On September 24, 2019, the Court of Justice of the European Union (the “CJEU”) released its judgments in cases C-507/17, Google v. CNIL and C-136/17, G.C. and Others v. CNIL regarding (1) the territorial scope of the right to be forgotten, referred to in the judgement as the “right to de-referencing,” and (2) the conditions in which individuals may exercise the right to be forgotten in relation to links to web pages containing sensitive data. The Court’s analysis considered both the EU Data Protection Directive and the EU General Data Protection Regulation (“GDPR”).
Background
The CJEU previously held in its 2014 Costeja decision that individuals have a right to request, under certain conditions, that their personal data no longer be displayed by search engines in response to searches of the individual’s name. This is now recognized in Article 17 of the GDPR governing the right to be forgotten.
In the Google v. CNIL case, the French data protection authority (the “CNIL”) ordered that, in responding to such a request, Google must remove the links from the results on all of its search engine’s domain name extensions—meaning worldwide removal. Google refused to fully comply with the order. Instead, it limited removal to the results of searches made on domain names corresponding to EU Member States’ versions of Google’s search engine—in other words, removing results in the EU but not worldwide. Google also proposed a “geo-blocking” technique. This would prevent an Internet user searching from an IP address in an EU Member State, who used a different version of the search engine, from accessing the links. The CNIL found this to be an inadequate proposal, held that Google had failed to comply with the formal notice within the prescribed time limit and fined Google €100,000. Google appealed the decision before France’s Council of State (France’s highest administrative court). The Council of State decided to refer several questions relating to the territorial scope of the right to be forgotten to the CJEU.
In the G.C. and Others v. CNIL case, several individuals who wanted various links to web pages containing sensitive information (including, in one case, information related to criminal proceedings) removed from search results complained to the CNIL. The CNIL refused to take action against Google, a decision the individuals appealed to the French Council of State. The Council of State decided to refer to the CJEU several questions about how the general prohibition on processing sensitive data applied to search engine operators, and under what conditions those operators must grant requests to de-reference links to web pages containing sensitive data.
Judgments
Territorial scope of the right to be forgotten. The CJEU recognized that global de-referencing would meet the objective of EU data protection law, but acknowledged that many non-EU countries do not recognize the right to be forgotten or take a different approach to erasure issues. The CJEU also underlined that individuals’ right to the protection of their personal data is not an absolute right; crucially, that right must be balanced against other fundamental rights such as the freedom of information of Internet users – a balance which is likely to vary significantly around the world and even among EU Member States. The CJEU found that the EU legislature has not, to date, chosen to confer rights on individuals that would go beyond the territory of the EU Member States (although it commented that it would be within the scope of the EU legislature to do so). It found that there is no evidence that the EU legislature intended to impose on search engine operators, such as Google, an obligation affecting the national versions of its search engine other than those of EU Member States. Echoing the Opinion of Advocate General Szpunar in the Google v. CNIL case, the CJEU concluded that, currently, search engine operators are not required to de-reference the results on all of their search engine’s domain name extensions (i.e., worldwide), but are required to carry out that de-referencing on the domain names corresponding to EU Member States’ versions of the search engine. They must also put in place measures discouraging Internet users from gaining access from one of the EU Member States to the relevant links that appear on non-EU versions of the search engine.
That said, the CJEU went on to comment that, while EU law does not currently require de-referencing to be carried on all versions of the search engine, it also does not prohibit such a practice. In its own words:
“Accordingly, a supervisory authority or judicial authority of a Member State remains competent to weigh up, in light of national standards of protection of fundamental rights, a data subject’s right to privacy and protection of personal data concerning him or her , on the one hand, and the right to freedom of information, on the other, and, after weighting those rights against one another, to order, where appropriate, the operator of that search engine to carry out a de-referencing on all versions of that search engine.”
Prohibition on processing sensitive data. The CJEU considered that the prohibition and restrictions laid down in EU law on processing sensitive data apply, subject to the exceptions provided for by EU law, to all controllers processing such data, including search engine operators. However, the CJEU recognized that the specific features of search engines may have an effect on the extent of the search engine’s responsibility and obligations under those provisions. Accordingly, the prohibition and restrictions apply to search engine operators only after a request has been made to de-reference and the link to sensitive personal data has been verified under the supervision of the national supervisory authority. The prohibition and restrictions laid down in EU law on processing sensitive data cannot apply to a search engine operator as though it had itself caused the sensitive data to appear on the web pages referenced.
No systematic de-referencing. The CJEU underlined that the request to de-reference requires weighing the individual requester’s rights against the right of Internet users interested in that information. Its position is that while the requester’s fundamental rights override the freedom of information of Internet users as a general rule, that balance may depend, in specific cases, on the nature of the information in question and its sensitivity for the individual’s private life, and the public’s interest in having the information. The public’s interest may vary, in particular, according to the role played by the individual in public life. In light of that, the CJEU tasked the search engine operator with a specific articulation of the balancing required. The CJEU concluded that if a search engine operator receives a de-referencing request related to a search of the requester’s name that generates, in the results, a link and webpage displaying sensitive information, the operator must decide whether including that link in the search results is necessary to protect Internet users’ freedom of information. The search engine operator’s analysis should consider the relevant factors of the particular case and take into account the seriousness of the interference with the individual’s fundamental rights to privacy and protection of personal data. For instance, if someone requests a link be de-referenced because it leads to information about a now-irrelevant criminal proceeding, the CJEU noted the search engine operator’s assessment should consider factors including the nature and seriousness of the offense, the progress and the outcome of the proceedings, the time elapsed, what role the requester plays in public life and his or her past conduct, the public’s interest at the time of the request, the content and form of the publication and the consequences of publication for that person.
Next Steps
France’s Council of State will now decide both cases in accordance with the CJEU’s rulings, while the CNIL commented in a press release that it took note of the rulings and will publish FAQs explaining the practical consequences of the rulings for the individuals concerned.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code