The right to be forgotten: GDPR aspects and new EDPB Guidelines   

А judgment of the Court of Justice of the European Union from 2014, known as the  Costeja case, marked the beginning of the judicial life of the so called right to be forgotten - the right of a data subject to request from search engines to erase links, shown in search results of the subject’s name. Afterwards, the right to be forgotten became a legislative text with the adoption of the General Data Protection Regulation ( GDPR), which resulted in an increase of the requests to search engines providers for the deletion of links.

The lack of fixed and sector-specific criteria for approving or rejecting requests motivated the  European Data Protection Board (EDPB) to adopt Guidelines on the criteria of the Right to be Forgotten in the search engines cases under the GDPR. EDPB’s document provides clarity on different legal aspects of the right to be forgotten, as well as on the balancing test and other criteria, which should be taken into account.

Although the Guidelines cover the applicability of each specific ground for exercising the right to be forgotten, we will focus on the most commonly used legal basis.

In practice, we often encounter the application of the right to request delisting of search results when the data, contained in the link, is no longer necessary in relation to the search engine provider’s processing. One of the most common cases is when a data subject’s contact details are contained in a corporate website, but said person is no longer part of that company. This scenario is particularly relevant in the context of employment disruptions caused by the COVID-19 pandemic, and may often result in requests for exercising the right to be forgotten.

As per Article 17, paragraph 1, “c” of the GDPR, a data subject can request “to be forgotten” when an objection against the processing has been made pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2). The objection as per Article 21(1) of the GDPR may be applied, when the initial processing is legally based on (i) the performance of a task carried out in the public interest; (ii) legitimate interests pursued by the controller, as well as other sub-grounds.    

When reviewing such requests, search engine providers take into account the particular situation of the data subject and must prove “overriding legitimate grounds” in case the request is rejected . When assessing the particular situation, the following criteria is taken into account:   

► The public role of the data subject;   

► The impact of the accessible information - whether it is related to the professional or personal life of the respective person;   

► Factually inaccurate information, etc;   

► Whether the information is related to a minor criminal offence, which happened a long time ago and may cause prejudice to the data subject.

The factual accuracy of information may be proven through various approaches, which can include court rulings, findings of regulatory authorities (e.g. that a person does not owe any taxes), as well as by other means. From a practical perspective, this would mean that when a person applies for exercising the right to be forgotten, they may submit accompanying evidence confirming that the information, contained in a search result is not accurate from a factual standpoint.

Another application field of Article 17 of the GDPR is related to past minor criminal offences, which may cause prejudice towards the respective individual . From a legal perspective, additional clarity should be brought in terms of the meaning of “minor”. As per Article 93 of the Bulgarian Criminal Code, a "minor case" is one in which the crime perpetrated, in view of the lack of or insignificance of the harmful consequences, or in view of other attenuating circumstances, constitutes a lower degree of social danger compared to ordinary crime cases of the respective kind. Various provisions of the Criminal Code foresee a reduced punishment for minor cases, or even release from criminal liability. This in line with the data protection understanding that minor cases have a significantly smaller impact on the society and should be treated differently than other or standard criminal offences.

A common counterargument used by search engine providers against requests of data subjects to be forgotten is the right of freedom of expression and information – an exemption, provided under Article 17, paragraph 3, “a” of the GDPR. The EDPB Guidelines draw a clear line between requests for delisting brought against:   

► original content publishers, whose core business consists in informing the society and being protected by the freedom of speech and expression principle   

► search engine providers, whose main activity is to identify potentially accessible information, made available by original content publishers.

The type of organisation, against which a request to be forgotten is submitted, may lead to different results of the balancing test, which would determine whether the request should be approved or rejected.

The Guidelines do not give a definitive roadmap to resolving right to be forgotten requests to search engines. This would be practically impossible considering the multiple facts to be considered on an ad-hoc basis. Nevertheless, the EDPB lays out a solid foundation of principles to be observed in order to balance between the day-to-day life of data subjects and the right of the internet society to be informed. 

Subscribe to our newsletter and follow our LinkedIn page so you never miss important updates and expert analyses.