On 6 June 2024, the Italian supervisory authority ('Garante') published its opinion that the Wikimedia Foundation, Inc ('Wikimedia'), a US-based non-profit which hosts the free-to-use encyclopaedia website Wikipedia, was not in violation of data protection laws for refusing a request to delete an article published on Wikipedia which contained an individual’s personal data.
The complainant, an individual, alleged that Wikimedia violated data protection laws as it disseminated their personal data (including the individual’s name, age, surname, nationality and role held) via an online article on Wikipedia without authorisation. The complainant requested that Wikimedia remove the article from the public forum, or implement remedial measures to make the article inaccessible to the public through search engines.
Wikimedia argued that, although it accepted that the GDPR applied to Wikimedia for the purposes of processing personal data in relation to its users’ accounts, the complaint should be dismissed on the basis that Wikipedia was a “neutral host” of information (given that it is an online forum which operates on the basis of a community of volunteer editors), and that Wikipedia, and by extension Wikimedia, did not therefore offer a service to users in the EU under the scope of the GDPR.
With respect to the question of applicability of the GDPR, the Garante concluded that the GDPR applies. The Garante determined that the Wikipedia website provides a service of disseminating information to users in the EU (since Wikipedia is offered to users in a number of member states). Further, the Garante considered that Wikimedia’s action in addressing and verifying Wikipedia content constituted evidence that Wikimedia carries out intermediary work, and is therefore involved beyond merely organising the publication of content from its community of volunteers.
With respect to the question of compliance, the Garante rejected the complainant’s request for erasure on the basis that the processing by Wikimedia was for journalistic purposes. In doing so, the Garante confirmed that processing personal data for journalistic purposes is lawful so long as it respects fundamental rights and is in the public interest. The Garante noted that the complainant did not provide any evidence or explanation of infringement of his fundamental rights and so concluded that the processing was in the legitimate interest of users (to exercise their rights of freedom of expression and access to information, which, if removed, could in some cases compromise historical research).
The Garante did, however, require Wikimedia to de-index the article, on the basis that it was not in the public interest to justify continued availability of the article outside the Wikipedia archive, given that the personal data involved in this case related to criminal convictions which were outdated (and which were not included on the complainant’s criminal record).
The newsletter is available here, and the decision here (both in Italian only).