Data ProtectionPrivacy

Google convicted for late deindexing following a right to be forgotten request

The court of Milan obliged Google to pay damages to the claimant

Google has to pay damages for the late deindexing of pages following a user’s request for the exercise of the right to be forgotten.

The Court of Milan held that Google LLC has to deindex a few Internet sites containing false information and defamatory content concerning a claimant, as well as to refund the latter € 25,000 as compensation for non-economic damages suffered as a result of the delay in the deindexing such information.

The case on the defamatory content that led to the right to be forgotten request

The decision follows a case that occurred in 2011 when the claimant had successfully brought a claim against a third party who disseminated false online information with defamatory content. The judgment on the case was final in 2017 when the claimant asked Google to delete all the URLs containing the defamatory information, exercising his right to be forgotten. But it obtained a denial from Google that led to a dispute before the Court of Milan.

In particular, the claimant asked the court to hold the unlawful processing of his personal data by Google – implemented through publication, online dissemination, storage, computer archiving and maintenance of such information – and to take the necessary measures to prevent the persistency of the damages to his privacy, reputation, and honor.

Google argued that, as a hosting provider, under the EU e-Commerce Directive, it was not responsible for the content of the news published on the sites that can be viewed as a result of a search. Therefore, there was no right to the cancellation of personal data, which can arise only in cases of unlawful processing.

The position of the court against Google on the right to be forgotten and late deindexing

The Court dissented, arguing that when Google acts as a hosting provider in the provision of the Google Web Search service, it also acts and operates a database relating to the “web pages taken from its spiders“, “stored on huge storage systems residing at its web-farm” and subsequently “offered for viewing in an aggregated manner and organized according to parameters chosen by Google” and covered by trade secret.

In carrying out this activity, Google plays the role of an autonomous data controller in the processing of personal data of the person concerned “with the consequent non-contractual liability for any damaging result determined by the mechanism of operation of this particular search system“, since “the absence of any harmful intent of the provider” is not relevant.

In the light of the foregoing, the Court declared Google liable for unlawful processing of the claimant’s personal data as a result of the failure to deindex the search results following a request to exercise the right to be forgotten. Consequently, it ordered Google to pay the plaintiff € 25,000 by way of compensation for non-material damage for the “suffering resulting from the continued availability of negative data concerning him by activating searches in his own name on the generalist engine and the frustration suffered at the rejection of the request made“.

My takeaways from the decision

Giulio CoraggioThe decision places an unparalleled burden on search engines, publishers, as well as any entity processing third parties’ personal data since the late cancellation of personal data might yield a claim for damages. Indeed, if we expand the scope of the decision to claims for breach of the obligation to cancel data on the expiry of the relevant retention period, any company might be at risk.

And the adoption and the implementation of an appropriate retention policy is an utmost concern for the vast majority of companies. On the topic, the fine of € 14.5 million issued in Germany is interesting and shows how data protection authorities are cracking down on companies regarding their compliance with data retention obligations.

You may find interesting also the article “Data retention period, an intrigued rebus under the GDPR“.

Don't miss our weekly insights

Tags
Show More

Giulio Coraggio

I am the head of the Italian Technology sector and the global head of the IoT and Gaming and Gambling groups at the world-leading law firm DLA Piper. IoT and artificial intelligence influencer and FinTech and blockchain expert, finding solutions to what's next for our clients' success.

Related Articles

Back to top button
Close