EU Issues “Right To Be Forgotten” Criteria
Last week the EU issued formal guidelines surrounding the so-called “Right to Be Forgotten” (RTBF). They are intended to help privacy regulators and search engines implement the RTBF. And they include some controversial elements. I’ve embedded the full document below and won’t try and treat it comprehensively. Below are the formal considerations that the EU […]
Last week the EU issued formal guidelines surrounding the so-called “Right to Be Forgotten” (RTBF). They are intended to help privacy regulators and search engines implement the RTBF. And they include some controversial elements.
I’ve embedded the full document below and won’t try and treat it comprehensively. Below are the formal considerations that the EU data protection authorities want considered in evaluating any RTBF request:
- Does the search result relate to a natural person – i.e. an individual? And does the search result come up against a search on the data subject’s name?
- Does the data subject play a role in public life? Is the data subject a public figure?
- Is the data subject a minor?
- Is the data accurate?
- Is the data relevant and not excessive?
- Is the information sensitive within the meaning of Article 8 of the Directive 95/46/EC?
- Is the data up to date? Is the data being made available for longer than is necessary for the purpose of the processing?
- Is the data processing causing prejudice to the data subject? Does the data have a disproportionately negative privacy impact on the data subject?
- Does the search result link to information that puts the data subject at risk?
- In what context was the information published?
- Was the original content published in the context of journalistic purposes?
- Does the publisher of the data have a legal power – or a legal obligation– to make the personal data publicly available?
- Does the data relate to a criminal offence?
These criteria were apparently established through review of the initial wave of RTBF requests following the announcement of the right by the Court of Justice of the European Union (CJEU) earlier this year. The EU says that no single criterion will likely be determinative and they should be seen as a “flexible working tool”:
The list of criteria should be seen as a flexible working tool which will help DPAs during their decision-making process. The criteria will be applied in accordance with the relevant national legislation.
In most cases, it appears that more than one criterion will need to be taken into account in order to reach a decision. In other words, no single criterion is, in itself, determinative.
Each criterion has to be applied in the light of the principles established by the CJEU and in particular in the light of the “the interest of the general public in having access to [the] information”.
The document asserts that successful RTBF requests should be applied globally and not just to specific country domain search results, as Google has been doing:
[D]e-listing decisions must be implemented in a way that guarantees the effective and complete protection of these rights and that EU law cannot be easily circumvented. In that sense, limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the judgment. In practice, this means that in any case de-listing should also be effective on all relevant domains, including .com
While this is logical, any such global de-listing sets up a conflict of laws between nations that recognize RTBF and those that do not.
Google had been notifying publishers that their links were being removed, causing some to republish those links for re-indexing. This has frustrated some European officials who see this practice — both by the search engine and the publisher — as “undermining” RTBF. Accordingly, the EU says that publishers should not be notified of the removal of links:
Search engine managers should not as a general practice inform the webmasters of the pages affected by de-listing of the fact that some webpages cannot be acceded from the search engine in response to specific queries. Such a communication has no legal basis under EU data protection law.
The EU also doesn’t want Google to publish notices to users that links have been removed for similar reasons:
It appears that some search engines have developed the practice of systematically informing the users of search engines of the fact that some results to their queries have been de-listed in response to requests of an individual. If such information would only be visible in search results where hyperlinks were actually de-listed, this would strongly undermine the purpose of the ruling. Such a practice can only be acceptable if the information is offered in such a way that users cannot in any case come to the conclusion that a specific individual has asked for the de-listing of results concerning him or her.
The guidelines reaffirm that the RTBF only concerns search engines as “data controllers” and do not apply to the original source of information. This offers some “cover” against claims of censorship: “the information isn’t being removed entirely just from search indexes.” In other words RTBF doesn’t censor information it just makes that information more difficult to discover.
The guidelines state that beyond “external search engines” (e.g., Google) they may be extended to undefined “intermediaries.” However they immediately go on to apparently contradict that notion: “the right to de-listing should not apply to search engines with a restricted field of action, particularly in the case of search tools of websites of newspapers.”
RTBF is a legitimate attempt to mitigate the potentially negative impact of the internet’s unforgiving memory on personal reputations and private lives. However as implemented RTBF is sloppy, partly incoherent and potentially even dangerous in cases where non-public-figure bad actors (e.g., corrupt private company executive) seek to “cover their tracks” by removing damaging or incriminating information. Imagine that unscrupulous executive later runs for public office — s/he might seek RTBF in anticipation of a future non-declared political run depriving the public of important background information.
To protect against such situations RTBF should set a high bar for removal rather than the relatively low bar that has been set here.
Finally the guidelines suggest that only EU citizens may be eligible in practice to make RTBF requests. You can review the entire document for yourself below.