*** N.B. For full working paper see https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3505921 *** This paper argues that Google’s essentially blanket and unsafeguarded dissemination to webmasters of URLs deindexed under the Google Spain judgment involves the disclosure of the claimant’s personal data, cannot be justified either on the purported basis of their consent or that this is legally required but instead seriously infringes European data protection standards. Disclosure of this data would only be compatible with the initially contextually sensitive context of collection where it was (i) reasonably necessary and explicitly limited to the purposes of checking the legality of the initial decision and/or bona fide research and (ii) was subject to effective safeguards that prevented any unauthorised repurposing or other use. Strict necessity thresholds would need to apply where disclosure involved special category data or was subject to reasoned objection by a data subject and international transfers would require appropriate safeguards as provided by the European Commission’s standard contractual clauses. Disclosing identifiable data on removals to end users would directly and fundamentally undermine a data subject’s rights and, therefore, ipso facto violate purpose limitation and legality, irrespective of a data subject claims rights in data protection, defamation or civil privacy. The public’s legitimate interests in receiving information on personal data removals should be secured through safeguarded scientific research that the search engines should facilitate and promote.

1. Dr David Erdos
Faculty of Law
University of Cambridge
Disclosure
Exposure

2. Introduction
 Google Spain described as a “clear victory for the protection of
personal data of Europeans” (Reding, 2014).
 Over 1.5m URLs have be delisted by Google alone to date.
 But are concerns that not fully/properly implemented.
 Presentation seeks to interrogate Google’s practice of notifying
deindexing decisions/URLs to webmasters (& also removals of
personal data to Lumen ‘research’ database & end users.)

3. DPA Action on Webmaster Notification
 A29 Working Party Guidelines (2014):
 Routine webmaster notification illegal (confirmed by EDPB 2019).
 In “particularly difficult cases” may be legitimate ex ante.
 Must be “all necessary measures” to safeguard subject rights.
 Spanish DPA Resolución R/02232/2016:
 Followed-up specific complaint about disclosure.
 Confirmed illegality.
 Issued €150K fine & injunction against future repeat.
 Google mounted legal challenge to this Resolution.

4. Google’s Legal Challenge
 Administrative Law Claim:
 Sanctioning Procedure wrongly established general position.
 Substantive Law Claims:
 No (new) personal data disclosed.
 Notification done with data subject consent.
 Even if not, has overriding legitimacy.
 Notification is anyway a legal obligation under DP.
 2019 (April): Spanish High Court supports admin claim.
 2020: Likely appeal to Spanish Supreme Court (& ?CJEU).

5. No (New) Personal Data & Have Consent?
 Google’s Claims:
 URL strings generally don’t include identified details.
 Even if do, would be known to webmaster (so not new).
 Anyway get subject’s agreement on webform.
 Why Claims are Wrong:
 Personal data covers identifiable not just identified data.
 Need to look at all means reasonably likely including use of
“additional information” (GDPR, Recital 26).
 Very simple means will identify including fact of deindexing.
 Finally, agreement not consent as tie to exercise of fundamental
right is clearly not “freely given” (GDPR, art. 4(11)).

6. Overriding Legitimacy of Notification?
 Focus has been on finding (another) ordinary legal basis.
 But purpose limitation principle (GDPR, art. 5(1)(b); 6(4))
most critical as data collected for a very particular purpose.
 Also may need to consider:
 Special legal basis where sensitive/special data (Ibid, art. 9-10)
 Data transfer legal basis where trans-border flow (Ibid, Ch. V)

7. Purpose Limitation = Purpose Quality Plus:
Compatible
Processing
(art. 6(4))
Link between
purposes
Context of
Collection
Nature of data
Possible
Consequences
Safeguards

8. Context of Collection & Nature of Data
 Context of Collection (GDPR, art. 6(4)(b)):
 Means to exercise fundamental right (& discharge legal duty).
 Massive power imbalance.
 No genuine freedom of choice.
 Nature of Personal Data (GDPR, art. 6(4)(c)):
 May be sensitive/special e.g. if concern health, sex life or crime.
 Even if not then highly likely to be stigmatic and/or misleading.
 Furthermore, deindexing claim itself is clearly private.

9. Link between Purposes? Core Purpose
 Purpose of notification is not defined.
 But webform (from Sept. 2015) implicitly suggests core purpose
is to help ensure deindexing decision correct.
 Would appear to be strong link with initial purpose but:
 Is this legitimate where ex post rather than ex ante?
 Is this credible where blanket notification – shouldn’t Google show
that necessary and proportionate case-by-case?
 Even where valid, would still need safeguards to protect
from adverse consequences.

10. Link between Purposes? Other Purposes
 At least some webmasters may desire to use data to:
 Exact revenge on data subject.
 Damage reputation of data subject.
 Publicize nature of deindexing decisions.
 With exception of safeguarded research, clearly not compatible:
 No positive link with initial purpose at all.
 Likely to directly undermine chances of data “sink[ing] into oblivion”.
 May even result in re-indexing of material.
 Wave of new publicity likely worse & may well chill use of right.
 Unfortunately, plenty of evidence of such processing eventuating with
clear adverse consequences for data subjects.

11. Webmaster notification  New Publicity

12. Appropriate Safeguards (GDPR, art. 6(4)(e))?
 Purpose limitations must clearly be specified to webmaster and
disclosure only following legal agreement to abide by these.
 Given risk of grave & irreparable damage must also consider specific
measures to counter deliberate disclosure.
 Suspension of cooperation for period may work for big players such as
the BBC and Facebook.
 Small players e.g. amateur blogs present greater challenge.

13. Ordinary Legal Basis for Processing (art. 6(1))
 In principle additional to compliance with DP Principles but
GDPR Recital 50 states that if purpose compatibility satisfied
then no “separate” legal basis required, although “rights,
including the right to object, should be ensured”.
 Two possible bases have been mooted:
 “necessary for compliance with a legal obligation”
 “necessary for legitimate interests … except where … overridden”
 Both flag requirement that disclosure necessary.
 Second basis would also trigger right to object – must take
into account opposition & show really compelling grounds.

14. Special Legal Grounds for Processing
 Deindexing claim may well be sensitive data e.g. if it concerns a
health or sex life matter.
 This triggers a default prohibition.
 Claim clearly not made public & processing not with consent.
 Must therefore rely on ̒public interest̕grounds:
 Criminal-related data (also special data) likely governed similarly.
“ necessary for the establishment, exercise or defence of legal claims”
(GDPR, art. 9(2)(f))
“ necessary for … research purposes or statistical purposes … based on Union or
Member State law which shall be proportionate … and provide for suitable and
specific measures to safeguard” (GPDR, art. 9(2)(j))

15. Legal Grounds for Data Transfers
 Webmaster disclosure will often be to controller based overseas.
 Unless State deemed “adequate”, then default prohibition.
 In principle may also be lifted where:
 But Google has obligation to choose least derogatory option:
 Should therefore generally make use of Commission’s standard
contractual clauses (GDPR, art. 46(2)(d)).
“ necessary for the establishment, exercise or defence of legal claims”
(GDPR, art. 49(1)(d))
“ the controller or process should make use of solutions that provide data subjects
with enforceable and effective rights as regards the processing of their data in the
Union” (GDPR, recital 114)

16. Notification Obligations under DP
 Google has suggested two specific provisions require it to disclose.
 Article 19 (modified from DPD) flows generally from erasure etc.:
 Article 17(2) instantiates GDPR’s new “right to be forgotten”:
“Where the controller has made the personal data public and is obliged
pursuant to paragraph 1 to erase the personal data, the controller … shall
take reasonable steps … to inform controllers which are processing the
personal data that the data subject has requested the erasure by such
controllers”
“The controller shall communicate any rectification or erasure or personal
data or restriction of processing carried out in accordance with Article 16,
Article 17(1) and Articles 18 to whom the personal data have been disclosed,
unless this proves impossible or involves a disproportionate effort.”

17. Why Webmaster Notification not Obligation
 Narrow Argument:
  Article 19 as webmasters are source not recipient of data.
  Article 17(2) as webmasters not search engines make public.
  Article 17(2) only triggered where subject requests action.
 Middle Argument:
 Deindexing is best seen as exercise of right to object (art. 21).
 Broadest Argument:
 These “right of the data subject” are all aimed at protecting
autonomy and safeguarding this individual.
 Other actions always “disproportionate” (art. 19) & not a
“reasonable step” (art. 17(2)) in context.

18. Other Forms of Disclosure
 Disclosure to Lumen/Chilling Effects:
 Clear Google discloses personal data as regards removal under
defamation, civil/traditional privacy.
 States likely to so in the future as regards deindexing.
 Disclosure to End Users:
 Information on deindexing has been largely generic.
 But individualised disclosure including via link to Lumen
resorted to for defamation, civil/traditional privacy etc.

19. Other Forms of Disclosure: Legal Analysis
 Disclosure to End Users:
 Directly undermines rights & so violates purpose compatibility.
 Unlikely legitimate interest in receipt & certain not overriding.
 Shouldn’t matter if rights are in defamation, civil privacy or DP.
 Disclosure to Lumen/Chilling Effects:
 States is an “independent research project” – may be questioned!
 Scientific research can in principle satisfy purpose limitation.
 But subject to legal grounds and “appropriate safeguards”
which rule out (negative) measures against data subject.
 Google’s disclosure & Lumen’s processing clearly fails these
safeguards.

20. Conclusions
 Google’s blanket webmaster notification unlawful, as is
disclosure of personal data on removals to Lumen & end users.
 Targeted notification can be lawful where:
 Purpose of better resolving claim and/or scientific research.
 Processing is reasonably necessary (and strictly if objection or
special data).
 Effective measures taken to prevent re-purposing (& further
protect subject where international transfer).
 Current disclosure practices are a serious threat to the Google Spain
ruling and so resolving this should be a priority for EDPB & EU DPAs.