On September 24, 2019, the Court of Justice of the European Union (the “CJEU”) released its judgments in cases C-507/17, Google v. CNIL and C-136/17, G.C. and Others v. CNIL regarding (1) the territorial scope of the right to be forgotten, referred to in the judgment as the “right to de-referencing,” and (2) the conditions in which individuals may exercise the right to be forgotten in relation to links to web pages containing sensitive data. The Court’s analysis considered both the EU Data Protection Directive and the EU General Data Protection Regulation (“GDPR”).

Background

The CJEU previously held in its 2014 Costeja decision that individuals have a right to request, under certain conditions, that their personal data no longer be displayed by search engines in response to searches of the individual’s name. This is now recognized in Article 17 of the GDPR governing the right to be forgotten.

In the Google v. CNIL case, the French data protection authority (the “CNIL”) ordered that, in responding to such a request, Google must remove the links from the results on all of its search engine’s domain name extensions—meaning worldwide removal. Google refused to fully comply with the order. Instead, it limited removal to the results of searches made on domain names corresponding to EU Member States’ versions of Google’s search engine—in other words, removing results in the EU but not worldwide. Google also proposed a “geo-blocking” technique to strengthen its efforts to comply with the EU portion of the CNIL’s order. The CNIL found this to be an inadequate proposal, held that Google had failed to comply with the formal notice within the prescribed time limit and fined Google €100,000. Google appealed the decision before France’s Council of State (France’s highest administrative court). The Council of State decided to refer several questions relating to the territorial scope of the right to be forgotten to the CJEU.

In the G.C. and Others v. CNIL case, several individuals who wanted various links to web pages containing sensitive information (including, in one case, information related to criminal proceedings) removed from search results complained to the CNIL. The CNIL refused to take action against Google, a decision the individuals appealed to the French Council of State. The Council of State decided to refer to the CJEU several questions about how the general prohibition on processing sensitive data applied to search engine operators, and under what conditions those operators must grant requests to de-reference links to web pages containing sensitive data.

Judgments

Territorial scope of the right to be forgotten. The CJEU recognized that global de-referencing would meet the objective of EU data protection law, but acknowledged that many non-EU countries do not recognize the right to be forgotten or take a different approach to erasure issues. The CJEU also underlined that individuals’ right to the protection of their personal data is not an absolute right; crucially, that right must be balanced against other fundamental rights such as the freedom of information of Internet users – a balance which is likely to vary significantly around the world and even among EU Member States. The CJEU found that the EU legislature has not, to date, chosen to confer rights on individuals that would go beyond the territory of the EU Member States (although it commented that it would be within the scope of the EU legislature to do so). It found that there is no evidence that the EU legislature intended to impose on search engine operators, such as Google, an obligation affecting the national versions of its search engine other than those of EU Member States. Echoing the Opinion of Advocate General Szpunar in the Google v. CNIL case, the CJEU concluded that, currently, search engine operators are not required to de-reference the results on all of their search engine’s domain name extensions (i.e., worldwide), but are required to carry out that de-referencing on the domain names corresponding to EU Member States’ versions of the search engine. They must also put in place measures discouraging Internet users from gaining access from one of the EU Member States to the relevant links that appear on non-EU versions of the search engine.

That said, the CJEU went on to comment that, while EU law does not currently require de-referencing to be carried out on all versions of the search engine, it also does not prohibit such a practice. In its own words:

“Accordingly, a supervisory authority or judicial authority of a Member State remains competent to weigh up, in light of national standards of protection of fundamental rights, a data subject’s right to privacy and protection of personal data concerning him or her, on the one hand, and the right to freedom of information, on the other, and, after weighing those rights against one another, to order, where appropriate, the operator of that search engine to carry out a de-referencing on all versions of that search engine.”

Prohibition on processing sensitive data. As context: the EU’s prohibition and restrictions related to processing sensitive data generally apply to all controllers processing such data. The CJEU ruled, however, that the prohibition and restrictions apply to search engine operators only after a de-reference request is made and the relevant national supervisory authority has verified the link at issue. The prohibition and restrictions laid down in EU law on processing sensitive data cannot apply to a search engine operator as though it had itself caused the sensitive data to appear on the web pages referenced.

No systematic de-referencing. The CJEU underlined that the request to de-reference requires weighing the individual requester’s rights against the right of Internet users interested in that information. Its position is that while the requester’s fundamental rights override the freedom of information of Internet users as a general rule, that balance may depend, in specific cases, on the nature of the information in question, who the individual making the request is, and the public’s interest in having the information. In light of that, the CJEU tasked the search engine operator with a specific articulation of the balancing required. The CJEU concluded that if a search engine operator receives a de-referencing request related to a search of the requester’s name that generates, in the results, a link and webpage displaying sensitive information, the operator must decide whether including that link in the search results is necessary to protect Internet users’ freedom of information. The search engine operator’s analysis should consider the relevant factors of the particular case and take into account the seriousness of the interference with the individual’s fundamental rights to privacy and protection of personal data. For instance, if someone requests a link be de-referenced because it leads to information about a now-irrelevant criminal proceeding, the CJEU noted the search engine operator’s assessment should consider factors including the nature and seriousness of the offense, the progress and the outcome of the proceedings, the time elapsed, what role the requester plays in public life and his or her past conduct, the public’s interest at the time of the request, the content and form of the publication and the consequences of publication for that person.

Next Steps

France’s Council of State will now decide both cases in accordance with the CJEU’s rulings, while the CNIL commented in a press release that it took note of the rulings and will publish FAQs explaining the practical consequences of the rulings for the individuals concerned.