‘Right to be forgotten’ may potentially apply to all top-level domains, says Swedish Data Protection Authority

The right to be forgotten (or forgiven) ...

Readers with an interest in data protection and privacy will be certainly familiar with the seminal 2014 decision of the Court of Justice of the European Union (CJEU) in Google Spain v Costeja, C-131/12, by which the top EU court addressed the so called right to be delisted (or forgotten) in the online sphere (more precisely, in relation to search engine results).

Readers will also know that in the aftermath of the Google Spain decision a (heated) debate has ensued as regards the scale on which the delisting must take place, with the French Data Protection Authority being one of the first in Europe to hold the view that delisting of results by Google should occur globally, not just in relation to the European top-level domains of the popular search engine.

The latest news is that also Swedes appear to share the view that de-listing could occur on a broad scale.

Katfriend Nedim Malovic (Sandart & Partners) reports on yesterday’s interesting decision [here] of the Swedish Data Protection Authority (DPA).

Here’s what Nedim writes:

“The Swedish DPA has recently investigated Google’s handling of the right to be forgotten (the possibility for users to file a request regarding the delisting of personal details from search results), and concluded that, if Google is required to delist the results of a specific search, it may also be necessary to de-list the search result when searches are made from countries outside Sweden and – more generally - Europe.  

In Google Spain the CJEU held that an individual may request that a search engine removes search results that, e.g., include the name of the individual in question and are inaccurate, inadequate, irrelevant, or excessive.

Following the CJEU judgment several people have turned to Google and filed requests to have their names removed from Google Search (to be precise: nearly 720,000 requests since 2014: see Google’s Transparency Report). Some of those who have not had their results removed have further submitted complaints to national data protection authorities, including the Swedish DPA.

Among the complaints received by the Swedish authority, thirteen have been selected and analysed further. Among them there were the following:

i)               A complaint relating to a person with the same name as an individual who had been pointed out as a criminal offender in a discussion forum. Through the application of the criteria set by the CJEU (ie that the information is inaccurate, inadequate, irrelevant or excessive), both Google and the DPA took the view that the search results did not include personal data about the complainant, and therefore no search results should be deleted;

ii)             Another complaint relating to a person whose first hit following a search for his/her name indicated that the person was registered on Lexbase (a Swedish public database listing individuals who have been convicted of a crime). The DPA, however, took the view that the information indicating that someone is registered on Lexbase cannot in itself be seen as harmful;

iii)            A third complaint related to a person who had set up an organisation for unaccompanied minors seeking asylum in Sweden, and who sought removal of search results relating to a xenophobic webpage that published information about him/her in a derogatory fashion. Google was of the opinion that the webpage contained political criticism of the complainant and that his/her role in public life and was thus of general interest. However, the DPA concluded that the search results must be deleted since they referred to information of a personal nature that was irrelevant for the criticism made towards the person in question, in his/her capacity of representative of the organisation.

A major part of the DPA’s investigation entailed the way in which a search result should be delisted.

The extraterritorial application of the right to be forgotten

The DPA acknowledged that there may be situations in which results must be removed when searches are made from countries other than Sweden. This may be the case if there is a specific connection with Sweden and the data subject, e.g. if the information on the webpage being linked to is written in Swedish, targeting a Swedish audience, contains information about a person who is in Sweden or if the information has been published on the Swedish top-level domain .se. 

The DPA set out that the right to be forgotten is applicable outside Sweden if:

a)               The Swedish Personal Data Act (here) is applicable to the situation at hand; and

b)             The Swedish Personal Data Act is regarded as having an extraterritorial application.

... after a 'crime'

With particular regard to the second point and further to a violation in the processing of personal data that occurs when using Google’s search service, the Swedish Personal Data Act may provide protection. This would be so no matter whether the viewing of personal data occurs in Sweden or not. 

According to the DPA, it is clear that there is a requirement that the registered subject has a specific connection with Sweden, and that the registered subject may – by relying on the Personal Data Act – require Google to prevent the viewing of a particular search result in a country other than Sweden.  

Factors that may prove a “connection” with Sweden include – among other things – that the website is written in Swedish, targets a Swedish audience, includes data about the specific individual (located in Sweden), that the information is published on the Swedish top-level domain .se, or that the viewing of the search result abroad harms the personal identity of the person in question.

In this sense, similarly to IP law – an example being the take of the CJEU in L’Oréal v eBay as regards applicability of EU trade mark instruments - targeting appears the relevant criterion to adopt when determining whether Swedish data protection law applies.”