In recent years, the Data Protection Authorities in several member states of the European Union have voiced their concerns1 to a number of leading search engines and social networks about the compliance of their business practices with the requirements set by the Directives for legitimate processing of their users' personal information. Both, national Privacy Commissioners as well as the Article 29 Working Party2 took the view that many of the service features offered by these companies to their users appeared to be in patent breach of the strictly 'opt-in' system (and the notice and consent requirement) established by the Directives3.
The companies addressed by such concerns initially displayed strong objections (and intense lobbying) against the DPAs' compliance requests, mainly based on the argument that, having their legal seats outside the European Union and not performing their questioned business activities within the territory of member states, they could not be considered as bound by the EU privacy regulations. In the end, the search engines and social networks concluded that they could not maintain strictly such defense argument and therefore sought direct contact with the DPAs of several EU member states.
In Italy, a major search engine partially accepted the local Privacy Commissioner's constraints and tried to come – through meetings with the officials of the Italian DPA – to what the company considered as a reasonable compromise.
- Proper notice and consent practices,
- Online behavioral advertising targeted to users and profiling and monitoring practices performed on web site visitors' online conduct,
- Automated processing of users' personal information for purposes of commercial communication,
- Use of personal data collected for purposes different from those specifically required from users,
- Placement of cookies or of other personal identifiers (allowing to link personal information to specific individuals),
- Storage period of the data collected (considered as excessive, even after some improving modifications, while the search engine's indications as to its data removal or 'account dissociation' practices were considered as not sufficiently clear as to whether they actually granted efficient data 'anonymization').
The Privacy Commissioner then reminded the search engine of the general principles announced in the – widely commented – decision May 13, 2014 of the CJEU's Grand Chamber4, according to which:
- "the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as 'processing of personal data' .... when that information contains personal data" with the consequence that "the operator of the search engine must be regarded as the 'controller' in respect of that processing..".
- "processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a Member State, ... when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State".
- in order to comply with the requirements of the EU Privacy Directive, ".. the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person's name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful".
- a "data subject may, in the light of his fundamental rights under Articles 7 and 8 of the Charter, request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results, those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject's name" (n.d.r. save cases in which preponderant reasons of public interest prevail).
On such premise, the Italian Privacy Commissioner served the search engine with the following prescriptions5 (to be implemented within 18 months from its decision):
- Users must receive exhaustive and efficient notice about the purposes of data collection, storage and processing.
- Users' in-advance consent has to be achieved with respect to the (inclusive automated) processing of their personal information performed in the context of the company's electronic mail service as well as through the interconnection of multiple functionalities made available to them or through the placement of cookies or other personal identifiers (allowing online behavioral advertising, screening, monitoring and analysis of web site visitors' online behavior); data subjects' right to object has also to be granted.
- With the exclusion of removal requests concerning search results available online through a mere and specific 'search' function, the search engine must:
- in general terms, adopt a data retention policy in line with the prescription of the Italian Privacy Code,
- in case personal information is stored on so-called 'active systems' (and when both, the applying individual as well as the object of his request, are easy to identify and do not involve any account verification), process a data subject's removal request within the 63rd day from the moment of receipt (where final cancellation has to be preceded by a 30 days deactivation period in order to prevent erroneous, accidental or fraudulent data removal),
- if data are stored on back-up systems, removal has to be performed within the 181st day from the receipt of data subject's request (during such six months period only recovery of lost personal information is allowed and data must be protected from unauthorized access through adequate encryption or anonymization means).
- By September 30, 2014 the search engine is hold to provide the DPA with a 'protocol of procedure' containing the measures taken or in preparation in order to comply with the prescriptions assigned.
The DPA's prescriptions can be challenged before an Administrative Court. According to a recent press release, the search engine has not mentioned that it considers accessing a court, but has commented the prescriptions by stating that it had been actively and successfully cooperating with the local Privacy Commissioner and is willing to follow such path also in the future.
Game over? Not really, as it appears from recent rumors.
On July 25, 2014, the Article 29 Working Party had an additional meeting with representatives of some major search engine companies. During the meeting, the company representatives found themselves served with twenty-six detailed questions6 about the modalities of their delisting procedures. Interestingly, questions focused on aspects such as:
- Whether data subjects were asked to provide 'justification' for their removal requests.
- Whether data subjects' location, nationality or place of residence became relevant in the context of the request's processing.
- Whether the delisting procedure would refer only to EU domains (or domains accessible from the EU) or would also comprehend all domains on a global basis, and
- Whether refusal to delist would be supported by adequate grounds.
Apparently, the relationship between the European DPAs and the search engine companies still suffers from some mutual distrust. The confrontation is therefore likely to see further developments.
1 See press release available at the URL: http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20130227_pr_google_privacy_policy_en.pdf.
2 The Working Party was set up under Article 29 of Directive 95/46/EC. It acts as an advisory body to the EU Commission and has the specific task of: (a) offering expert opinion from member state level on questions of data protection, (b) promoting harmonized application of the general principles of the Directives in all Member States through co-operation between data protection supervisory authorities, (c) advising on any Community measures affecting the rights and freedoms of natural persons with regard to the processing of personal data and privacy. Its tasks are detailed in Article 30 of Directive 95/46/EC. All EU Member States have a representative is this body and the national DPAs will always conform their activities to the indications issued by this Advisory Board.
3 Reference is to Directive no. 95/46/EC of 24 October 1995 (available at the following URL: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:1995:281:0031:0050:EN:PDF), Directive no. 2002/58/EC of 12 July 2002 (to be found at: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2002:201:0037:0047:EN:PD) and Directive no. 2009/136/EC of 25 November 2009 (to be found at: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:EN:PDF).
4 The CJEU's judgment is available at the following URL: http://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first∂=1&cid=62563.
5 The decision is available – in Italian – on the Privacy Commissioner's web site at the following URL: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1267433.
6 For details on the questions check the Article 29 WP's press release at: http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20140725_wp29_press_release_right_to_be_forgotten.pdf.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.