Tietosuojavaltuutetun toimisto (Finland) - 6722/154/2018

From GDPRhub
Revision as of 22:15, 14 May 2020 by Ilkku (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Fi...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Tietosuojavaltuutetun toimisto - 6722/154/2018
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 17(1)(c) GDPR
Article 21(1) GDPR
Article 58(2)(c) GDPR
Article 87 GDPR
Data Protection Act (1050/2018)
Type: Other
Outcome: n/a
Started:
Decided:
Published:
Fine: None
Parties: n/a
National Case Number/Name: 6722/154/2018
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: n/a

Finnish Deputy Data Protection Ombudsman holds that pursuant to Article 17 GDPR, Google LLC must delist a search result link that leads to a website containing the data subject’s social security number. Legitimate interest is not a valid legal ground for processing social security numbers under national law.

English Summary

Facts

The data subject requested Google to delist a link that leads to a website with information about the data subject’s criminal convictions and social security number. Google refused, on the grounds that access to the criminal conviction data is within public interest.

Dispute

Can the Deputy Data Protection Ombudsman instruct Google to comply with the data subject's request to remove the search result link as per Article 58(2)(c) GDPR?

Holding

Article 87 GDPR gives Member States the right to specify conditions for processing social security numbers. According to Article 29 of the Finnish Data Protection Act, the social security number may be only processed with the consent of the data subject or if provided by law. Because of this, the Deputy Data Protection Ombudsman accepted the data subject’s claims and instructs Google LLC to comply with the data subject’s request to remove the search link under Article 58 (2)(c) GDPR.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.



The applicant has filed a lawsuit with the Office of the Data Protection Officer regarding the removal of one of the url search results links from the Google Search service.

The url search result link leads to online content stating that in 2016, the applicant had been sentenced to one year and ten months of absolute imprisonment for multiple child sexual abuse. The exploitation of one victim had met the hallmarks of a felony. […] Information about the applicant's personal identity number can also be found behind the search result link.

The applicant has justified his request for deletion, inter alia, by the fact that information about his personal identity can be found behind the url search result link requested for deletion. According to the applicant, this information is not publicly available elsewhere. The applicant has emphasized that the personal identification number is confidential information identifying a natural person issued by the authority. According to the applicant, the availability of such information can lead to, for example, identity theft. The applicant has also referred to Google Search's own removal policies. The applicant has received an acknowledgment requesting, inter alia, “your social security or similar government ID number”.


Statement received from the controller

The applicant has submitted a request to the controller himself for the removal of the search results links and received a negative reply to his request. The controller has also been asked for clarification by the Office of the Data Protection Officer. The registrar has submitted his report on 11.3.2020.

The report states that Google LLC has reconsidered the matter. Google LLC has decided to stay with its original decision. It has been argued that the information available relates to the applicant's recent conviction for serious crimes. There had been several sexual exploitations, one of which had met the characteristics of a felony. The act had also included sexual intercourse with a minor.

Google LLC has also invoked the guidance of the Article 29 Data Protection Working Party that, in the context of crime, data protection authorities are more likely to consider removing search results for relatively minor and long-standing offenses and less likely to remove results for serious and recent offenses.

The report also found that in this case, the information describes criminal behavior. The availability of the information has been considered to be strongly justified in order to ensure the safety of the persons dealing with the applicant.

Google LLC has determined that the information available to it does not constitute inaccurate or out-of-date information. Therefore, and given the seriousness and nature of the offenses, the controller has considered that access to the data is still justified by a legitimate interest.


Legal question

The Assistant Data Protection Officer assesses and decides on the applicant's case on the basis of the General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018). In deciding the case, the EDPS will also take into account the European Data Protection Board's right to be forgotten in Guideline 5/2019 of 2 December 2019 on the criteria for the Right to be Forgotten in the search engines cases under the GDPR -131/12 and C-136/17 and, where applicable, the Article 29 Working Party on the interpretation of the above-mentioned judgment C-131/12 of 26 November 2014 Guidelines on the implementation of the Court of Justice of the European Union judgment is “Google Spain and Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González 'C-131/12 (later the Interpretation Guide of the Article 29 Data Protection Working Party).

The EDPS shall decide whether the controller should be instructed in accordance with Article 58 (2) (c) of the General Data Protection Regulation to comply with the data subject's request to remove the url search result link in question.

In this decision, the Assistant Data Protection Officer will assess the applicant's case in terms of the processing of personal data by the controller and the online service it provides. The decision does not comment on whether the other actor involved, ie the original publisher of the data, has the right to keep the data available on its own website.


DECISION

For the reasons set out below, I accept the applicant's claims and instruct Google LLC, pursuant to Article 58 (2) (c) of the General Data Protection Regulation, to comply with the applicant's request to remove the url search link in question.

Under Article 17 of the General Data Protection Regulation, the data subject has the right, if the conditions listed in that article are met, to have the controller delete personal data concerning the data subject without undue delay. The data subject may request the deletion of data on more than one of the grounds mentioned in this Article. The European Data Protection Board has taken a position on the application of the conditions set out in Article 17 (1) of the General Data Protection Regulation to internet search engines in the above-mentioned Interpretative Guideline 5/2019 on the criteria for the Right to be Forgotten in search engines cases under the GDPR.

Judgments C-131/12 and C-136/17 of the European Court of Justice have stated that the processing of personal data by Internet search engines when a search is performed in the name of the data subject can have a significant impact on the data subject's privacy rights.

Those judgments also state that the information published on a given individual website and its availability in the search results of internet search engines is always linked to two independent actors: 1) the website operator, the so-called original publisher, and 2) the internet search service operator. Judgment C-131/12 states that an internet search engine is an independent controller of the processing of personal data carried out by a search engine in order to provide url search results (see paragraphs 35 to 41, 82 to 83 and 88 of the judgment). The two separate actors mentioned above do not, in principle, process personal data on the same basis. In the judgment of the European Court of Human Rights M.L. and W.W. vs Germany (dated 28 June 2018), on the other hand, states that the balance of interests may lead to different results depending on the case (i) the original publisher's activities can be seen as at the heart of freedom of expression and expression, while (ii) the was not to publish the information in question per se, but to compile any information on the data subject in one place, thus enabling the creation of a profile of the data subject.

Judgment C-131/12 further states that a person's public or parastatal status is a factor which may lead to the so-called general public having the right to obtain personal data about him from an internet search engine. The judgment states, inter alia, that a data subject may, in respect of his fundamental rights under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, demand that the information in question no longer be made available to the general public by including it in such a search result list; It is clear from paragraph 81 that those rights in principle supersede not only the financial interest of the search engine operator but also the interest of the general public in finding that information when searching under the name of the data subject. However, that would not be the case if it appeared that, for specific reasons such as the data subject's public status, the interference with the data subject's fundamental rights was justified by the overriding public interest in obtaining that information as a result of that inclusion (see paragraph 97).

Judgment C-136/17 of the European Court of Justice, for its part, states that the right to the protection of personal data is not an absolute right but must be seen in the light of its role in society and, in accordance with the principle of proportionality, proportionate to other fundamental rights. It is further noted that, in particular, Article 17 (3) (a) of the Data Protection Regulation explicitly requires a balance between the fundamental rights to privacy and the protection of personal data enshrined in Articles 7 and 8 of the Charter and the freedom to provide information guaranteed by Article 11 of the Charter.

The abovementioned judgments have thus held that the data subject's rights in principle supersede not only the financial interest of the search engine operator but also the interest of the general public in obtaining access to the information in question by searching in the name of the data subject. However, the European Court of Justice has identified a number of factors that need to be taken into account in the assessment. These include, but are not limited to, the nature or sensitivity of the information in question, and in particular the interests of Internet users in obtaining information, which must be assessed in the light of, inter alia, the data subject's possible public or similar status.

The above-mentioned interpretation guide of the Article 29 Working Party defines the concept of public status. According to this interpretative guideline, a public position or a public person means that a person is, at least to some extent, subject to so-called media exposure through his or her actions or commitments. If a person has a public status, then there is a reason why the general public should be able to search the Internet search engine for information that is relevant to the person's public or similar role (see pages 13-14 of the 29th Data Protection Working Party's interpretative guide).

Assessment of the applicant 's case

The commission and conviction of a criminal act in principle gives a person a public position in society and exposes him or her to so-called media exposure for that act. The premise is that a person who has committed a criminal offense cannot, after his or her act, have the same reasonable presumption as to the extent of the protection of his or her privacy as a person who has not committed an offense.

The above principle is reflected, inter alia, in the judgment of the European Court of Human Rights in Sidabras and Džiautas v. Lithuania (2004, paragraph 49), which states that Article 8 of the ECHR does not protect against loss of reputation committing an offense. The judgment of the European Court of Human Rights in Axel Springer Ag v. Germany (2012, paragraph 83) also confirms the same line.

However, the above does not mean that the offender does not have any protection of privacy at all. Notwithstanding the criminal offense and the punishment received for it, part of the personal data of the person concerned remains covered by the protection of his or her private life and his or her fundamental right to privacy.

It is common ground in the applicant's case that he has been sentenced to several years and ten months' absolute imprisonment for the sexual exploitation of a child. I consider that the applicant has thus acquired a public or parastatal status within the meaning of Case C-131/12. Hereinafter, I will use the term “public status”. That public position gives, in principle, a legitimate interest to the general public in obtaining personal data concerning the applicant from the Google Search service, as outlined in Case C-131/12 (see paragraph 97 of the judgment). It should also be noted that, according to the Journalists' instructions, the name, image or other identifying information of a person convicted of a crime may be published, unless it is clearly unreasonable in relation to the convicted person's position or act.

Judgments C-131/12 of the European Court of Justice have specifically outlined the deletion of personal data (url search results) from an internet search engine. In assessing the need to delete personal data related to public status, an interest weighing must be carried out, which also takes into account the rights of other persons to obtain information about the data subject through url search results from the Google Search service. The balance of interests shall seek to strike a fair balance between the general public's interest in obtaining information and the fundamental rights of the data subject under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. Although the data subject's rights protected by those articles supersede, as a general rule, the interest of internet users, the balance may depend on the nature and sensitivity of the data subject's privacy in specific cases and the public's interest in having access to such data. (cf. paragraphs 73-74, 81, 97, 99 of the ECJ judgment and Articles 6 and 8 (1) (8) of the Personal Data Act).

Furthermore, in the Interpretation Guide of the Article 29 Working Party, personal data processed in the context of a search engine operation are divided into both factual information (facts) and opinions / views that individuals have on a particular issue or person. The assessment of the inaccuracy / inaccuracy of personal data must take into account whether the matter is a fact whose accuracy cannot be disputed or whether it is a subjective opinion or view. The Interpretative Guidance states that DPAs are more likely to consider deleting search results that are objectively observable and therefore give an incorrect, incomplete or misleading picture of the person (see pages 15 and 17 of the Article 29 Working Party's Interpretative Guide).

The applicant has not denied that he has been convicted of several sexual exploitations of a child with an absolute term of imprisonment of one year and ten months. It is therefore not a question of having information behind the url search results in question that contains information about the applicant which is not true.

The assessment provided for in Article 17 (1) (c) of the General Data Protection Regulation must also be taken into account. According to the General Data Protection Regulation 21 (1), the data subject has the right at any time to object to the processing of personal data concerning him or her based on Article 6 (1) (e) or (f) on the basis of his or her specific personal situation. The controller shall no longer process personal data unless the controller can demonstrate that there is an overriding and justified reason for the processing which overrides the data subject's interests, rights and freedoms or is necessary for the preparation, presentation or defense of the legal claim. The EDPS Interpretative Guide states that, for example, any of the processing criteria set out in Article 17 (3) of the General Data Protection Regulation may constitute a significant and legitimate reason to override the data subject's interests, rights and freedoms (see page 7 of the EDPS Interpretative Guide).


In assessing the present case, notwithstanding the above, it must be borne in mind that the applicant's personal identity number is available behind the url search result link in question. Article 87 of the General Data Protection Regulation provides that Member States may further specify the specific conditions for the processing of a national personal number or other public identifier.

Section 29 of the Data Protection Act provides for the processing of personal identity numbers. The personal identity number may be processed with the consent of the data subject or if the processing is provided by law. In addition, the personal identity number may be processed if the unambiguous identification of the data subject is important, inter alia, for the exercise of the rights and obligations of the data subject or the controller. It is noteworthy that the processing of personal identification is not allowed to carry out the legitimate third party interest. The processing is not even allowed in order to fulfill the legitimate interests of the controller himself, but only to fulfill the rights and obligations of the controller.

Google LLC has determined that access to the information is justified to ensure the safety of those dealing with the applicant. Google LLC continues to believe that access to the information is justified by a legitimate interest. However, as stated above, the processing of a personal identity number is not permitted on the above grounds.

In the light of the above, I instruct Google LLC, pursuant to Article 58 (2) (c) of the General Data Protection Regulation, to comply with the applicant's request to remove the url search link in question.

The decision is not yet final.