DSB (Austria) - 2021-0.187.619: Difference between revisions
(enginge → engine) |
(Rephrased the already well written heading) |
||
Line 63: | Line 63: | ||
}} | }} | ||
The Austrian DPA held that | The Austrian DPA held that the operator of an online search engine is obliged to delete a link to a database which contains the home address of the data subject if the data subject fears for his physical safety after receiving a death threat. | ||
== English Summary == | == English Summary == | ||
Revision as of 17:21, 10 May 2022
DSB - 2021-0.187.619 | |
---|---|
Authority: | DSB (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 6(1)(f) GDPR Article 17(1)(d) GDPR Article 17(3)(a) GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 07.04.2022 |
Published: | 26.04.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 2021-0.187.619 |
European Case Law Identifier: | AT:DSB:2021:2021.0.187.619 |
Appeal: | Not appealed |
Original Language(s): | German |
Original Source: | RIS (in DE) |
Initial Contributor: | Fabian Dechent |
The Austrian DPA held that the operator of an online search engine is obliged to delete a link to a database which contains the home address of the data subject if the data subject fears for his physical safety after receiving a death threat.
English Summary
Facts
The data subject is a court-certified expert and as such can be found in the publicly accessible database of court experts of the Austrian Federal Minister of Justice. The controller operates an online search engine and has offices in Austria, Ireland and the USA, among other countries.
The data subject had in the past posted on his LinkedIn analytical article concerning historical events in the Balkan region and subsequently received threats from unknown persons. When entering the name of the data subject in the controller’s search engine, a link to the internet address "edikte.justiz.gv.at" appeared, where the data subjects residential address was directly visible. The data subject feared for his physical integrity and even received a death threat in the recent past
The data subjects requested the Austrian entity to delete the link via an online form. This request was refused as the Austrian entity claimed that it is neither legally authorised nor factually able to process deletion requests from users. The request was forwarded to the US entity of the controller which refused to delete the link and argued that the public interests to access to the internet site had to be weighted higher as the allegation of being in danger.
Subsequently, the data subject lodged a complaint with the Austrian data protection authority.
Holding
The DPA held that the US entity of the controller must delete the link to the database of court experts of the Austrian Federal Minister of Justice within two weeks pursuant to Article 17(1)(a) GDPR. The exception of Article 17(3)(a) GDPR does not apply in this case.
Pursuant to Article 17(1) GDPR, the data subject has the right to require the controller to erase personal data without undue delay if the personal data are processed unlawfully. However, according to Article 17(3)(a) GDPR, the right does not exist if the data processing is necessary for the exercise of the right to freedom of expression and information. Therefore, the legitimate interests of the controller and the general public who use the search engine must be assessed and weighed against the interests and possible consequences for the data subject.
The interests of the controller lie in operating an internet search engine and making it (or its search results) available to the general public. In contrast, the data subject invokes that he is exposed to an increased risk to his physical integrity due to the facilitated findability of his residential address. The DPA held that the interests of the data subject prevail as the data processing leads to an increased risk with regard to the physical integrity of the data subject.
The argument of the controller, that the database of the Federal Minister of Justice is publicly available cannot be accepted. The purpose of the data base is to enable a generally available search facility for the appointment of court experts and court interpreters. This purpose can be fulfilled without the controller linking to the database via its search engine. This is not altered by the fact that unknown third parties could in principle also research the complainant's residential address. This requires the additional knowledge that the data subject is registered in the above-mentioned database and makes searching for his residential address without this additional knowledge considerably more difficult or even impossible.The additional argument that the data subject could have his name removed from the database cannot be accepted, since in this case he would no longer be considered as an expert by judges.
Therefore, the DPA held that the interests of the data subject must be weighted higher than the interests of the controller. The DPA further held that the Austrian entity cannot be requested to delete the link as the request was only directed to the US entity but not to the Austrian entity of the controller.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
text GZ: 2021-0.187.619 from April 7, 2021 (case number: DSB-D124.2575) [Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymization be. Corrected obvious spelling, grammar, and punctuation errors.] NOTICE SAY The data protection authority decides on the data protection complaint of DI Ahmed A*** (complainant), represented by B*** & Partner Rechtsanwälte, ***straße *4, **** U***, of August 21, 2020, improved on September 18, 2020, against 1. N***, Inc., ****, United States of America (first respondent) and 2. N*** Austria GmbH, ***straße *5/**/2 *, **** I***, Austria (second respondent) for violation of the right to erasure as follows: 1. The complaint against the first respondent is upheld and it is found that the first respondent violated the complainant's right to erasure by not complying with the complainant's request for erasure of March 19, 2020 until the conclusion of the proceedings before the data protection authority Has. 2. The first respondent is instructed, immediately, but no later than within a period of two weeks in other cases of execution, the URL https://sdgliste.justiz.gv.at/edikte/sv/svliste.nsf/1**** and the URL https://edikte.justiz.gv.at/edikte/sv/svliste.nsf/2**** from the N*** search index in connection with a search for the names “Ahmed Á***” and “ Ahmed A***" [Editor's note: These are two different spellings of the complainant's name]. 3. The complaint against the second respondent is dismissed as unfounded. Legal basis: Article 2 paragraph 1, Article 3 paragraph 2 letter b, Article 6 paragraph 1 letter f, Article 17 paragraph 1 and paragraph 3, Article 51 paragraph 1, Article 57 Paragraph 1 letter f, Article 58 paragraph 2 letter g and Article 77 paragraph 1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 4.5 .2016 p. 1; Sections 18 (1) and 24 (1) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Section 3b (1) of the Experts and Interpreters Act (SDG), Federal Law Gazette No. 137/1975 as amended. REASON A. Submissions of the parties and course of the proceedings 1. With a complaint dated August 21, 2020, improved with a submission dated September 18, 2020, the complainant submitted in summary that the second respondent had violated his right to erasure because she had not complied with a requested erasure. The complainant had in the past posted an analytical statement of facts [editor's note: the subject, concerning historical events in the Balkan region, has been removed in order to increase the pseudonymisation of the complainant's identity.] on his LinkedIn profile and subsequently by unknown persons a Threat to [Editor's note: language has been removed to increase the pseudonymization of the complainant's identity.]. The complainant therefore fears for his physical integrity. When the complainant's name was entered in N***'s search engine, a link to the Internet address "edikte.justiz.gv.at" appeared, where the complainant's home address was directly visible. The complainant therefore requested the deletion of the link on March 19, 2020, which was rejected by letter dated March 31, 2020. Based on the feared impairment of the complainant's physical integrity (murder threat), a significant endangerment of the person concerned was to be assumed. In terms of balancing interests, the protection of physical integrity should be given priority over other interests (e.g. the person responsible). The request for deletion is attached to the file. 2. In a statement dated October 27, 2020, the second respondent argued in summary that it was neither legally authorized nor factually able to process users' requests for deletion. The complainant's request for deletion was therefore forwarded to the first respondent. 3. In a statement dated November 18, 2020, the first respondent submitted (albeit without being asked by the data protection authority) that the "right to be forgotten" pursuant to Art Right to information is necessary (Art. 17 Para. 3 lit. a GDPR) or if this is necessary to fulfill a legal obligation of the person responsible (Art. 17 Para. 3 lit. b GDPR). The complainant was listed as a generally sworn and court-certified expert in connection with his work as [editor's note: profession removed to reinforce the pseudonymisation of the complainant's identity] in a publicly accessible database, which is part of the main website of the Austrian judiciary. There is a legal basis for this public list. The complainant's assertion that the publication posed a danger to his life and limb was unsubstantiated and therefore the public interest in access to legally legitimate information from an authority was to be given greater weight in the present case than the individual right to be forgotten. Since the complainant was still certified as an expert until the end of 2022, the information was up-to-date and relevant from the public's point of view. In addition, in this case the complainant has the option of having his entry removed directly from the body responsible for this database. 4. On 4 December 2020, the Data Protection Authority issued a request for assistance to the Irish Data Protection Authority (DPC) as to whether the First Respondent or N*** Ireland Limited has jurisdiction over requests to remove search engine results from N***. The Irish supervisory authority has stated that the first respondent has jurisdiction. The information from the Irish Data Protection Authority of 10 December 2020 was also sent to the complainant. 5. In a letter dated March 3, 2021, the complainant submitted in summary that the complaint was also directed against the first respondent and that the applications would be upheld. B. Subject of Complaint Based on the complainant's submissions, it follows that the subject of the complaint is the question of whether the respondents violated the complainant's right to erasure by not fully complying with the complainant's request for erasure from March 19, 2020 until the end of the proceedings before the data protection authority have corresponded. C. Findings of Facts 1. The complainant is a court-certified expert and can be found as such in the publicly accessible database of court experts and court interpreters of the Federal Minister of Justice. The complainant's entry is specifically as follows (formatting not reproduced 1:1): [Editor's note: The complainant's entry in the list of court experts, which is reproduced here as a graphic file, cannot be pseudonymised with reasonable effort. It contains the name (including titles and academic degrees), year of birth, occupation, field of expertise as an expert, address, e-mail address and a telephone number of the complainant.] When the complainant's name is entered via the N*** search engine, the link to the complainant's entry above appears on the first page of the N*** search results. Specifically, the following N*** search result is displayed (formatting not reproduced 1:1): [Editor's note: The result of a search using the N*** search engine, which is reproduced here as a graphic file, cannot be pseudonymised with reasonable effort. The first two links found are visible, the first leading to a social network, the second directly to the above entry of the complainant in the list of court experts.] The N*** search engine is operated by the first respondent. Evidence assessment: The findings are based on the corresponding statements of the complainant of August 21, 2020 and the statement of the first respondent of November 18, 2020. In addition, the data protection authority conducted official research in the form of an N*** search query (entering the name of the complainant in the N*** search engine) and in the form of a database query of the list for court experts and court interpreters (requested on April 7, 2021). The finding that the N*** search engine is operated by the first respondent results from the first respondent's statement of November 18, 2020. 2. The complainant published a post on the Z*** platform. In it he dealt with [Editor's note: the topic concerning historical events in the Balkan region has been removed in order to increase the pseudonymisation of the applicant's identity]. The applicant then received a threat from unknown persons. Assessment of evidence: This finding results from the submissions of the complainant in his statement of August 21, 2020. The respondents have not expressly disputed this submission. There are no other indications to cast doubt on this argument. 3. On March 19, 2020, the complainant submitted the following application to the first respondent using an electronic sample application form from the first respondent (formatting not reproduced 1:1): [Editor's note: The complainant's request for deletion, which is reproduced here as a graphic file, cannot be pseudonymised with reasonable effort. It contains the details of two URLs that should no longer be displayed, the name and email address of the complainant, the statement that he/she requested deletion on his/her own behalf, and the reason for unknown persons because of a website that has since been deleted -Postings to have been threatened by phone.] The first respondent responded to the above-mentioned request by the complainant in a letter dated March 31, 2020 as follows (excerpt, formatting not reproduced 1:1): [Editor's note: The reply letter reproduced here as a graphic file cannot be pseudonymised with justifiable effort. Under a reference number, it contains the message that the search results in question will not be blocked, among other things because the relevant content is made available to the public by an authority, the recommendation to contact those responsible for the relevant websites directly, and the note that a complaint to the "data protection authority of your country" is possible.] Assessment of evidence: These findings result from the complainant's statement of September 18, 2020 and the enclosures submitted therein. The screenshots shown here can be found in Enclosure ./A. The finding that the complainant used N***'s request form to remove personal data stems from the consideration that N*** provides an electronic form for requests for removal of search engine results and the content of the complainant's request basically corresponds to the content of the electronic form. The N*** web form is available at: https://www.n***.com/*** (accessed 7 April 2021). 4. The above sample request form for the removal of personal data from N*** includes the following (excerpt, formatting not reproduced 1:1): [Editor's note: The text reproduced here as a graphic file from the Respondent's website, which cannot be pseudonymised with reasonable effort, contains the information that the Respondent is "responsible for the processing of personal data used in the determination of search results in of the N*** search is performed".] Evaluation of evidence: These findings result from official research by the data protection authority of the website https://www.n***.com/*** (accessed on April 7, 2021). D. In legal terms it follows that: 2. Regarding point 1 (first respondent) a) On the distribution of roles under data protection law The first respondent processes the complainant's personal data within the meaning of Art. 4 Z 2 GDPR by recording it and then providing search results in the form of URLs that contain the data entered by the complainant. By automatically, continuously and systematically scouring the Internet for the information published there, the complainant collects personal data within the meaning of Art. 4 Z 1 GDPR, which it then reads out, stores in an organized manner on its servers and makes it available based on a search query. Since the first respondent thus decides on the purposes and means of the processing of the personal data, it is responsible within the meaning of Art. 4 Z 7 DSGVO (cf. the judgment of the ECJ of May 13, 2014 - C-131 /12). A request for assistance from the Data Protection Authority and subsequent information from the Data Protection Authority of Ireland dated 10 December 2020 confirmed that the First Respondent (and not the Second Respondent or N*** Ireland Limited) is the data controller. Finally, the first respondent has never disputed its responsibility for the data processing relevant here in the ongoing proceedings. b) Right to erasure: i) Legal bases According to Article 17 (1) (d) GDPR, a data subject has the right, among other things, to demand that the person responsible delete personal data relating to them immediately if the personal data is being processed unlawfully. According to Art. 17 Para. 3 lit. a GDPR, there is in Para. 1 leg. However, this does not apply if the data processing is necessary to exercise the right to freedom of expression and information. As a result, the legitimate interests of the respondent to the first complaint (as the operator of the search engine) and third parties (the general public using the search engine) must be assessed within the meaning of Article 6(1)(f) GDPR and these must be compared with the interests and to weigh possible consequences for the complainant resulting from the processing in question. ii) balancing of interests The interests of the first respondent lie in operating an internet search engine and making it (or its search results) available to the general public (cf. the decision of January 15, 2019, GZ: DSB-D123.527/0004-DSB/ 2018, according to which the right to freedom of expression and freedom of information enshrined in Art. 11 EU-GRC or the right to freedom of expression enshrined in Art. 10 ECHR - in addition to the expression of opinions - also expressly includes the receipt and transmission of messages or protects ideas). On the other hand, the complainant relies on the fact that he is exposed to an increased risk of his physical integrity and comparable facts due to the fact that it is easier to find his home address via a search with the respondent's search engine. This in particular against the background that the complainant has received a death threat in the recent past. In its guidelines 5/2019 on the criteria of the right to be forgotten in cases relating to search engine entries, the European Data Protection Board stated in margin no. 13 that the "special situation" of a person must be taken into account when weighing up interests. As an example, the committee cites “disadvantage in private life”. Even more explicit was the former Art 29 Working Party, which in its "Guidelines on the implementation of the Court of Justice of the European Union Judgment on ,Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González' C-131/121" on page 13 as an important criterion in the context of the balancing of interests on the "risk for data subjects" associated with the search engine result. In the case at hand, the data processing means that the complainant is exposed to an increased risk in terms of his physical integrity. The Respondent's argument that the database of court experts and court interpreters is publicly accessible cannot be upheld: Basically, it should be noted that Art. 8 EU-GRC and the GDPR - unlike § 1 Para. 1 DSG - do not exclude the protection of personal data due to their (permitted) general availability. Pursuant to Section 3b (1) SDG, the purpose of the database to be set up by the Federal Minister of Justice is to enable a generally available query option for the appointment of court experts and court interpreters. However, this purpose can also be easily achieved if the request for deletion of the complainant relevant here is fulfilled: It can be assumed that judges do not use the search engine operated by the first respondent for careful research by court experts and court interpreters, but directly access the database of the Federal Minister of Justice. In addition, such a search is carried out precisely in order to find an expert whose name is still unknown - for example a civil engineer like the complainant - within a certain district. Likewise, the Respondent's argument that the Complainant could arrange for his removal from the database cannot be upheld, since in this case he would no longer be considered as an expert by judges in the database research mentioned above, which in turn would significantly limit his Freedom of occupation according to Art. 15 EU-GRC or entrepreneurial freedom according to Art. 16 EU-GRC. However, this argument also fails because the ECJ affirmed that the Respondent's obligation to delete data was independent of that of the operator of the original website. In other words: Just because no deletion was or was not requested on the original website, this does not mean that deletion in the result list of the search engine operated by the respondent is inadmissible (judgment of the ECJ of September 24, 2019, C-136/17 , margin nos. 62 to 64). Due to his expert work, the complainant is not publicly known or even a person of public life. It is true that unknown third parties could in principle research the complainant's home address without N***; However, this requires the additional knowledge that the complainant is entered in the above-mentioned database of the Federal Minister of Justice, which is why researching his residential address is considerably more difficult or even impossible without this additional knowledge. Against the background of all these considerations, the interests of the complainant prevail, which is why the facts of Art. 17 (3) lit. a GDPR are not met. This result also corresponds to the general assessment of the ECJ, according to which the right of the person concerned, protected by Art. 8 EU-GRC, generally outweighs the interest of internet users to access information from search engine results (cf. again the judgment of the ECJ of 24 September 2019, Rz 66 mwN). There are no indications to deviate from this general assessment of the ECJ in the present case. iii) Outcome The first respondent wrongly failed to comply with the complainant's application of March 19, 2020. 2. Regarding point 2 (performance mandate) The first respondent was therefore to be ordered to delete (or delist) the data pursuant to Art. 58 (2) (g) GDPR in conjunction with Section 24 (5) DSG. A period of two weeks seems appropriate to delete two URLS as search engine results in connection with the name "Ahmed A***" or "Ahmed Á***". 3. Regarding point 3 (second respondent) As is clear from the facts, the complainant directed the request for erasure pursuant to Art. 17 GDPR (only) against the first respondent, but not also against the second respondent. In the electronic model form from N***, it was also clear to the complainant that the application was (only) sent to the first respondent. The second respondent therefore did not have to deal with the complainant's request for deletion of March 19, 2020 and was not obliged to react within the meaning of Art. 12 (4) GDPR. The complaint against the second respondent therefore proves to be unfounded for this reason alone, and further investigative steps with regard to the responsibility of the second respondent could therefore be omitted. It was therefore to be decided accordingly.