Update | Wikipedia must also comply with the GDPR: this has been established by the Italian Data Protection Authority
Does Wikipedia have to comply with the GDPR and privacy rules? The Italian Data Protection Authority (‘Garante‘) recently expressed its views on the concepts of de-indexing and deletion of a news item related to a judicial matter dating back to 2017 published on a webpage of Wikipedia, the well-known online encyclopaedia.
The issue originated from a complaint by an individual who complained about the failure to remove, from the Wikipedia webpage referred to him, a plea bargaining sentence that had seen him charged with the crimes of sexual assault and possession of child pornography.
The complainant, in particular, had sent a request to the Wikimedia Foundation Inc., creator of the encyclopedia (“Foundation”), for access to his personal data and the removal of the biographical article related to him, or alternatively, the adoption of technical measures to deindex the article from search engines based on the assumption that the public had already become aware of the news and that its continued online presence had caused reputational damage to him with repercussions on his family relationships and social life.
The Foundation, despite having promptly contacted the interested party, defended itself by arguing that the GDPR did not apply to the present case since Wikipedia only hosts information entered by the community of volunteers but does not offer a service.
In reality, the Foundation provides, through the Wikipedia site, information services on a wide variety of topics, also aimed at the European market, regardless of the fact that they are free of charge. Therefore, given the Foundation’s intention to also target the European market, the Garante clarified that the Foundation is fully subject to the application of the GDPR, despite not having an establishment in Europe (but having appointed a European representative).
The Garante, in its decision, drew a line between the deletion of the article and its deindexing from search engines.
Indeed, on the one hand, with reference to the deletion, it pointed out that:
- the data processing was carried out, at the time of the news publication, in the exercise of the right to freedom of expression and was in response to the public’s interest in knowing the facts;
- retaining the article in the website’s archive serves a legitimate purpose of historical-documentary interest;
- a website’s archive, like that of an online newspaper, plays a role in reconstructing historical events, especially when they concern people who play a certain role in public life.
As for the request for deindexing, the Garante found the complaint to be justified, giving the Foundation a period of forty days to take steps to make the news item non-searchable online (for example, through the application of the “NOINDEX” metatag), as there are currently no reasons of public interest in the news’s discoverability.