"To protect personal data, support innovation, preserve individual liberties"

Contenu

[Press release WP29] European DPAs meet with search engines on the " right to be forgotten "

25 July 2014

Following the CJEU ruling in case C-131/12, EU data protection authorities (DPAs), united in the Article 29 Working Party, met yesterday with representatives of Google, Microsoft, and Yahoo!.

The objective of this meeting was to ask search engines about their practical implementation of the ruling, and to provide input to future WP29 guidelines. These guidelines will aim at ensuring a consistent handling of complaints by European DPAs facing requests lodged by individuals following delisting refusals by search engines. The guidelines should also frame the action of search engines ensuring the consistent and uniform implementation of the ruling.

The questions listed below were addressed during the meeting and the representatives of the three companies explained their views. They questions dealt mainly with the modalities of their delisting process (e.g. the scope of application of the ruling, the particular reasons for which there would be a preponderant interest of the general public in having access to the information, the notification of the delisting to third parties, and the justification for refusal). DPAs have also asked search engines to answer some questions in writing by the end of July.


Additional meetings may be organized in the future with other stakeholders.

The WP29 guidelines are expected in the autumn.

Questions asked during the meeting

  1. What information do you request from a data subject prior to considering a delisting request e.g. URLs, justification? Do you ask further motivation from the data subjects to substantiate their request?

  2. Do you filter out some requests based on the location, nationality, or place of residence of the data subject? If so, what is the legal basis for excluding such requests?

  3. Do you delist results displayed following a search:

    a.    Only on EU / EEA domains?
    b.    On all domains pages accessible from the EU / EEA or by EU/EEA residents?
    c.  On all domains on a global basis?

  4. What criteria do you use to balance your economic interest and/or the interest of the general public in having access to that information versus the right of the data subject to have search results delisted?

  5. What explanations / grounds do you provide to data subjects to justify a refusal to delist certain URLs?

  6. Do you notify website publishers of delisting? In that case, which legal basis do you have to notify website publishers?

    Additional questions to be answered in writing by July 31

  7. Do you provide proper information about the delisting process on an easily accessible webpage? Have you developed a help center explaining how to submit a delisting claim?

  8. Can data subjects request delisting only using the electronic form that you provide, or can other means be used?

  9. Can data subjects request delisting in their own language?

  10. If you filter out some requests based on the location, nationality, or place of residence, what kind of information must be provided by the data subject in order to prove his nationality and / or place of residence?

  11. Do you ask for a proof of identify or some other form of authentication and if yes, what kind? For what reason? What safeguards do you put in place to protect any personal data that you process for the purpose of processing delisting requests?

  12. Do you accept general claims for delisting (e.g. delist all search results linking to a news report)?

  13. When you decide to accept a delisting request, what information do you actually delist?  Do you ever permanently delist hyperlinks in response to a removal request, as opposed to delisting?

  14. Do you delist search results based only on the name of the data subject or also in combination of the name with another search term (i.e. Costeja and La Vanguardia)

  15. How do you treat removal requests with regard to hyperlinks to pages that do not (no longer) contain the name of the data subject? [Examples: hyperlink to anonymised ruling, hyperlink to page where name of data subject was removed]. Do you immediately recrawl the sites after a removal request?

  16. Does your company refuse requests when the data subject was the author of the information he/she posted himself/herself on the web? If so, what is the basis for refusing such requests?

  17. Do you have any automated process defining if a request is accepted or refused?

  18. What technical solution do you use to ensure that links to material to which a removal agreement applies are not shown in the search results?

  19. Which of your services do you consider delisting requests to be relevant to? 

  20. Do you notify users through the search results’ page information that some results have been removed according to EU law? In that case, which is the legal basis for this? What is the exact policy?  In particular, it appears that this notice is sometimes displayed even in the absence of removal requests by data subjects. Can you confirm or exclude that this is actually the case and, if so, could you elaborate on the applicable criteria?

  21. Have you considered sharing delisted search results with other search engines providers?

  22. What is the average time to process the requests?

  23. What statistics can you share at this stage (percentage of requests accepted / partially accepted / refused)? How many have you answered in total? How many per day?

  24. Will you create a database of all removal requests or removal agreements?

  25. What particular problems have you faced when implementing the Court’s ruling? Are there particular categories of requests that pose specific problems?

  26. Could you please provide us with contact details in case we need to exchange on a specific case?

 

 

 

Chargement en cours...