New insights on the Right to request delisting as provided by Article 17 GDPR

A recent court decision of the European Court of Justice (ECJ) again shows a new interpretation of European data protection law. In the judgment of 8.12.2022, the ECJ dealt, among other things, with the question of the obligations under which search engine operators must comply when processing delisting requests under article 17 of the General Data Protection Regulation (GDPR). The interpretation of the Advocate General and the Court of Justice will also play an essential role in applying these standards in the future. In this blog, I will explain the court's arguments on using and interpreting this right.

Right to request delisting

According to article 17 GDPR, the so-called requests for de-referencing are a particular form of the right to deletion for entitled persons. It involves the deletion of links that lead to specific websites and are listed by search engine operators. Thus, persons concerned can also directly contact search engine operators without first contacting the persons responsible for the content of the websites. In practice, two different perspectives must be considered. On the one hand, when search engines, in the context of the activity, process personal data. On the other hand, when data controllers make these data available primarily on a website.

TU and RE vs Google LLC

In the present case, the plaintiffs applied to Google to remove website links to articles from search results because they allegedly represented inaccurate information about the couple and their company and to remove corresponding thumbnails.[1] However, Google did not comply with this de-referencing, claiming that a court decision or restraining order be presented as proof of the inaccuracy before the deletion.

The ensuing legal dispute reached the competent Federal Court of Justice in Germany. In the so-called preliminary ruling proceedings, it then asked the ECJ whether the plaintiffs would have had to prove the incorrectness or whether Google would have had to clarify the facts itself. In its final decision, the court followed the recommendation of the Advocate General in charge of the case. It held that data subjects are not obliged to submit a court decision or injunction as proof that the information needs to be more accurate. However, they must present initial evidence that the data is manifestly incorrect or that an insignificant part of it needs to be corrected. Search engine operators are obliged to the extent of their available resources to review the request and contact the publisher's website. However, search engine operators can refrain from actively cooperating in validating the information.

Search engine operators and the GDPR

Now, one may ask why this legal interpretation imposes this obligation on search engine operators when they are not responsible for the false information. Google, as the operator of a search engine, is the "controller", and the activity of a search engine is to be seen as the "processing of personal data" according to European rules.[2] Above all, the activity of a search engine contributes a great deal to the worldwide dissemination of personal data, as internet users can create a detailed profile of the person concerned based on the search results. Thus, in addition to being a publisher of web pages, this activity can significantly interfere with the fundamental rights to respect for private life and the protection of personal data. Nevertheless, these fundamental rights are set against the right to freedom of information[3], which belongs to internet users.

Thus, the ECJ could not base its assessment of the above facts purely on the infringement, but it had to balance the interests of the two fundamental rights. Article 17 of the GDPR also stipulates that the right to erasure is excluded if the necessity of the right to free information prevails. Therefore, the ECJ also emphasises that the right to erasure is not unlimited.

As an example of balancing the right to respect for private life and the right to information, the ECHR has identified the following criteria:

· Contribution to the debate of general interest;

· Name recognition of the person concerned;

· Reporting of preceding behaviour, person, content, form, and;

· Effect of the publication.

Furthermore, the Article 29 Data Protection Working Party has also drafted a catalogue of criteria following the first significant ruling on the data protection classification of search engines, as has the European Data Protection Board (EDPB) in Guidelines 5/2019,

De-referencing and thumbnails

In the second question of interpretation, the ECJ also addressed whether the search engine operator must consider the original context behind the thumbnails when assessing a delisting request. In this sense, thumbnails also process personal data and display corresponding website links. At the outset, no distinction is made between the search for information on natural persons and images. Therefore pictures, also in the form of thumbnails, must be considered in de-referencing applications. This search function for images may even constitute a more substantial prejudice to fundamental rights than the publication of information. Images have a more significant effect, as they are more likely to attract attention and entice search engine users to access the deposited website.

In the ECJ's view, unlike the Article 29 Working Party, the territorial effect of the delisting requests does not apply worldwide. Still, it is, in principle, limited to the domain of the member state in which this request was processed.

[1] “A thumbnail is an image with a reduced file size that is used as a placeholder for full-sized multimedia content.”https://www.ionos.com/digitalguide/online-marketing/social-media/what-is-a-thumbnail/. [2] Controller: Article 2 lit d Directive 95/46 and Article 4 No 1 and 2 GDPR. Processing of personal data: Article 2 lit b Directive 95/46 and Article 4 No 7 GDPR. [3] Article 11 Charter of Fundamental Rights.