On December 2nd, 2019, the European Data Protection Board (EDPB) published their guidelines (the n. 5/2019) regarding the delisting requests to the search engine providers that the General Data Protection Regulation (GDPR) allows to the data subjects.
To understand what a “delisting” request is, it’s necessary to establish  what “listing” is first.
“Listing” refers to the ordinary and automatic activity that search engine providers do via a specific kind of softwares (crawlers) that enables them to examine the content of existing internet sites, linking them to keywords that appear on each web page examined.
The search engine is therefore capable of showing  these web pages too, when internet users search something on the web that contains any of these aforementioned  keywords.
“Delisting,” thus, refers to the  contrary situation, in which  a certain web page is deleted from a list of web pages linked by a search engine to certain keywords, in a way that makes it impossible to find that page among the search results that correspond to those same keywords.
If on a newspaper web page, for example, there were  an article about an inquiry on politician being charged for corruption, the search engine (Google, Yahoo, Virgilio, etc.) would link the politician’s name to this article  with the news about his charge, via keywords like “inquiry” or “corruption.”
The EDPB guidelines, state that it would now be possible for the hypothetical politician to make a delisting request that will absolutely be honored.
This was the reasoning the CJEU followed:
if goal  pursued by the search engine providers, via their listing activity, is to make it easy and completely possible for users to find content on the web, the fundamental rights and freedoms of the data subjects will always prevail.
It could be argued  that the data subject’s right to privacy must  always be balanced with the freedom of the press and information right even though this may lead to harm made to the politician as a result of the publication of the news.
The EDPB, however, recommends to look objectively and in a detached way to the interests at stake (such as those of the hypothetical politician).
the interests of the newspaper must be clearly distinguished from  those of the search engine.
In fact, the interest that deserves a particular protection is only that of the newspaper, because that of the search engine provider isn’t directly connected, as the first instead is, to the right to report and to be informed.
It’s also possible to object that if the search engine will delete the name of the politician from the list of keyword linked to newspaper’s web page the news, even though will be actually “online,” they won’t be found  by anyone because no one would come across  it via an internet  search.
That’s partially true, but the newspaper web page could be found via always through many other keywords, like, name of the newspaper, the politician’s administration or the name of the place where the corruption took place.
The more interesting aspect underlined by the EDPB, is that the delisting request can rely only just the right to object to the data processing, as stated by the article 21 GDPR, against whom controllers can only contrast the existence of “overriding legitimate grounds” to carry on the data processing.
A search engine, clearly, hardly will demonstrate those “overriding legitimate grounds” that force it to continue linking the personal data of the data subject to certain web contents.
The European Data Protection Board leaves room for the hypothesis that the law of the Member States may establish binding obligations for search engine operators, but until this happens, it appears that every single delisting request has to be accepted, as it is based on solely  the right to object.

Francesco Cucci, lawyer


P.IVA 02203350406

Cod. Fisc. CCCFNC66P18H294J