With the Provvbuilding April 24, 2024, n. 247 (text below) The Guarantor for the protection of personal data intervenes on the issue of the removal of content from a website that has been inactive for years.
1. The right to be forgotten
As is known, the cd right to be forgotten of which in theart. 17 of EU Regulation 2016/679 (GDPR), is configured as a sort of right to the cancellation of one’s own personal data in a strengthened form. In other words, a right to be forgotten.
From this right naturally follows an obligation, that for the owners who have published the personal data of the interested party and recipients of the exercise of the right to be forgotten to provide – if the circumstances exist – for the cancellation.
Among the conditions that justify the exercise of the right in question, the GDPR, to theart. 17, par. 1, lett. a)indicates the case in which the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
This condition takes on particular relevance in the world of journalism and blogs, especially those that deal with judicial news, since in such cases it is presumable that the passage of a considerable period of time with respect to the publication of the news may give rise to the interest in requesting and obtaining cancellation. The goal is naturally to no longer see one’s name associated with past events on the web.
However, doubts may arise as to whether the duty to provide for the privacy protection on a website may also be imposed on the owner and manager of a portal that has been inactive for several years, just as could be required of the manager of a fully active site.
On this point, the Privacy Guarantor intervened in a recent case, providing interesting insights and clarifications.
2. The facts
In February 2023, the Data Protection Authority received a complaint filed pursuant to theart. 77 of the Regulation with which an interested party asked the Authority to order the managers of two different websites and a blog to remove various articles, some of which referred to legal cases involving him and which had concluded some time ago, also highlighting the difficulty of exercising his rights given the encountered impossibility, for various reasons, of contacting the aforementioned managers.
As for the blog, following the investigations carried out by the Guarantor, it emerged that it had been removed and therefore the contested article was no longer visible either. Consequently, the very conditions for the continuation of the proceedings before the Guarantor no longer existed.
The situation is different, however, for the other two websites that were the subject of the complaint. In this case, in fact, the Guarantor had managed to identify the managers, to whom a request for clarification was therefore sent regarding the facts complained of in the complaint, also inviting them to make themselves available to accept the complainant’s requests.
A manager of one of the two sites wrote a memorandum in which he explained that the site had been opened around the year 2000 to continue the work of a well-known Milanese club created in 1985 by around one hundred founding members.
At the end of the club’s activity and of the monthly newspaper of the same name, in fact, it was decided to continue the activity on the web through the publication of articles, investigations and comments on corruption and mafia facts without any fixed periodicity.
The publishing activity then continued, in an increasingly sporadically manner, until 2015, the date of the last access to the site, so much so that none of the founders remembered the access credentials, but they nevertheless made themselves available to trace them with the help of an IT technician.
Finally, in October 2023, one of the managers communicated to the Guarantor that it had removed the disputed article from the website.
3. The arguments of the Privacy Guarantor
Preliminary to the arguments on the merits, the Guarantor starts from the indispensable activity of balancing the interests at stake and the role that the legislation on privacy plays to this end.
In order to reconcile the right to privacy with the freedom of expression, the Authority specifies, “the legislation on the protection of personal data provides specific guarantees and precautions in the case of processing carried out for journalistic purposes, confirming their lawfulness, even when they are carried out without the consent of the interested parties, provided that they are carried out in compliance with the rights, fundamental freedoms and dignity of the persons to whom the data processed refers (see. artt. 136 e ss. e art. 102, comma 2, lett. a)of the Code) and provided that they are carried out in compliance with the principle of essentiality of information regarding facts of public interest (art. 6 of the “Deontological rules relating to the processing of personal data in the exercise of journalistic activity”, published in the Official Journal 4 January 2019, no. 3, web doc. no. 9067692)”.
As for the merits, while for one site it was possible to confer with the manager, with reference to the other the Authority did not have any feedback, therefore, despite the investigations conducted, it was not possible to follow up on the complaint, noting, however, that the matter was pending with the judicial authority following a complaint filed by the complainant in relation to some hypotheses of crime, different from those pertaining to the protection of personal data.
The manager known to the Authority and discussed in the previous paragraph, had communicated that he had proceeded with the removal of the article indicated by the complainant, as well as having proceeded with the definitive closure of the website. Therefore, there were no grounds for the adoption of measures in this regard by the Authority.
However, the Guarantor notes, the aforementioned site did not contain any indication regarding the information regarding the data processing carried out by the publisher, as reported in articles 13 and 14 of the Regulation, starting from the identification details of the data controller and the contact details useful for the exercise of the rights by the interested parties.
This conduct was deemed to constitute a violation of the Articles 12, 13 and 14 of the Regulation.
The Authority has however taken into account the fact that the data controller, as soon as he was reached, had complied with the requests of the interested party, and there were no previous violations against him or against the site, which at the time of the Authority’s ruling was, as seen, already deactivated.
4. The decision
From the overall assessment of the elements that emerged, the Guarantor considered the application of the warning measure to be proportionate in the case in question.
More precisely, given that the website had been closed, there were no grounds for requiring the data controller to adopt suitable measures for the future. Furthermore, since the manager had eliminated the contested contents as well as the website itself, the grounds for adopting any other measures had ceased to exist.
However, the Guarantor considered that the site manager should still be warned for failure to comply with the provisions relating to the measures to be adopted to safeguard compliance with the principles of fairness and transparency in relations with interested parties, as well as those requiring the publication of information that meets the requirements set out in the Regulation.
What emerges from the decision is that if the manager had not proceeded with the cancellation of the articles that were the subject of the complaint, he could have faced further measures. It can therefore be considered that the prolonged inactivity of an information website does not exclude that its manager continues to have the duty to guarantee the rights of the interested parties in terms of privacy protection, on a par with active sites.
IN COLLABORATION WITH
>> Discover the Privacy Specialist Online Course by Altalex!
>> Discover the Online course on privacy protection and inspection activity of the Guarantor by Altalex!
Privacy Guarantor, Provision no. 247/2024