Europe’s so-called right to be forgotten ruling, handed down last year by Europe’s top court, is still in its infancy. Google and other search engines have been accepting and processing requests from individuals in the region wishing to have outdated, inaccurate or irrelevant information delisted from a search result for their name for some months — in Google’s case since last summer. But it’s still relatively early days for the implementation.
To wit, the Article 29 Working Party — the European body comprised of representatives from member states’ data protection authorities (DPAs) — has been considering how well the appeals process for the rtbf is working. Creating a set of guidelines for this was one of the things the group prioritized, last fall — coming up with draft criteria for the appeals guidelines.
It has conducted an initial evaluation of the appeals process so far, and professes itself largely happy with the current modus operandi. In a press release issued today, six months after national DPAs started handling complaints relating to delisting requests, the WP29 says it has surveyed national regulators and found the appeals system is operating “efficiently”.
Thus far, some 2,000 delisting complaints have been received by regulators — which is pretty small when you consider that the total number of requests received by Google as of this month is just shy of 272,000. (The ruling does apply to all search engines but Google has by far the dominant marketshare in Europe — and the 29WP notes the “majority” of rtbf complaints pertain to Google’s search engine.)
Regarding the merit of complaints, the WP29 says data protection authorities have found that “in the great majority” of cases the search engine’s decision to refuse a delisting request is “justified by the fact that the information is directly related to the professional activity of the individual, or that it is pertinent in regard to current events or to purpose of the processing”.
In terms of how DPAs process appeals, the WP29 notes they have all established a dedicated team responsible for “reviewing, evaluating and responding to the complaints in accordance with the adopted guidelines and delisting criteria”.
It notes some authorities have set up an “escalation system” so the most complex requests are subject to validation at a high level within each DPA. The WP29 does not specify which national regulators have done that, or what proportion of appeals are being escalated. Or indeed what constitutes “most complex” in this instance.
Consistency of decisions across national DPAs is being managed via the WP29s’ “common criteria” for rtbf appeals. The body again says it’s generally happy with these criteria — saying they “all appear to be relevant and efficient in the context of delisting requests”.
That said, the WP29 does also suggest that some criteria might need to be “refined” to improve clarity — making specific reference to the “role in public life” criteria as one that could benefit from being more explicit. That comes back to the delicate balancing act at the very heart of the rtbf ruling — which requires a weighing up of the right to the protection of private life and personal data with any public interest of the information being known.
Other shades-of-grey areas mentioned as requiring more thought/work by the WP29 are how DPAs assess to what extent a complaint is “well-founded”; and how they specify at what point a piece of information can be considered “outdated and thus irrelevant”.
Critics of the ruling have complained the judgments it requires are inherently subjective, and that commercial companies like Google are now legally required to draw these arbitrary lines in the sand. The appeals process does loop national regulators in as a fallback — although the difficulty of determining where the hard lines lie with mutable concepts such as relevancy and topicality (and where messy human lives and emotions are concerned) means the implementation is never going to be an exact science. And so there will always be margin for error and bandwidth for criticism.
But, given the appetite for the rtbf among European web users — with close to one million URLs submitted to Google for delisting since it started processing them last year, it’s a lot harder for tech giants to claim that privacy itself as a concept is outdated or irrelevant.