A group of data protection watchdogs from across Europe have published guidelines for search engines and others on how to deal with requests made as a result of the recent 'right to be forgotten' decision.
Earlier this year, the European Court of Justice ruled that European citizens had the right to ask data controllers, such as search engines, to stop returning out of date, inaccurate or excessive information as results for searches performed on their name. Typically, most requests made have involved individuals who no longer want particular news articles associated with their names. Google has granted on average one-third of delinking requests made under the right to be forgotten.
Since the ECJ's ruling was handed down in May, search engines have been largely making the judgement calls on when to delink and when not to on their own. On Wednesday, the Article 29 Working Party (WP29), a group of privacy regulators from EU countries, has developed guidelines on how Google and others should weigh up requests.
Though the WP29 didn't publish the guidelines in full, the group said they provide 13 criteria that search engines should take into account when considering requests, balancing the subject's right to privacy against the public's right to be informed.
"The WP29 considers that in order to give full effect to the data subject's rights as defined in the Court's ruling, de-listing decisions must be implemented in such a way that they guarantee the effective and complete protection of data subjects' rights and that EU law cannot be circumvented," the group said.
The guidelines go on to detail how regulators should deal with appeals from citizens when their 'right to be forgotten' requests have been rebuffed by search engines.
The WP29 also clarified on Wednesday whether the right to be forgotten covered linking on a parent site, such as google.com, as well as country-specific sites, such as google.co.uk or google.es.
"Limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the ruling. In practice, this means that in any case de-listing should also be effective on all relevant .com domains," the group said.
The issue has already been tackled on a local level when a French court recently decided that Google should return a link to a defamatory article for a particular search on both on its .fr and .com domains.
Interestingly, the WP29 also specified that as well as European citizens, data watchdogs should consider right to be forgotten requests from those with a link to the continent.
"Under EU law, everyone has a right to data protection. In practice, DPAs will focus on claims where there is a clear link between the data subject and the EU, for instance where the data subject is a citizen or resident of an EU member state," it said.
"We haven't yet seen the Article 29 Working Party's guidelines, but we will study them carefully when they're published," a Google spokesperson said.
Read more on this story