On December 2nd, 2019, the European Data Protection Board (EDPB) published their guidelines (the n. 5/2019) regarding the delisting requests to the search engine providers that the General Data Protection Regulation (GDPR) allows to the data subjects.
To understand what a “delisting” request is, it’s necessary to establish what “listing” is first.
“Listing” refers to the ordinary and automatic activity that search engine providers do via a specific kind of softwares (crawlers) that enables them to examine the content of existing internet sites, linking them to keywords that appear on each web page examined.
The search engine is therefore capable of showing these web pages too, when internet users search something on the web that contains any of these aforementioned keywords.
“Delisting,” thus, refers to the contrary situation, in which a certain web page is deleted from a list of web pages linked by a search engine to certain keywords, in a way that makes it impossible to find that page among the search results that correspond to those same keywords.
If on a newspaper web page, for example, there were an article about an inquiry on politician being charged for corruption, the search engine (Google, Yahoo, Virgilio, etc.) would link the politician’s name to this article with the news about his charge, via keywords like “inquiry” or “corruption.”
The EDPB guidelines, state that it would now be possible for the hypothetical politician to make a delisting request that will absolutely be honored.
This was the reasoning the CJEU followed:
if goal pursued by the search engine providers, via their listing activity, is to make it easy and completely possible for users to find content on the web, the fundamental rights and freedoms of the data subjects will always prevail.
It could be argued that the data subject’s right to privacy must always be balanced with the freedom of the press and information right even though this may lead to harm made to the politician as a result of the publication of the news.
The EDPB, however, recommends to look objectively and in a detached way to the interests at stake (such as those of the hypothetical politician).
the interests of the newspaper must be clearly distinguished from those of the search engine.
In fact, the interest that deserves a particular protection is only that of the newspaper, because that of the search engine provider isn’t directly connected, as the first instead is, to the right to report and to be informed.
It’s also possible to object that if the search engine will delete the name of the politician from the list of keyword linked to newspaper’s web page the news, even though will be actually “online,” they won’t be found by anyone because no one would come across it via an internet search.
That’s partially true, but the newspaper web page could be found via always through many other keywords, like, name of the newspaper, the politician’s administration or the name of the place where the corruption took place.
The more interesting aspect underlined by the EDPB, is that the delisting request can rely only just the right to object to the data processing, as stated by the article 21 GDPR, against whom controllers can only contrast the existence of “overriding legitimate grounds” to carry on the data processing.
A search engine, clearly, hardly will demonstrate those “overriding legitimate grounds” that force it to continue linking the personal data of the data subject to certain web contents.
The European Data Protection Board leaves room for the hypothesis that the law of the Member States may establish binding obligations for search engine operators, but until this happens, it appears that every single delisting request has to be accepted, as it is based on solely the right to object.
Francesco Cucci, lawyer