The right to be forgotten
Premessa: tale scritto, a cura di Roberta Freda, fa parte del Legal Research Group di ELSA Napoli intitolato “Right to private life: challenges and perspectives” organizzato da ELSA Napoli e curato da Francesco De Santis (professore di diritto processuale civile e procedure di tutela internazionale dei diritti umani presso il Dipartimento di Giurisprudenza dell’Università di Napoli “Federico II”).
Summary: Introduction – 2. The foundations of the right to be forgotten – 3. The evolution of the right: from the traditional media to a new meaning for the Internet and the digital technologies – 4. The landmark 2014 ECJ’s ruling regarding the right to be forgotten – 5. The European Legislation: from the Directive 95/46/EC to the General Data Protection Regulation 2016/679 (GDPR) – 6. The limits of the right to be forgotten according to the 2019 ECJ’s rulings- 7. Concluding remarks.
-
Introduction
Over recent years, the right to be forgotten has gained a prominent role in the international juridical debate.
In order to fully understand the right, this essay is to firstly examine the earliest version of the right to be forgotten, then to analyse the issues arisen around it as a consequence of the digital revolution and the spread of the Internet, which have led to the formulation of the right to erasure and the right to request delisting.
Subsequently, the paper considers the current value of the right to be forgotten in Europe, at first deepening the leading case of European Court of Justice and then elucidating the criteria laid down under EU legislation, namely Directive 95/46/EC and GDPR 2016/679. The analysis, ultimately, focuses on the guidelines recently provided by the ECJ, which has underlined further aspects of the right to be forgotten, reminding the need to find a reasonable form of balance with the opposite – but fundamental as well – freedom of information.
-
The foundations of the right to be forgotten
Between the right to privacy[1] and the right to a personal identity[2] there is a “grey zone” where the right to be forgotten takes place. The right to be forgotten is a subjective juridical situation with the body of the personal identity and with the soul of privacy[3].
In the multitude of expressions that have been used in recent years in the legal literature – such as right to forget, right to erasure, right to delete, right to oblivion, right to social forgetfulness – the “right to be forgotten” prevailed.
For a deeper understanding of this right, it should be borne in mind that it arose well before the emergence of Internet and it has developed before and independently from the adoption of the EU legislation on personal data protection, which entered into force by 1996.
The concept of the right to be forgotten is not new from the perspective of the case law of the European Union Member States and of legal doctrine. The traditional concept of the “right to be forgotten” in the offline world was conceived as a derivation of the protection of personal identity, as a specific safeguard arising in the context of the right to information. In fact, the right of personality can be balanced with the conflicting freedom of information, which is guaranteed by all the democratic societies.
The right to be forgotten has originally been construed as the individual’s right to avoid being perpetually stigmatised as a consequence of past actions, thus as the right of any individual to see himself represented in a way that is not inconsistent with his current personal and social identity. The aim is clearly to prevent not the publication of information, but an unjustified new publication of a piece of information which had already been lawfully disseminated in the past and, at a certain moment, lacked a public interest to further circulate it. It is strictly conditioned by the elapsing of time and concerns information made publicly available once again.
Within this initial perspective, the term “right to be forgotten” refers to the individual’s right to protect his own private sphere from the publication and dissemination of facts or news, when there is no public interest for the piece of news to lawfully circulate again, after having been lawfully disseminated in the past.
In the traditional offline environment, the passing of time makes the public interest to know a piece of news progressively disappearing. This explains the importance of the time factor within the original meaning of the right to be forgotten, as time lapse becomes a crucial parameter of it.
In other words, it is to be established whether the person or the information legally published in the past could be the object of a new diffusion or, otherwise, the passing of time renders the latter unlawful[4].
The right to be forgotten represents an aspect of privacy, but with substantial differences, because it concerns the interest not to evocate again a past event already known by the public.
In that regard, it has been said that the dimension of time – past or present – distinguishes privacy from the oblivion, despite being both rights relating to personality[5].
Along with the time factor, the other distinguishing feature of the right to be forgotten concerns the role played by the individual in the public arena[6]. The individual’s right, in fact, should not overrule the collective interest intended to get information, if it appears that the interference in his fundamental rights is justified.
-
The evolution of the right: from the traditional media to a new meaning for the Internet and the digital technologies
The right to be forgotten, as well as the right to privacy itself, has been structurally influenced by the pervasive diffusion of digital technologies and Internet, the most significant expression of this evolution.
The question is if the citizens still value privacy and integrity, while simultaneously participating in an increasingly transparent society where everybody shares personal information that remain visible and available almost without restriction.
The matter concerns specifically Article 8 of the European Convention of Human Rights (ECHR)[7], that guarantees the right to respect for private life, family life, correspondence and home, covering a broad range of personal interests.
The subject of privacy faces significant issues in a technological developed reality. The technological advancements have obviously brought positive effects for the individuals and their daily life, but have also implied risks.
The major problem is to compare the value of the right in exam and the freedom of information, in the guise of the public interest to be informed.
As said, the fundamental right to privacy is based upon the non-interference principle enshrined in Article 8 of the ECHR. In addition, although the protection of privacy, family life and private communications is also set forth in Article 7 of the European Charter of Fundamental Rights, its subsequent Article 8 secures the protection and control of personal data. In such a way, the Charter explains the centrality of data protection.
From this perspective, nowadays a substantial aspect of privacy consists of processing of personal data of individuals, who have an urge to be in control of their personal information[8].
Furthermore, in the today’s so called “technological society”, new forms of human rights have emerged. That is the case of the right to information, that has a twofold aspect: a right to give information and a right to receive information. The dichotomy may be evident as soon as one observes how the human communication has evolved, giving rise to the fourth sector of economy, the information sector.
As a consequence, the possibility to trade the information led to considerable repercussions on the right to privacy, since its sheltering walls have been digitally dissolved[9].
There is, in fact, a constant relationship between the technological change of information and the change of the idea of privacy, a variable notion depending on the changing times.
For this reason, the traditional meaning of privacy, as a right to be left alone, is no longer suitable in order to protect all of the new emerging interests. Nowadays, the individual needs to defend himself against web actors, which aim at transacting users’ data in exchange for services and features seen as essential.
The idea of privacy, therefore, cannot be confined solely to the ancient right to be left alone, but needs to be identified with the individuals’ power to exercise control over their personal data.
This evolution led the German Federal Constitutional Court at first to talk about a right to self-determination, when it comes to personal data.
The reasoning of the German Court drew the attention of the EU legislator, who intervened with the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Two other directives were enacted followed the one of 1995[10].
Later, on 25 January 2012, the European Commission announced it would attempt to unify data protection law across the EU via the proposed legislation called the “General Data Protection Regulation” (GDPR.) The EC’s objectives pursued with this new legislation were based on the harmonisation of 27 national data protection regulations into one unified regulation.
The legislative procedure came to an end with the final approval on 14 April 2016.
The European Commission fixed the deadline of 25 May 2018 to complete the harmonization, giving businesses time to prepare for compliance, review data protection activities, update privacy policies and review marketing plans. European institution strongly supported the new legislation, that they claimed to be responsive in analysing the web reality. Internet, in fact, offers the possibility to disseminate and acquire information in a potentially limitless way, acting as a means of manifestation of thought and as a source of information at the same time. This dual role leads to some issues in the matter of privacy protection.
As stated above, as an effect of the diffusion of Internet, the right to privacy has assumed a new shape, expressed as the individual’s power to exercise control over his personal data.
In this context, the new vision of the right to privacy has led to a renewed emphasis on the right to personal identity, that concerns all the information about an individual and through which he appears in the public eye. The evolutive interpretation of the idea of privacy has led to construe its meaning as the right of a person to be recognized by the society as whole in a genuine and authentic way.
Nowadays, the matter concerns the right to be represented in all respects, because of the prevalence of the individual’s right to his or her own personal identity.
Whereas previously the personal identity was intended in its static dimension – a mere representation of an inventory of data, already defined in the individual components – it has been noted that the evolution of society has led to a dynamic vision of the right, construed as a process constantly susceptible to change.
For this reason, the expression “digital identity” has gained more and more space and includes the safeguards granted to Internet users, with a focus on ensuring respect for privacy y and effective measures to protect the right to be forgotten.
-
The landmark 2014 ECJ’s ruling regarding the right to be forgotten
In the ruling of November 13th, 2014, the EU Court of Justice settled a dispute between the Google Spain and Google Inc. v. Agencia Española de Protección de Datos and Mario Costeja González (case C-131/12)[11]. This is a land-mark judgement in the area of protection of the right to be forgotten, with particular regard to the key role played by search engines.
The legal dispute stemmed from the request of a Spanish lawyer, who tried to obtain – at first, from the website manager and then from Google – the removal of some personal information from Internet. The information were contained in an old newspaper article and were allegedly considered outdated.
In greater details, by entering the name of the claimant in the search bar of the engine Google Search, a list of results appeared, each of them containing a link to two pages of the newspaper La Vanguardia, going back fifteen years behind.
Indeed, in 1998, the Spanish newspaper published two announcements concerning the forced sale of properties arising from social security debts. Those announcements were published by order of the Spanish Ministry of Labour and Social Affairs, for the exclusive purpose of drawing the attention of the potential bidders. Later, a web version was made available from the original printed edition.
One of the properties on sale described in that announcements belonged to Mario Costeja González, who was thereby mentioned by name. As introduced above, in November 2009, Costeja contacted La Vanguardia and claimed to remove that information relating to his past legal proceedings, by declaring that they were concluded and no longer relevant. La Vanguardia, replied that, since the old publication in paper format existed by order of the Ministry of Labour and Social Affairs of Spain, erasing it was not an option.
Several months later, Mario Costeja González turned to Google Spain, asking the removal of the links to the announcements that displayed his name. Google Spain forwarded the request to Google Inc. – located in California, United States – deeming the headquarters was the only one competent to decide on the request.
The Spanish lawyer subsequently lodged a complaint with the Agencia Española de Protección de Datos (the Spanish Data Protection Agency, AEPD), requesting it to order the newspaper to remove the personal data inserted in the article, and Google, either Google Spain or Google Inc., to remove the links to the data in question.
On July 30, 2010, the Director of AEPD rejected the complaint against the newspaper but approved the one against Google, intended in both its domestic branch and global headquarters, considering it competent for deleting the complained links.
On the one side, Costeja González complained the persistent availability to the general public of an information that was detrimental to his personal identity and his professional activity. On the other side, Google worried about an unfair compression of the freedom of expression, intended to be a fundamental value.
At this point, Google Spain and Google Inc. subsequently brought two actions against the decision before the Audiencia Nacional (the National High Court of Spain), the competent authority to judge on the appeal against the Agencia Española de Protección de Datos ruling.
In broad terms, the Company argued that Google did not fall within the scope of the EU Directive 95/46/EC (Data Protection Directive), presuming that there was no processing of personal data and that neither Google Inc. nor Google Spain could be regarded as a data controller. The Company’s submission claimed that, in view of this clarification, no further action was considered necessary, since the data subject – Costeja González – did not have the right to the erasure of lawfully published material.
The Audiencia Nacional suspended its proceedings and referred to the European Court of Justice for a preliminary ruling on the interpretation of the Data Protection Directive.
The questions concerned different aspects, such as the territorial scope of the Directive, the obligations and responsibilities of the Internet search engine service providers under the Directive, especially in the event that they could be regarded as a data controller. In addition to that, the Court was also asked to rule on the so-called right to be forgotten within the framework of the Directive.
Pending the proceeding, the governments of Austria, Greece, Italy, Spain and Poland and the European Commission gave their opinion. Later then, in June 2013, Advocate General Niilo Jääskinen gave his opinion.
The Advocate General[12] preliminary clarified that the 1995 Data Protection Directive predates the Google era. The AG then held that Google could not be regarded as a data controller: Google’s search activities involve the processing of personal data, but Google does not thereby become a data controller for the content of the material when the processing is carried out in a haphazard, indiscriminate and random manner. In the AG’s view, the sense of the Directive was that “the controller is aware of the existence of a certain defined category of information amounting to personal data and the controller processes this data with some intention which relates to their processing as personal data”[13].
The Advocate General then focused on the last question relating to a right to be forgotten and assumed that the rights of freedom of information and expression took precedence over any other right[14].
It should be recall that the Advocate General’s Opinion is not binding for the Court of Justice. The Advocates General to the Court simply propose a legal solution to the single cases, in complete independence.
In the present case, the Court of Justice of the European Union reached different conclusions than those supported by the AG. First of all, the Court ruled that an Internet search engine operator is responsible for the processing of personal data that it carries out where these data appear on web pages published by third parties. For this reason, the activities of the search engine must be considered as a processing of personal data[15], pursuant to Article 2 b) and d) of Directive 95/46/CE and, consequently, its manager has to be regarded as the data controller[16], since it determines both the purposes and the means of processing[17].
The reasoning of the Court[18] also considered that the search engine operates independently[19] from the publishers of websites, the real sources of personal data. According to the judges, a personal data processing occurs in any case, even if it is distinct from that of the single website.
On the basis of this assessment, the Court drew up the consequence that, even in cases where the information remains on the single website, the link to that website could be eliminated from the list of results generated by entering the data subject’s name in the search field.
In this respect, it should be noted that this last remark describes precisely the current meaning of “the right to be forgotten” in its online dimension: the right to obtain the removal from the list of results stemming from a research made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, including in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when the publication in those pages is lawful[20].
The Court, however, clarified the conditions that must be necessarily satisfied to come to such conclusion. First and foremost, the judges focused on the principle of establishment[21], stating that, since Google Spain is a subsidiary of Google Inc. on Spanish territory, it represents an ‘establishment’ within the meaning of the Directive. The activities of Google Inc. are partly carried out by the parent company, located in California – a third Country – where the web researches are indexed and stored, and partly by the subsidiary companies located in several Member States[22]. Therefore, Google Spain represents a branch of Google Inc. located in the Spanish territory and thus an ‘establishment’[23] in the context of which the data processing is operated[24].
That said, the Court ruled that, in the present case, Article 7(f) of the Directive 95/46/CE, relating to legitimacy of processing, requires a balancing of the opposing rights and interests of the data subject and the data controller. In this interpretative process, a prominent role is played by the Charter of Fundamental Rights of the European Union and, specifically, by Article 7 (respect for private and family life) and Article 8 (protection of personal data).
In light of these provisions, the Court underlined the principle that individual’s fundamental rights override, as a rule, not only the economic interest of the operator of the search engine, but also the interest of the general public in having access to that information upon a search relating to the data subject’s name.
Exceptions to this rule have to be provided when the interference with the data subject’s fundamental rights is justified by the preponderant interest of the public. In this case, the right to erasure would not apply, overtaken by the right to information.
This situation occurs, for example, in cases where the data subject plays a role in public life. In such contexts, – the interference with one’s fundamental rights is justified by the preponderant interest of the general public in having access to the information in question on account of its inclusion in the list of results.
As regards the practical implications of the judgement, the data subject may seek the de-listing directly to the search engine, that should examine each request to decide upon its legitimacy.
If the request is considered inadmissible, the individual has the right to ask the administrative authorities or the judicial ones.
Conclusively, the Court of Justice, in the Google Spain vs. AEPD and Mario Costeja Gonzàles judgment, assigned a key role to the Authorities responsible for the data protection, at both domestic[25] and EU levels[26].
-
The European Legislation: from the Directive 95/46/EC to the General Data Protection Regulation 2016/679 (GDPR)
The Google Spain case led the European legislator to completely rethink the privacy and data protection legislation.
The judgment highlighted the constant tension between the right to be forgotten and data protection on the one hand, and to freedom of expression and the right to access to information on the other.
The right to erasure is not a new concept in EU data protection law. Under the 1995 Data Protection Directive, individuals had the right to ask data controllers to erase or block their personal data where its processing did not comply with the provisions of the Directive, in case of incomplete or inaccurate data.
In addition, the data protection law required data to be accurate, up to date, kept for no longer than necessary for the purpose for which it was collected, processed only in relation to a specified lawful purpose, and not excessive in relation to the related purpose. Even if there was not a clear definition of the right to be forgotten, the 1995 Directive allowed the individuals to have their personal data erased when reasonably.
From another perspective, however, the deletion of such data could inevitably lead to conflicts with the freedom of expression and the right to access information. In order to protect these rights as well, the 1995 Directive provided for an exemption from some obligations in the case of personal data processed for one of the special purposes of journalism, art, and literature.
In those cases, the Directive reasoning was based on the data controller’s reasonable belief that, having regard in particular to the special importance of freedom of expression, publication would be in the public interest.
As the information and communication technologies has evolved, it has become increasingly clear that the 1995 Data Protection Directive was not able to deal with a world in which information about individuals can be made publicly available on a global basis, potentially in perpetuity, possibly from another jurisdiction and effortlessly accessible. This idea became then a certainty with the 2014 Google Spain judgment.
The Court of Justice ruled that the right to be forgotten online needed to be applied to outdated and irrelevant data in search results, unless there was a public interest in the data remaining available and even where the search results linked to lawfully published content.
As the consequences of Google Spain played out, the European Commission worked towards a new General Data Protection Regulation (GDPR), approved in 2016 and applied across the European Union from 25 May 2018. The Court decision in Google Spain was definitely in line with the idea of the new regime adopted by the European legislator. The GDPR, in fact, has modernized the data protection law and introduced a consolidated right to be forgotten, but it also retained the principles requiring that personal data need to be accurate and up to date.
Following the clarification of its territorial scope (Article 3), Article 5 of the GDPR focuses on the principles relating to keeping and processing of personal data.
Furthermore, the most innovative aspect is Article 17, entitled “right to erasure”.
Under this provision, data subjects have the right to obtain erasure of their personal data without delay from the data controller who processed that data. Specifically, the obligation to erase occurs when the data is no longer necessary for the purpose for which it was collected or processed, or the data subject withdraws consent on which the processing is based.
As mentioned, the new legislation also provides for exceptions to the right to be forgotten. The derogations concern those cases where exercising the right of freedom of expression and information is prominent. These cases involve reasons of public interest in the area of public health, or archiving purposes in the public interest, scientific or historical research or statistical purposes.
Following the request under Article 17, Article 19 establishes that a controller who carries out erasure of personal data must communicate the erasure to each recipient of that data, unless impossible or involves disproportionate effort. The controller is required to provide the data subject with a list of these recipients if requested by the data subject.
Lastly, Article 85 GDPR deals with the balance between data processing and freedom of expression and information. Member States are required to “reconcile the right to the protection of personal data pursuant to the Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression”.
Member States must provide for exemptions and derogations from many of the requirements of the GDPR, including the right to erasure.
-
The limits of the right to be forgotten according to the 2019 ECJ’s rulings
The previous sections analysed the nature of the right to be forgotten and its remarkable evolution, which was previously obliged by technological advances and then properly enforced by the national and European legislations[27]. Therefore, it is opportune to comprehend the current meaning of the right to be forgotten.
The ruling of the European Court of Justice in the case C – 507/17, Google LLC – successor in law to Google Inc.- v. Commission nationale de l’informatique et des libertés (CNIL)[28] offers an interesting view, since the Court considered both the EU Data Protection Directive of 1995 and the EU GDPR of 2016, and it sets an important precedent by limiting the territorial scope of the right to erasure to the EU territory.
The case arose in 2016, after the CNIL (French Data Protection Authority)[29] fined Google LLC because of the company’s refusal, when granting a de-referencing request, to apply it to all its search engine’s domain name extensions[30]. It regarded the results based on the names of four individuals and the requests concerned a satirical photomontage of a female politician, an article which deemed someone as a public relations officer of the Church of Scientology, the placing under investigation of a male politician, and an individual’s conviction for sexual assaults against minors.
The CNIL served formal notice on Google that, when granting a request from a natural person for links to web pages to be removed from the list of results displayed following a search conducted on the basis of that person’s name, it must apply that removal to all its search engine’s domain name extensions.
Google contested the decision of the French administration and sought annulment of that fine and lodged a complaint with the Conseil d’État (the French Council of State).
Google refused to comply with the notice from the CNIL, confining itself to removing the links in question from only the results displayed following searches conducted from the domain names corresponding to the versions of its search engine in the Member States, refusing to de-list sensitive information from search results globally upon request.
Google maintained that the penalty at issue was based on a misinterpretation of the provisions of the Law of 6 January 1978, which transpose Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46, on the basis of which the Court, in its above-mentioned judgment of 13 May 2014, recognised a ‘right to de-referencing’. Google argued that this right does not necessarily require that the links at issue are to be removed from all its search engine’s domain names, without limiting it to the EU States. In addition, according to Google, the CNIL disregarded the principles of courtesy and non-interference, recognised by public international law, and disproportionately infringed the freedoms of expression, information, communication and the press which are guaranteed, in particular, by the Charter of Fundamental Rights of the EU.
The Conseil d’État decided to stay the proceedings and to refer to the Court of Justice for a preliminary ruling, asking to clarify the extension of the territorial scope[31] which must be conferred on a de-referencing in such a situation.
In the 2019 judgement, the Court preliminary clarified that the objective of the overall EU legislation on data protection is to guarantee a high level of protection of personal data throughout the European Union.
The ECJ then emphasised that the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. Furthermore, the balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world.
In particular, the Court did not see any reason to deem the EU legislation on data protection as aimed at going beyond the territory of the Member States. In other words, the EU legislator did not intend to impose to a search engine a de-referencing obligation which also concerns the national versions of its search engine that do not correspond to any EU Member States -i.e,, one that operates globally, outside the EU territory.
Therefore, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, to satisfy that request on all the versions of its search engine[32].
In conclusion, the Court cautions the search engine operator to use, in such situations, measures which, while meeting the legal requirements, effectively prevent or, either way, seriously discourage the users conducting a search from one of the Member States[33] on the basis of a data subject’s name from gaining access, via the list of results displayed following that search, to the links still existing on the global domain concerning the subject of that de-listing request. The measures in question should therefore be sufficiently effective to ensure the effective protection of the data subject’s fundamental rights.[34]
Google[35] positively welcomed the judgement of the Court, pointing out its commitment[36] in the struggle for human rights and freedom, especially for maintaining a balance between the individual’s right to privacy and the public freedom of information.
-
Concluding remarks
The very recent decision of the ECJ demonstrates how the principles and the rights guaranteed to be protected by the Charter of Fundamental Rights of the EU have implications that go beyond EU borders and are projected on a worldwide dimension. This process, the first stage of which is represented by the historical sentence of May 2014, originated with Google’s obligation to de-list upon a data subject’s request. Subsequently, it should be recalled in this respect that the GDPR made the right to be forgotten – in its current meaning – a practical reality in the EU. However, the ECJ also underlined the necessity to imagine a unique global solution in the matter of right to privacy and respect for personal data, with a particular focus on the right to be forgotten. In this light, thus, the application of the EU model would be desirable, being an obvious example of a true balance between freedom of information and personal dignity.
***
[1] The right to privacy is one of the most important human rights issues of the modern age. According to the famous expression coined by Louis Brandeis and Samuel Warren in 1890, it can be defined as “the right to be let alone”, ensuring protection against the unwanted disclosure of private facts and recognising the respect for private life (L. BRANDEIS, S. WARREN, The Right to Privacy, in Harvard Law Review, 1890). Since then, the right to privacy has become widely known and has permeated every aspect of daily lives. Nowadays, the right to privacy has been acknowledged at a global level and is mentioned in several international legal instruments as well as in EU law.
[2] The right to a personal identity relates to the body of information concerning an individual, through which he himself appears in the eye of the community. It is an integral part of his personality that defines him publicly. According to a modern understanding of the right, the personal identity also refers to the right everybody has to be portrayed in terms that reflect the image of himself, free of inaccuracies or distortions. See G. RESTA, Identità personale e identità digitale, in Diritto dell’informazione e dell’informatica, 2007 and M. DURANTE, U. PAGALLO, Diritto, memoria ed oblio, in F. PIZZETTI (edited by), Il caso del diritto all’oblio, Torino, 2013.
[3] The expression is found in M. MEZZANOTTE, Il diritto all’oblio. Contributo allo studio della privacy storica, Napoli, 2009, p. 81.
[4] It is useful to remind the parameters drawn by the Italian Supreme Court for balancing the conflicting rights to privacy and personal identity with the freedom of information: 1) the time lapse since the first publication and the degree of public interest to know the information, the social value of the news; 2) the modalities utilized for the publication of individual’s information, the truthfulness of the information and the formal fairness of the exposition; 3) the person’s role in the fact.
[5] A. LA TORRE, Relazione di sintesi, in E. GABRIELLI (edited by), Il diritto all’oblio. Atti del Convegno di Studi del 17 maggio 1997, Napoli, 1999, p. 109.
[6] The American case law paid particular attention to that issue, with a detailed analysis of the public figure, as opposed to the private person, since the famous judgements New York Times v. Sullivan (1964) and Gertz v. Robert Welch Inc. (1974).
[7] Guide on Article 8 of the European Convention on Human Rights, updated on 31 August 2019- https://www.echr.coe.int/Documents/Guide_Art_8_ENG.pdf
[8] There is a significant evolution of Louis Brandeis’ fear, who was the first legal scholar who elaborated on the right to privacy, together with Samuel Warren. Brandeis said: “the evil incident to invasion of the privacy of the telephone is far greater than that involved in tampering with the mails. Whenever a telephone line is tapped, the privacy of the persons at both ends of the line is invaded and all the conversations between them upon any subject, and although proper, confidential, privileged, may be overheard”. See “Olmstead v. United States”, 1928. See also L. BRANDEIS, S. WARREN, The Right to Privacy, in Harvard Law Review, 1890.
[9] D. LYON, The electronic eye: the rise of surveillance society, University of Minnesota Press, 1994, p. 180.
[10] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) and Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.
[11] Google Spain and Google Inc. vs. AEPD and Mario Costeja Gonzàles
[12] Court of Justice of the European Union, PRESS RELEASE No 77/13, 25 June 2013 – Advocate General’s Opinion in Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González; http://curia.europa.eu/jcms/upload/docs/application/pdf/2013-06/cp130077en.pdf
[13] “Opinion of Advocate General Niilo Jääskinen delivered on 25 June 2013 – Case C‑131/12”. CJEU.
[14] The Advocate General Niilo Jääskinen warned the Court that a different solution would have led to an “automatic withdrawal of links to any objected contents or to an unmanageable number of requests handled by the most popular and important Internet search engine service providers.”
[15] The judges reminded the Bodil Lindqvist v Åklagarkammaren i Jönköping case (2003), in which the Court ruled that “Referring to various persons on an internet page and identifying them either by name or by other means constitutes processing of personal data by automatic means within the meaning of Community law”.
[16] According to the judgement, “controller” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
[17] In paragraph 41 of the judgement, the Court rules: “Article 2(b) and (d) of Directive 95/46 are to be interpreted as meaning that, first, the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as ‘processing of personal data’ within the meaning of Article 2(b) when that information contains personal data and, second, the operator of the search engine must be regarded as the ‘controller’ in respect of that processing, within the meaning of Article 2(d)”.
[18] Previously, the Article 29 Data Protection Working Party headed a panel examining the same topic, resulted in Opinion 1/2008 on data protection issues related to search engines, adopted on 4 April 2008 – https://ec.europa.eu/justice/article-29/documentation/opinionrecommendation/files/2008/wp148_en.pdf
[19] Even if that option for publishers of websites were to mean that they determine the means of that processing jointly with that operator, this finding would not exclude any of the latter’s responsibility as Article 2(d) of Directive 95/46 expressly provides that that determination may be made ‘alone or jointly with others’.
[20] According to Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46.
[21] The freedom of establishment and the freedom to provide services guarantee mobility of businesses and professionals within the EU, according to Articles 26 (internal market), 49 to 55 (establishment) and 56 to 62 (services) of the Treaty on the Functioning of the European Union (TFEU). Self-employed persons and professionals or legal persons within the meaning of Article 54 TFEU who are legally operating in one Member State may: carry out an economic activity in a stable and continuous way in another Member State (freedom of establishment: Article 49 TFEU); or offer and provide their services in other Member States on a temporary basis while remaining in their country of origin (freedom to provide services: Article 56 TFEU). This implies eliminating discrimination on the grounds of nationality and, if these freedoms are to be used effectively, the adoption of measures to make it easier to exercise them, including the harmonisation of national access rules or their mutual recognition. For further details, M. MACIEJEWSKI, C. RATCLIFF, Fact Sheets of the European Union, European Parliament, April 2019, available on https://www.europarl.europa.eu .
[22] The Google Search service operates globally through the Internet domain “.com”. Beyond that, every subsidiary company located in the Member States has a different domain. On this matter, G. CAGGIANO, L’interpretazione del criterio di collegamento del “contesto delle attività di stabilimento” dei responsabili del trattamento dei dati personali, in G. RESTA, V. ZENO-ZENCOVICH, Il diritto all’oblio su Internet dopo la sentenza Google Spain, Roma, 2015, p. 44.
[23] The judges mentioned previous guidelines and affirmed that: “in the light of the objective of Directive 95/46 of ensuring effective and complete protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data, those words cannot be interpreted restrictively” (para. 53).
[24] The opinion is also shared by the Article 29 Data Protection Working Party in the 23 May 2014 Press Release (see Note 26).
[25] See e.g. the dispute between Google Inc. and CNIL, the French Data Protection Authority, dealt with in Section 6 of the present paper.
[26] In the press release dated May 23 of the same year, the European data protection authorities, which met at the Article 29 Working Party (WP29) welcome the European Court of Justice (ECJ) ruling of 13 May 2014 which sets a milestone for EU data protection in respect of search engines and, more generally, in the online world.
[27] In the context of Regulation 2016/679, the right of a data subject to de-referencing is based on Article 17.
[28] It is worth mentioning the recent dispute between the same parties. On December 2020, in fact, the CNIL fined Google LLC (the parent company of Google’s French outfit Google France Sarl) for €60 million and Google Ireland Ltd (Google’s headquarters) for €40 million.
Both companies were deemed jointly responsible for an incorrect use of cookies and, specifically, for having placed advertising cookies on the computers of users of the search engine Google.fr, without obtaining prior consent and without providing adequate information.
For the full version of the decision: Délibération SAN-2020-012 du 7 décembre 2020, avaliable at https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042635706.
[29] It has been observed that the French DPA (and the Italian DPA as well) drew inspiration in particular from Google Spain’s emphasis on ensuring the “effective and complete protection” of data subject rights and held that Google must ensure that deindexing was effective across all its global services. See D. ERDOS, Google v CNIL – The EU Court of Justice Seeks a Via Media on Global Internet Publication and European Data Protection, University of Cambridge, Legal Studies Research Paper Series, n. 15/2020, April 2020.
[30] As clarified above, the Google Search service operates globally through the Internet domain “.com”. Beyond that, every subsidiary company located in the Member States has a different domain.
[31] Both Article 4(1)(a) of Directive 95/46 and Article 3(1) of Regulation 2016/679 permit data subjects to assert their right to de-referencing against a search engine operator who has one or more establishments in the territory of the European Union in the context of activities involving the processing of personal data concerning those data subjects, regardless of whether that processing takes place in the Union or not.
[32] About the importance of that judgments for similar cases, see J. GLOBOCNIK, The Right to Be Forgotten is Taking Shape: CJEU Judgments in GC and Others (C-136/17) and Google v CNIL (C-507/17), GRUR International, Volume 69, Issue 4, April 2020, Pages 380–388, available on https://doi.org/10.1093/grurint/ikaa002.
[33] In this particular regard, a debate arose on the danger of empowering the national DPAs and courts to decide whether and when to pronounce a global de-referencing, since this somehow appears to contradict the claim to harmonize the European legal framework for data protection O. PROUST, European Court Limits the Right to De-referencing to the EU Territory, Privacy Law Blog, October 2019, at .
[34] For a critical opinion about the judgement, see O.J. GSTREIN, The Judgment That Will Be Forgotten: How the ECJ Missed an Opportunity in Google vs CNIL (C-507/17), VerfBlog, 2019/9/25, available on https://verfassungsblog.de/the-judgment-that-will-be-forgotten.
[35] Google deemed it “a victory for global freedom of expression”. The US firm was also supported by Microsoft, Wikipedia’s owner the Wikimedia Foundation, and the non-profit Reporters Committee for Freedom of the Press.
[36] Google also claimed to have handled more than 850thousand requests in Europe and to have opted for de-listing in over 40% of cases.
Immagine presa da: https://www.epdlp.com/