Which kind of Right to be Forgotten?

BitfaceOn 26th November, the Art. 29 WG, which gathers 28 national Data Protection Authorities, adopted its Guidelines on the implementation of the European Court of Justice Judgment of 13 May 2014 on the Right to be Forgotten. Art. 29 WG has been working on these Guidelines over the past months and has consulted various stakeholders (search engines or media companies).


The Guidelines are to be welcome as they aim at ensuring a consistent handling of complaints by European Data protection Authorities facing requests lodged by individuals following delisting refusals by search engines.


Basically, the Guidelines contain two parts:


- on interpretation of the ECJ ruling (Part I)


- on the list of common criteria for the handling of complaints by Data Protection Authorities (Part II)


Some relevant points in PART I refer to:


-          territorial effect of a de-listing decision. The Guidelines state that limiting de-listing to EU domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the ECJ ruling, but de-listing should also be effective on all relevant domains, including .com.


-          refusal of delisting requests by search engines. Sufficient explanation to the data subject about the reasons for the refusal must be provided by the search engine, which should inform the complainant that they can turn to the Data Protection Authority or to Court if they are not satisfied with the answer.


-          scope of the ECJ ruling. While the ruling is specifically addressed to search engines, it can also be applied to other intermediaries whenever the conditions established in the ruling are met.


The PART II of the Guidelines sets out criteria to be considered by DPAs when handling a complaint such as:


-          what constitutes a role in public life?


-          when the data subject is a minor


-          accuracy of the data


-          relevant and not excessive data


-          data with a disproportionate negative privacy impact


The Right to be Forgotten has been one of the major issues of discussion within the ongoing Data Protection reform. However, building on the ECJ ruling on the Google Case, it is clear that Art. 17 of the proposed General Data Protection Regulation does not create a new Right to be Forgotten ex novo. This has been confirmed by the ECJ ruling which has recognised the existence of a Right to be Forgotten based on the data subject’s right to object to the processing of personal data relating to him/her under legitimate grounds (as already established by Art. 14 of the Directive 95/46/EC). For the ECJ the current legal framework already provides the data subject with recourse and the necessary protection.


Having said that, it is even more important that the future Data Protection Regulation limits very clearly the boundaries of the Right to be Forgotten in the interest of data subjects and data controllers. The future rules on the Right to be Forgotten need to provide legal certainty, as important Fundamental Rights are at stake.


In any case, a conciliation model between the freedom of expression and information should be clearly established, to ensure that those rights are not limited more than what is strictly necessary and acceptable in a democratic society.