TOPICS: Data Protection, Right to be Forgotten, Google, CNIL, ECJ, France, EU
The European Court of Justice ("ECJ") has published its rulings in two prominent cases addressing the scope of "the right to be forgotten" under EU privacy laws. Both cases involved Google and the French National Commission on Informatics and Liberty ("CNIL").
The right to be forgotten was based on the ECJ's interpretation of the previous Data Protection Directive in a 2014 case involving Google. The right, which was later implemented in the General Data Protection Regulation ("GDPR"), enables European data subjects to request the erasure and removal of all their personal information under certain conditions.
The first case stems from the CNIL's decision regarding Google's application of the right to be forgotten on a global basis. In 2015, CNIL requested Google to globally delist search results containing personal information which was subject to the right to be forgotten requests from its search engine. Google removed the links only from its European domain names, but refused to delist the search results from domain names available outside of Europe. In response, the French regul
Earlier this year, Google won the support of the ECJ's Advocate General (AG), in a nonbinding recommendation delivered to the ECJ. The AG claimed that the right to be forgotten should be limited to Europe only.
In its decision, the ECJ ruled that there is no obligation under EU law for search engine operators to delist search results which are subject to the right to be forgotten in all of their domains upon a de-referencing request from a data subject or regulatory body. Upon a justified request, the operator must delist the results for all European domains only. The ECJ emphasized that the internet is a global network without borders, and although the delisting of all references from all domain names will meet the objectives of the right in full, it should be recognized that various countries did not acknowledge the right to be forgotten.
The second case focused on a dispute between four French data subjects and Google and CNIL, after both the tech giant and the French regulator refused a request to delist sensitive information from Google's search engine. According to the ECJ's decision, the restrictions and prohibitions on the processing of special categories of personal data, specifically when the data subject's consent to such processing was revoked, apply to operators of search engines as any other processor or controller. Upon the data subject's request, a search engine operator must delist results leading to a web page containing sensitive personal information (such as health related information or information on political view of an individual), even if such data was not erased beforehand by the web page. In some circumstances, the operator may refuse to accede to a request for delisting. Such refusal can be made when it establishes that the relevant links are covered by the exceptions listed in the GDPR (and the previous Directive), or where it deems that there is a substantial public interest and the links are necessary for exercising the right for freedom of information.
We would be happy to advise our clients on the practical implications of the new ECJ decisions on the implementation of data subjects' rights under the GDPR.
This update was published as part of our Technology & Regulation monthly client update. To read more about HFN's Technology & Regulation Department, click here.