals. However, the RTBF is not an automatic right and its regulation under the draft GDPR is still far from being agreed.
- European DPAs support the findings of the Ruling. The Guidelines, to a certain extent, reduces the level of legal uncertainly surrounding the Ruling.
- The Ruling interprets Articles 12 and 14 of the Directive broadly and takes into account the way in which the RTBF is regulated in Article 17 of the draft GDPR.
As a result, the case law that will gradually develop around this precedent may influence the DPAs’ future interpretation of the RTBF under the Regulation.
Controllers subject to EU data protection law, especially those that are not search engines, face challenging times. Whilst a full regulation of the RTBF under the GDPR is delayed by the slow progress of the legislative process, EU Regulators are inclined to make decisions with the forthcoming Regulation in mind. Controllers are therefore are advised to:
- Closely follow the decisions and the views of the EU Regulators as they develop.
- If they think they are likely to receive RTBF requests (or indeed have already started to receive them) put procedures in place in order to efficiently deal with RTBF requests. Such procedures should be based on the national data protection laws they are subject to today and take into account the criteria set out in the Opinion.