What to do when a loved one has passed away and some degrading and/or intrusive written content, images or videos are posted on the internet, in relation to his or her death?
How can the friends, family and heirs of such dead person re-establish an appropriate image and reputation of the deceased, on the virtual Far West that is the world wide web? How can one remove links about dead people from Google?
De-linking or de-listing: general facts and process
1.1. What is de-linking or de-listing?
De-linking, also called delisting, is the process of removing links to certain written/audio/video/photographic content available on the internet (the “Content”), from the results computed by search engine service providers, after some particular key words were set out in the search bar tool of such search engines. This is how to remove links about dead people from Google.
De-listing is a service which Google, as well as other search engines, can provide, either of its own accord, or after it has been forced to by court order.
De-linking must not be confused with the action of removing content from the internet by directly contacting the webmasters of the original websites which set out the Content.
Google being a search engine, it merely lists search results, and enables access to clickable links to the websites related to the key words one has entered into its search bar. Google, unlike webmasters of original websites, has no control over the content of the webpages which links it proposes to display. Thus, it would be useless to ask Google to have information removed from a webpage set out on a third party website.
1.2. What is the purpose of delisting?
Google is, by far, the most popular search engine in the world.
According to Net Marketshare, Google occupies 80.52% of the global search engine market. Most people rely on Google to find the Content they are looking for and to access web pages that interest them.
Therefore, simply having Google delist a URL link from its rankings makes that Content much harder to find by web users. The Content will be nearly impossible to find by accident, and still quite hard to find even when looking for it specifically.
1.3. How to send delisting requests to Google?
While there is no legal obligation to do so, it may be wise to, as a first step of the de-linking process, contact the webmasters of the third party websites displaying the Content you would like to have removed.
In most cases, this step is unfortunately frustratingly ineffective since many webmasters and websites’ publishers will either not even reply or refuse to remove the Content in question from their website.
If you have attempted to contact the webmaster and publisher of the third party website in vain, your next step would then be to make a request to the search engine Google to have the URL links, linking to the infringing Content, removed from its search listings, so that, even though the Content remains on the internet, web users will not find it using Google search engine, Google Images, Google advance search or Google alerts.
If you have decided to not contact the webmasters and publishers of the Content directly first, as is your right, your first step would be to contact Google and request the removal of those links, as explained above.
While it is possible to exercise your right with search engine operators like Google using any adequate means, Google has made this relatively easy for you.
So, how to remove links about dead people from Google? Google created and listed some forms online, which can be filled out from its website.
There are two different Google forms:
- the “search removal request under data protection law in Europe” form : this form enables you to fill out a request to have Google delist information under European data protection laws. This form can be used by any European. However, a European living outside of Europe may not be able to use this form, according to Google’s guidelines.
- the “remove information from Google” form: this form allows you to fill out a request to have Google remove information concerning you from its search results, more generally. It is destined to European residents as well as non-European residents.
These forms require you to give the following information:
- the full name of the person whose data you want removed;
- your full name, if you are acting on behalf of someone else;
- your relationship to the person whose data is the object of the Google delisting request (for example, “parent”, “attorney”, etc.);
- a contact email address;
- the country under which law the request should be examined;
- the URLs you wish to see deleted from Google’s listings;
- some written explanations setting out why you want these URLs to be delisted (limited to approximately 500 characters, which, in practice, allows you to give very little explanation) and
- a scanned copy of the proof of identity of the person whose data you want removed.
1.4. Rates of success of delisting requests
Google deleted 345 million URL links in 2014, 558 million URL links in 2015 and 908 million URL links in 2016.
Although the number of deleted links has increased drastically from year to year, so has the number of delisting requests.
By March 2016, Google had received over 400,000 demands, examined over 1.4 million URL links, and removed 42.6% of the URL links for which they had received delisting requests.
However, the rate of deletions, compared to the number of demands, is now decreasing.
Is this because more and more people are making unreasonable delisting requests and/or because Google is becoming tougher in its selection process of those URL links that should be delisted?
2. Regulatory framework in Europe: the most “data subjects friendly” in the world
Regulations on data protection are, in the European Union, drafted by each member state separately, as of the date of this article.
2.1. The Costeja CJEU decision: the right to be forgotten established in the EU
This decision is a judgment from the Court of Justice of the European Union (“CJEU”), adopted on 26 November 2014, commonly referred to as the “Right to be forgotten” ruling.
This groundbreaking judgment recognises that search engine operators, such as Google, process personal data and qualify as data controllers within the meaning of Article 2 of Directive 95/46/EC.
Pursuant to the provisions of Directive 95/46/EC, data subjects shall be able to request delisting of URL links to Content deemed in breach of their fundamental rights (i.e. rights to privacy and to the protection of personal data).
The CJEU ruling recognises that a data subject may “request (from a search engine) that the information (relating to him/her personally) no longer be made available to the general public on account of its inclusion in (…) a list of results”. The Court then forces search engines such as Google to remove, when requested, URL links that are “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed.”
If the search engines do not grant such delisting requests, data subjects may file a complaint with the European Data Protection Authorities (“DPAs”), or the relevant judicial authority, of their respective European states. The DPAs will then examine the complaint, relating to the refusal or part-refusal to de-list the Content, using a list of common criteria. Indeed, a first analysis of the complaints so far received from data subjects whose delisting requests were refused by Google and other search engines, has enabled DPAs to establish a list of common criteria to be used by them to evaluate whether data protection law has been complied with. DPAs will assess complaints on a case-by-case basis, using criteria such as:
- Does the search result relate to a natural person – i.e. an individual? And does the search result come up against a search on the data subject’s name?
- Does the data subject play a role in public life? Is the data subject a public figure?
- Is the data subject a minor?
- Is the data accurate?
- Is the information sensitive within the meaning of Article 8 of the Directive 95/46/EC (i.e. it has a greater impact on the data subject’s private life than ‘ordinary’ personal data, such as Content about a person’s health, sexuality or religious beliefs)?
- Is the data up to date? Is the data being made available for longer than is necessary for the purpose of the processing?
- Was the Content intended to be made public? Could the data subject have reasonably known that the Content would be made public?
- Does the data relate to a criminal offence?
The CJEU ruling was received, in particular in Great Britain and the USA, with criticism. A New York Times editorial stated that it “could undermine press freedoms and free speech.”
The Article 29 Data Protection Working Party, an Independent European advisory body on data protection and privacy, has analysed the CJEU judgment, and written some comprehensive guidelines to implement it. One of the most important points of these guidelines drafted to implement the CJEU ruling, is that when it is ruled that URL links should be removed from a search engine, or when a search engine accepts to remove URL links, the effect of this de-linking should be effective world wide, and not be limited only to the country extension (i.e. EU domains) where the demand was made. In practice, this means that in any case de-listing should also be effective on all relevant domains, including “.com”.
The CJEU decision is a huge step forward for personal data protection in Europe, since it reinforces a person’s right to control access to her personal data on the internet, and puts in place an acknowledged “right to be forgotten”.
So, how to remove links about dead people from Google? The CJEU ruling only relates to the protection of data and privacy of the living. Indeed, it specifies that the delisting request must be made by the person whose data is being displayed on the internet.
2.2. General Data Protection Regulation
The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, entered into force on 24 May 2016 and shall only apply from 25 May 2018 (“General Data Protection Regulation” or “GDPR”).
The GDPR enshrines in law the right to be forgotten set out in its Article 17. In compliance with its overarching goal of enabling data subjects to take control of their own data, the GDPR sets out the right to erasure (“right to be forgotten”) which will enable data subjects to request data controllers (including search engines such as Google) to delete their data, if there are no legitimate grounds for their retention.
The innovation in the GDPR, compared to the existing regime set out in Directive 95/46/EC, is that currently data subjects only have the right to seek a court order to cease the data processing, when the latter causes damages, while the GDPR enables data subjects to bypass expensive and lengthy court intervention, by settling the issue directly with the data controller (including any search engine).
Since a data subject is broadly defined as “an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” in the GDPR, it is worth checking whether such definition encompasses both living and dead persons.
In its “Considering 27”, the GDPR gives each member state the choice to extend the protection to dead people, or not. It sets out that “this Regulation does not apply to the personal data of deceased persons. Member states may provide for rules regarding the processing of personal data of deceased persons”.
Consequently some EU member states, such as France, chose to include the deceased in the definition of natural persons to whom the provisions of the GDPR will apply, while others, such as the United Kingdom, explicitly exclude the deceased from its rules (see below).
In this context of an imminent Brexit, and according to the UK DPA, which is called the Information Commissioner Office (“ICO”), “the GDPR will apply in the UK from 25 May 2018 as the government has confirmed that the UK decision to leave the EU will not affect the commencement of the GDPR”, although there are still questions as to how the GDPR will apply once the UK leaves the EU.
Since the GDPR came into force in May 2016, most EU member states have already started to adapt their own internal regulations so as to conform to it.
2.3. UK Data Protection Act 1998
The Data Protection Act 1988 sets out the law relating to the protection of personal data in the United Kingdom.
It however clearly states, from the outset, that it does not apply to data of deceased persons. Indeed, in its Part I “Basic interpretative provisions”, the Data Protection Act 1998 states that ““personal data” means data which relate to a living individual who can be identified”. This therefore excludes dead people.
The Data Protection Act 1998 will probably not be amended in the future, since the GDPR allows member states to limit their data protection laws to the living.
Therefore, the Data Protection Act 1988 and the UK DPA, the ICO, offer no solution for, or protection to, people wanting to see hurtful Content and links about their deceased family members, removed from search engines such as Google.
2.4. French “Loi informatique et libertés”
The French “Loi n°78-17 of 16 January 1978 relating to IT, databases and freedoms”, commonly referred to as “Loi informatique et libertés”, is way more sympathetic towards family members and/or friends of a dead person facing such situation. Indeed, it sets out a whole section dedicated to deceased people.
The “Loi informatique et Libertés” was amended by the law n°2016-1321 of 7 October 2016, to take into account the new set of rules resulting from the upcoming GDPR.
Firstly, Article 40 of this law allows natural persons to request that a data controller modify personal data relating to them. This personal data can be rectified, completed, updated, locked or deleted if it is inexact, incomplete, equivocal, outdated, or if its collection, use, communication or conservation is forbidden.
Natural persons are therefore given a large amount of control over their personal data on the internet. However, the “Loi informatique et libertés” goes beyond, by granting rights over personal data relating to deceased persons.
Indeed, Article 40-1 of the “Loi informatique et libertés” sets out that “any person can set some guidelines relating to the conservation, withdrawal and communication of her personal data after her death”. Moreover, “when no such guidelines have been drafted by someone, his or her heirs can access personal data processors relating to such dead person, in order to identify and obtain communication of such data”. One of the advantages of this law is that it allows a person to give instructions as to what should be done with her personal online data after her death. The person can decide in advance the deletion, conservation or communication of her personal data after her death. It also gives rights to the person’s heirs to act even when the deceased person has left no instructions. Part III of this same Article 40-1 enables heirs of a deceased person to have data controllers take into account the death of this person, and to, in this respect, oppose the processing of the deceased person’s data, and to have such personal data removed or modified or updated.
So, how to remove links about dead people from Google? If Google refuses to grant the request to de-list some URL links that link to web pages setting out some infringing Content about a dead person, it may be well worth complaining to the French DPA, the “Commission Nationale Informatique et Libertés” (“CNIL”), that Google breached the provisions of the “Loi Informatique et Libertés”. As long as the search engine has a subsidiary in France, the CNIL will confirm that it is competent to examine such complaint made by an heir of the deceased person, even though such heir or deceased person are not French residents.
3. Regulatory framework in the USA: no protection for dead people so far
3.1. Basic regulations
In the USA, specific regulations vary from one state to another, but, there is a very clear common trait, in relation to data protection, which is that freedom of speech (i.e. the first amendment of the US constitution), outweighs a person’s right to control their own personal data.
With this in mind, it is clear that, when the personal data in question is that of a deceased person, the balance between privacy and freedom of speech is even more skewed towards the latter, in the USA.
3.2. The Nicole Castouras case
This outlook became entirely visible in the Nicole Castouras litigation case, which took place in Orange County, California, between 2006 and 2012.
Nicole Castouras, 19 years’ old, died on 31 October 2006, crashing her father’s Porsche, which she was not allowed to drive, into a concrete toll booth near the Alton Parkway interchange on the 241 Toll Road in California. Pictures of her dead body were leaked by the California Highway Patrol, the law enforcement agency in California which has patrol jurisdiction over all California highways and can also act as the state police. Those photographs were so gruesome they sparked an unhealthy curiosity from the general public and reposted thousands of times on the internet, going viral.
Nicole’s parents then started an extremely expensive and protracted legal battle, against search engine Google and the California Highway Patrol, which lasted for years. The Castouras family lost the case against Google, further to requesting that the search engine de-link the articles and Content containing the images. Their only victory was to reach a settlement with the California Highway Patrol, under which the family received around USD2.37million in damages, caused by negligence and intentional infliction of emotional distress.
How to remove links about dead people from Google, when based in the USA? As the right to be forgotten CJEU ruling and the GDPR provide that the delisting of the infringing URLs must be done on all domain name extensions, including the .com domain name, and although Google does not comply with this rule for the time being (see below), it may be worth for heirs of a deceased US citizen to file a complaint against Google with the French CNIL, as long as the infringing Content about the dead person is visible from France, on the internet.
4. The effects of a successful de-linking request
4.1. Only the URL links are de-listed from Google, the Content is not deleted
If Google accepts your request to have links removed (or if it is forced to do so by a DPA or by court order), this does not mean that the Content, to which those links lead, will be removed from the internet. The Content will remain exactly as it was, and you will still be able to find it on the world wide web.
However, this does not mean that it is useless to file delinking requests with Google. Delinking remains useful, since it makes the Content much harder to access and find. Indeed, delinking means that you will not be able to find the Content by looking for it on Google, since Google will have removed the URL links from its search results. It also means that members of the public who do not know about this Content that you want to hide, will never stumble across it while casually browsing the web.
Therefore, even though the Content remains online, only people who already knew about it and are prepared to spend a significant amount of time and resources to access it, will be able to find it, as they will need to go out of their way and use a search engine other than Google, to access the Content.
Of course, you may file several delisting requests with as many search engines as you want, not only Google. They will all have to comply with the case law set by the CJEU ruling and with the provisions of the GDPR on the right to be forgotten, by either granting such delisting requests, or by replying to you and explaining why they refuse to do so.
4.2. Country-specific/geolocalisation: a country specific limitation so far
For now, granting de-linking requests remains country-specific. That means that if Google has accepted, or was forced by court order to remove URL links, and that the delisting request was made in France, then only if you search on the French Google extension “Google.fr”, will you not be able to find those links. Indeed, if you take the time to also check “Google.com”, or any other country extension, then you will find the URL links to the Content. This means that the links will not be found by accident anymore, but they will still be easily available to members of the public actively searching for them.
The above-mentioned Article 29 Data Protection Working Party, the European working group that wrote guidelines for the implementation of the Right to be forgotten CJEU ruling, set out in its guidelines that the de-linking should be effective on all Google extensions, including “Google.com”. However, Google still refuses such interpretation of the CJEU judgment, explaining that less than 5% of European searches are made from “Google.com” and that Google automatically directs internet searches to local extensions. Therefore, by simply removing the URL link from a European country extension, it was already avoiding nearly all accidental findings of the link in question, according to Google. Google further went on saying that the people finding the URL link were those who were actively looking for it anyway, and would have ended up finding it by using for example another search engine if they had continued their search.
4.3. CNIL’s action against Google: a forward-thinking approach
This standoffish approach taken by Google, in relation to the narrow geographical restriction of the delisting process of the URL links to the infringing Content, did not go down well in Europe.
On 10 March 2016, after several cease and desist letters and an aborted attempt to settle this amicably, the French CNIL sentenced Google to a fine of 100,000 euros for breach of the provisions of the Directive 95/46/EC, the provisions of the “Loi informatiques et libertés” and the CJEU judgment on the right to be forgotten. Specifically, the CNIL pointed out that Google had to de-list the URLs on all country domain extensions, including “Google.com”.
CNIL made two major points in its decision:
- Google’s search engine services constitute a single data process and that its geographic extensions cannot be considered as separate data processing. Indeed, the company initially only exploited « .com » and gradually added extensions for each country to provide more adapted services to each country and national language.
- Therefore, in order for French residents’ right to have URLs concerning personal data delinked properly complied with, the delinking must be applied to all Google country extensions.
Google swiftly appealed the publicly published CNIL decision by filing a summary request before the French “Conseil d’Etat”. A decision from the “Conseil d’Etat” is expected to be handed over during the second quarter of 2017, so watch the space!
5. The best strategy to obtain the de-listing
How to remove links about dead people from Google?
Different countries across Europe have different policies concerning data protection.
If you are a resident or national of an EU member state, then it is worth taking a look at the personal data protection rules in force in other member states, in order to do some forum shopping.
If you are a resident or national of the USA however, your best strategy is not to try to beat Google in court, in the USA, as you will in most cases undoubtedly fail. The most sensible approach is to aim for the person or legal entity who leaked the personal data and information in the first place, if this is applicable to your case, in order to obtain damages from them.
5.1. The best strategy is to escalate your request through the French Data Protection Authority, the CNIL
As we have seen above, the French personal data protection regulations are among the most protective in the world, in particular for the personal data of dead people. That is why it is worth going through the French DPA, the CNIL, to have URL links removed, rather than through, say, the UK DPA, even for a UK resident.
In any case, before contemplating filing a court case, it is cheaper and wiser to first file a complaint with the CNIL. The complaint process with CNIL is free, and quite easy to undertake since it can be done entirely online. Furthermore, their website also has an English version, making the process much easier for nationals of another country.
The complaint can be filed online, on the CNIL website. You will need to fill out a form with your personal information, and then upload a copy of your Google request, a copy of Google’s refusal message, as well as any material that can back up your complaint. There is also space for any explanations you wish to send CNIL for their examination. The filed complaint will then be distributed to a CNIL examiner, who has two months to start examining Google’s refusal and your complaint.
CNIL examines your request according to French law. This is why your chances to succeed are way higher by going through the CNIL than through the ICO, especially if you want to de-list URL links about a deceased person.
Furthermore, the CNIL has already showed its effectiveness (and robustness) against Google, for example when it inflicted a 100,000 euros penalty against Google, as described above.
5.2. Take incremental steps: removal request, escalation to CNIL and, as a last resort, lawsuit with French court
Firstly, you must have already received a refusal from Google to remove the links to start the escalation process.
And before you make a delisting request to Google, it may be wise (but by no means a statutory obligation) to attempt to contact the webmasters of the websites setting out the infringing Content, as these publishers may decide to simply remove it.
The reason you need to first file a delisting request with Google and wait to receive a refusal, is because the CNIL reaches out to Google to know its reason for refusing to delist the Content, and then assesses whether Google was in its right or not to refuse.
If the complaint process before the CNIL fails (or even instead of going before the CNIL), it is possible to take the matter to French courts. However, it is advisable to start with a complaint request filed with the CNIL, since the process is free (unlike court action) and shorter than a law suit.
Article 79.2 of the GDPR sets out that proceedings against a data controller, such as Google, can be brought before the courts of the EU member state where the data controller or processor has an establishment. Google has an establishment in France: its subsidiary, Google France. Therefore, citizens of other EU member states can file a lawsuit in France, against Google, in order to enforce their right to be forgotten, or that of their close deceased. This however, will only be an option for UK citizens as long as the United Kingdom is a EU member state. After the completion of Brexit, UK citizens will no longer be able to enforce their right to be forgotten in France, unless appropriate bilateral agreements between the EU and the UK are put in place.
The advantage of starting legal proceedings in France, to enforce one’s right to be forgotten, is that French law will apply pursuant to Article 82.6 of the GDPR which sets out that the applicable law is that of the country whose courts the proceedings were brought before. This is good news for data subjects, since French law is much more favourable to data protection than UK regulations, in particular in relation to the right to be forgotten of dead people.
Alix de la Tour and Annabelle Gauberti
Tel: +44 20 3318 9603
-- Download as PDF --