By an adjudication of 10 March 2016, the Commission nationale de l’informatique et des libertés (French Data Protection Authority, France) («the CNIL») imposed a penalty of €100 000 on Google Inc. because of that company’s refusal, when granting a de-referencing request, to apply it to all its search engine’s domain name extensions.
Google Inc., having been given formal notice by the CNIL on 21 May 2015 to apply the de-referencing to all the extensions, had refused to do so and had confined itself to removing the links in question from only the results displayed following searches conducted from the domain names corresponding to the versions of its search engine in the Member States. Google Inc. requested the Conseil d’État (Council of State, France) to annul the adjudication of 10 March 2016. It considers that the right to de-referencing does not necessarily require that the links at issue are to be removed, without geographical limitation, from all its search engine’s domain names.
The Conseil d’État has referred several questions to the Court of Justice for a preliminary ruling seeking to ascertain whether the rules of EU law relating to the protection of personal data1 are to be interpreted as meaning that, where a search engine operator grants a request for de-referencing, that operator is required to carry out that de-referencing on all versions of its search engine or whether, on the contrary, it is required to do so only on the versions of that search engine corresponding to all the Member States or only on the version corresponding to the Member State of residence of the person benefiting from the de-referencing.
In today’s judgment, the Court begins by recalling that it has already held2 that the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.
The Court points out, next, that Google Inc.’s establishment in French territory carries on activities, including commercial and advertising activities, which are inextricably linked to the processing of personal data carried out for the purposes of operating the search engine concerned and, second, that that search engine must, in view of, inter alia, the existence of gateways between its various national versions, be regarded as carrying out a single act of data processing in the context of the activities of Google Inc.’s French establishment. Such a situation therefore falls within the scope of the EU legislation on the protection of personal data.
The Court emphasises that, in a globalised world, internet users’ access – including those outside the EU – to the referencing of a link referring to information regarding a person whose centre of interests is situated in the EU is likely to have immediate and substantial effects on that person within the EU itself, so that a global de-referencing would meet the objective of protection referred to in EU law in full. However, it states that numerous third States do not recognise the right to de-referencing or have a different approach to that right. The Court adds that the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. In addition, the balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world.
However, it is not apparent from the legal texts that the EU legislature has struck such a balance as regards the scope of a de-referencing outside the EU, nor that it has chosen to confer a scope on the rights of individuals which would go beyond the territory of the Member States. Nor is it apparent from those texts that it would have intended to impose on an operator, such as Google, a de-referencing obligation which also concerns the national versions of its search engine that do not correspond to the Member States. What is more, EU law does not provide for cooperation instruments and mechanisms as regards the scope of a de-referencing outside the EU.
Thus, the Court concludes that, currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.
However, EU law requires a search engine operator to carry out such a de-referencing on the versions of its search engine corresponding to all the Member States and to take sufficiently effective measures to ensure the effective protection of the data subject’s fundamental rights. Thus, such a de-referencing must, if necessary, be accompanied by measures which effectively prevent or, at the very least, seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subject’s name from gaining access, via the list of results displayed following that search, through a version of that search engine, outside the EU, to the links which are the subject of the request for de-referencing. It will be for the national court to ascertain whether the measures put in place by Google Inc. meet those requirements.
Lastly, the Court points out that, while EU law does not currently require a de-referencing to be carried out on all versions of the search engine, it also does not prohibit such a practice. Accordingly, the authorities of the Member States remain competent to weigh up, in the light of national standards of protection of fundamental rights, a data subject’s right to privacy and the protection of personal data concerning him or her, on the one hand, and the right to freedom of information, on the other, and, after weighing those rights against each other, to order, where appropriate, the operator of that search engine to carry out a de-referencing concerning all versions of that search engine.
CJEU Judgement C-507/17 of 18 October 2019
Source: CJEU press release no. 158/18
- 1 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 (General Data Protection Regulation) (OJ 2016 L 119, p. 1, and Corrigendum OJ 2018 L 127, p. 2).
- 2 Case: C-131/12 Google Spain and Google see Press release 70/14.