09/17/2019
Dell'Ariccia Sara
On June 20, 2019, the Italian Supervisory Authority, so called Garante, confirmed its orientation about the “right to be forgotten”, and made it clear how to deal with a case like this, when an individual asks to erase a URL processing her or his personal data.
In the case examined by the Garante, a professional asked Google to remove a link to online content about him, as president of a Cooperative. The content was accessible, not by entering his name as a search term, but by entering his position as president of a specific Cooperative. More specifically, the online content was an article concerning a criminal proceeding in which the professional had been involved many years ago. Therefore, the professional filed his case before the Italian Supervisory Authority complaining, among other facts, that his reputation had been damaged and that his criminal proceeding had been terminated with his acquittal, but nothing about this fact could be found on Google.
The Garante states that it did not find arguments in Google’s brief that demonstrate that the damage that the professional (data subject) suffered is outweighed by the public interests served by making the story available to the public. This is especially true considering also that in the case of the Italian professional the information was incomplete, inaccurate and not updated.
The Authority makes it clear, definitively, that the Operator of a search engine has to conduct a balancing exercise on a case-by-case basis between the right to protect personal data and private life and, on the other hand, the right of the public to access the information. But this balance is not so simple to attain in complex cases and implies the valuation of the arguments on both sides, when an individual asks the Operator to remove a link which processes his or her personal data.
And now if we just think about all the information we find on Google which relates to individuals’ personal data, we can say just: it’s hell…! How many individuals are going to ask Google to remove links related to them?
All engine operators, and not just them, have to do a lot of work in balancing the aforementioned rights when individuals ask them to remove a link, according to art. 21 of the REGULATION(EU) 2016/679 which states that: “The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her….The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject…”
In order to prevent fines issued by the Supervisory Authorities of Each Member State of the European Union, when individuals file a case before them, which are responsible for monitoring the application of the REGULATION (EU) 2016/679, now all Engine Operators and Media companies have to re-evaluate their strategy in handling requests for erasure by EU citizens, before they go to the competent Authority according to art. 55 and following of the said REGULATION. In other words, it means more time and more work to gather information on each individual’s cases and more experts who must have the skill to evaluate in advance how to balance the said rights.
The Italian Supervisory Authority added something more in its judgment about the definition of “personal data”, which according to art. 4 of the REGULATION(EU) 2016/679 means any information relating to an “identified or identifiable natural person”. The Garante has specified that anyone can be identified online indirectly, by factors referring to his or her professional or social identity, therefore the position of president of a specific Cooperative made identifiable the person involved in the case examined.
Certainly, starting from April 27, 2016 something has changed forever in Europe and worldwide, as well, with the REGULATION(EU) 2016/679, and if we read its Considerando n.1 and n. 4, among others, we do understand better the ratio of it.
The Considerando n. 1 of it says: “The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.”
The Considerando n. 4 says that “The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights”.
Starting from 2018 the judgments of the Italian Authority and the other European Authorities, have been applying the above principles and the above rules and have been making it clear how to get a balance among different rights, putting the mankind again in the centre of the case examination.
Rome, September 17, 2019
Avv. Sara Dell’Ariccia
With the assistance of David Holmes, a Temple University student and trainee to Vitale & Partners