Italian Data Protection Authority on the right to be forgotten
With decision n. 30 issued on February 26th, 2017, the Italian Data Protection Authority upholds the application lodged by an italian citizen claiming the "right to be forgotten".
The Italian Authority (Garante Privacy):
“a) accepts the claim against Yahoo! Emea Ltd, established in Italy through Yahoo! Italy s.r.l. and, consequently, orders the same, pursuant to article 150, paragraph 2, of the Code, to remove the URL mentioned in the application initiating proceeding with the name of the person concerned, within twenty days after receipt of this provision;
b) declares no need to adjudicate on the claim against Microsoft and AOL;
c) determines the amount of costs of the proceedings to the extent of EUR 500,00 lump charging EUR 200,00 to Yahoo! Emea Ltd and EUR 200,00 to Microsoft and AOL, the extent of EUR 100,00 each, which should be dismissed directly in favor of the claimant, compensating the remainder.
The American Dream
United States of America are told to be the place where everything is possible and where there is a chance to success for everyone. This is what an Italian man should have thought before heading to USA in 2015. The Land of People always offers a lot of adventures and it probably has been a matter of bad choice for him.
Maybe he has a little too much to drink, maybe speed limit’s control is a bit rigorous, maybe he fraternizes with the wrong fellow that tries to get you down the bad path, we really don’t know what happened but what is supposed to be a pleasant trip turns out to be a nightmare.
All is well that ends well
For an unknown fact, this Italian man happens to be arrested and soon landed by US Police before the Court to proceed to trial. But, good for him, a deep examination proves the fact to appear not so serious at all and the Italian man can walk off the Court with a reduced charge and a lighter heart.
Furthermore, he become happier because he does not have to appear anymore in front of the US Court. He was told, in fact, that the minor charge drops too.
He comes back at home in Italy and tries to forget this mishap but, despite how hard you bury your past under four feet of ground, it always pops up and kicks the door down. And whenever it wants or, obviously, when you least expect it.
The Court forgives, the web not
So, our man is going to search something on web and opens Yahoo! home page. He digits his name and finds out that the search engine returns an URL of a page with his name, his surname, his physical description and the related American mishap.
The problem is that Yahoo! has reported him to be charged only with the first, and more severe, crime. Further details of the case were omitted so that web’s people would never know that he was charged for a minor crime then definitely dismissed.
He tries another search on a different search engine, but Bing and AOL both return the same news too, linking to an URL that relates to just one side of the story. His reputation seems on the edge of the unrepairable.
From application to decision
The applicant lodges a complaint to Personal Data Protection Authority for Italy that decides to uphold it prima facie. Pursuant to Italian personal data protection Code (applied by legislative Decree n. 196 of 30 June 2003), the Authority invites all data collectors to response the claim.
All the parties have presented their arguments and exchanged fact sheets in favor of the Authority.
Without further hearing, the Court issues decision n. 30.
Parties argument over Authority calling
The complaint is filed against Yahoo!, Microsoft, and AOL – with Microsoft and AOL not brought before Court having complied with applicant’s request – pursuant to article 7 e 8 of the Code seeking: a) first, the removal of the URL to a US site’s web page containing inaccurate personal data of him, since the link was not reporting that the crime he was charged with before a US Court, was indeed not to be proceeded; b) in the alternative, the update of the inaccurate and outdated information returned by each search engine; c) payment of costs and expenses incurred in the proceedings.
The applicant premises that there are legal precedents ruling against search engine as data controller, and arguments that the search engine should be ordered to erase the link if refuses to supply, even if the information is not still out of date.
Yahoo! is the major respondent
The main objection moved by Yahoo! as respondent is about the lack of jurisdiction. It arguments that the only data controller of personal data available through Yahoo! Search is Yahoo! Emea Ltd., established in Ireland, while Yahoo! Italy s.r.l.’s activity is limited to promotion and sell of advertising.
Being Yahoo! Emea Ltd the parent company, only it has the power to control search results or to determine which results should be removed. Consequently, Italian Authority is not supposed to have the power to entertain the case.
AOL and Microsoft comply and respond
To the extent that they have been lodged against by the applicant, AOL outlined that its search service is controlled and dependent by Microsoft upon commercial agreements and that in no way it has control over shown search results, while Microsoft claims that it provided to comply with applicant’s request and removed the URL although it could be crawled again should not other search engine cease to index it.
The Authority upholds application discarding the lack of jurisdiction
The first issue pointed at by the Authority, is the lack of jurisdiction.
It is evaluated whether the Italian Data Protection Authority should be entitled to rule, whereas the data controller Yahoo! Emea Ltd is based in Ireland and not Italy.
This counterclaim is rejected by the Authority, on the premise that Yahoo! Italy s.r.l. should be considered a stable organization of Yahoo! Emea Ltd in the national territory; therefore, the Authority states that its jurisdiction applies to the case at hand as well as the Italian Data Protection Code provisions, pursuant to article 5, paragraph 1, of the Italian personal data protection Code, article 4, paragraph 1, let. A), EU Directive 95/46/CE, and article 29 of the Working Party’s opinion n. 8/2010 as updated on December 16th, 2015.
The Authority finds that the activities carried out by Yahoo! Italy as a subsidiary is linked with the data processing carried out by Yahoo! Emea Ltd and that the first’s scope is that of making “economically profitable” the service provided by Yahoo! Emea.
The Authority recalls principle established by the European Court of Justice through Google Spain or Weltimmo decisions and by Authority itself and Milan Court laws, finding necessary to ensure effective legal protection “against any damage caused by an unlawful processing of personal data occurred on line and whose harmful effects occurred in the Italian territory”.
On the merits of the case
On the merits, the Authority assesses that the URL is still available online returning information out of date and about a story that ended in a different way than reported.
This association between false information and personal data must be considered harmful for the applicant and unlawful according to article 11 of the Code and article 6, let. D), EU Directive 95/46/CE. Therefore, the application has been upheld against Yahoo! Emea Ltd. established in Italy by the means of Yahoo! Italy s.r.l., ordering the removal from its search engine of personal data associated to the URL at issue.
Right to be forgotten more and more on the way for its acknowledgment
The “right to be forgotten” is increasingly under evaluation, by local Authorities and Courts law. Recently, Eu has issued the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural person with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) where this principle is expressed as the right to ask for de-indexing of personal data under specific and outlined circumstances.
On the same grounds Italy has complied with the Data Protection Code, compelling data controller to process only updated and accurate data respecting human dignity. This enforcement tendency carries out the question about jurisdiction since many of the search engines spread out their activities thorough parent and subsidiaries.
According with the notion of establishment expressed in many legal precedents before EU Commission, the leading one of which should be considered Google Spain, based upon article 4 of Directive 95/46/CE, local authorities often declare the parent search engine established through their internal subsidiary, with the data protection law of this last one’s Member State to be applied to the case.
Local legal precedents
Although many unpublished, Italian Courts have often issued decisions about right to be forgotten as well as it does the Italian Data Protection Authority. The first of them is commonly supposed to be a Roman Court’s decision issued on 1995, stating that republishing a thirty years old information with outdated personal data on it, it is inaccurate and harmful and does not respond to a public interest.