The Italian Data Protection Authority grants the right to be forgotten in the event of a criminal conviction
With judgement no. 153 of last July 24, the Italian Data Protection Authority (DPA) ruled on the matter of the right to be forgotten and upheld a claim against Google LLC, brought by a citizen involved in a criminal proceeding.
The applicant had sought an order against Google to remove two URLs, resulting from a keyword search carried out using his name. Those URLs, in fact, linked to web pages containing articles on a criminal proceeding that had resulted in a conviction, in which the claimant himself had been involved in 2010. The applicant claimed lack of a current public interest in the knowledge of the information, considering that the case had long since ended and, in the meantime, he was rehabilitated. In addition, the applicant highlighted that he did not hold any public office such as to justify the availability of such information on the Internet. On the contrary, the persistent availability of obsolete information on the Internet was causing harm to his personal and professional reputation, since he was no longer being investigated or charged with those facts.
Google replied that, in the case in question, the conditions for the exercise of the right to be forgotten, pursuant to Article 17 of EU Regulation no. 679/2016 (“GDPR”), had not been met. According to Google, in fact, the information was significant, as it concerned particularly serious crimes, was not obsolete since the judicial case had only ended in 2013, and was of public interest because the crime concerned the same business activity carried out at the time of the claim.
The applicant maintained that the information was not of interest, because the business activity carried out at the time of the claim concerned the production and sale of goods other than those in relation to which the penalty had been applied back then.
By granting in full the applicant’s requests, the DPA pointed out that under Italian law offenders’ rehabilitation, aimed at social reintegration, does not extinguish the crime, but removes accessory penalties and other criminal effects of the conviction. This circumstance, together with time passed since the occurrence of the facts, implied that the further processing of the claimant’s data by Google LLC, “realized through the persistent availability of the disputed URLs on the network, resulted in a disproportionate impact on his rights, which were not balanced by a current public interest in knowing the information (…), also taking into account that the aforementioned articles were not updated with regard to subsequent developments thereof (…)”.
The Authority therefore upheld the application and ordered Google to remove the URLs within 20 days.
In the decision commented on here, the Authority also recalled the 2014 Guidelines of the Article 29 Working Party[1] which, in order to ensure full protection to the right to be forgotten, recommended the deletion of the URLs from all relevant domains (both European and non-European), and noted that informing users that the list of search results is not complete due to a privacy decision is an acceptable practice only if it does not allow users to identify the individual who requested the deletion of the relevant URLs.
[1] Independent European advisory body competent in matters of data protection, replaced by the European Data Protection Board (EDPB) after the entry into force of the GDPR.