Following on from the Advocate General Opinions published on 10 January (which I wrote about here), yesterday the Court of Justice released its decisions in two cases concerning internet search engines and the right to be forgotten.

The decisions primarily concern the repealed Data Protection Directive 95/46/EC, but they refer extensively to the GDPR and have potentially important implications for its application.  The Court states in each case that it has examined the questions referred to it in light of both the Directive and the GDPR “in order to ensure that its answers will be of use to the referring court in any event.

Google v CNIL

In Google v CNIL Case 507/17 the Court was asked “whether the provisions of Directive 95/46 require a national, European or worldwide de-referencing.

After a successful de-referencing request, CNIL required Google to affect the delisting in relation to all domain name extensions of its search engine. Google refused, and limited the delisting to (1) searches performed on the domain names corresponding to the versions of its search engine in the Member States of the EU; and (2) “geo-blocking” of the delisted results “regardless of the version of search engine used” on the basis of a search conducted using an IP address deemed to be located in the State of residence of the person concerned. CNIL regarded these steps as insufficient and fined Google 100,000 Euros by way of sanction. Google sought the annulment of CNIL’s decision before the Conseil d’État, which decided to refer several questions to the Court of Justice for a preliminary ruling.

The Court made four key determinations:

  • There was no obligation under EU law for a search engine operator to carry out de-referencing on all versions of its search engine, i.e. worldwide. [64]-[65]
  • A search engine operator is required to carry out de-referencing on all versions of its search engine corresponding to all of the Member States. [73]
  • There is nothing prohibiting a supervisory or judicial authority of a Member State from ordering a worldwide de-referencing, if it determines it appropriate on the facts of the case. EU law “does not prohibit such a practice.” [72]
  • A search engine operator must also take “sufficiently effective measures” that “effectively prevent,, or at the very least, seriously discouraging an internet user conducting a search from one of the Members States from gaining access to the links in question using a search conducted on the basis of a data subject’s name from gaining access, via the list of results displayed… to the links which are the subject of that request.” Whether this has been satisfied is a matter for the referring Court. [70] and [73]

While the headline conclusion is that de-referencing is usually confined to Member States, it should therefore be noted that the CJEU did not rule out that worldwide de-referencing may be appropriate and lawful on the facts of a particular case. The CJEU also notably refused to determine whether the steps taken by Google in relation to automatically assigning the version of its search engine based on the location of the internet user satisfied the requirement in (4) above (at [73]). That is a matter for the referring court.

GC & Others v CNIL

The Court was asked a number of questions, all of which broadly related to the question of how the prohibitions on processing sensitive personal data under the Directive applied to search engines.

The reference involved four separate cases joined by the French courts, in which the applicants each sought the dereferencing of various URLs which contained, inter alia, a satirical photomontage of a female politician posted online under a pseudonym, an article referring to one of the interested parties as the public relations officer for the Church of Scientology, the placing under investigation of a male politician and the conviction of another interested party for sexual assaults against minors. Both Google LLC and the French data protection authority (CNIL) refused to order the de-referencing the applicants sought.

The Court began by confirming that the relevant provisions of the Directive concerning sensitive personal data applied to search engine operators (at [48]).  It sharply differed from the approach of Advocate General Szpunar however as it decided that this did not preclude any balancing exercise. Szpunar concluded that once it was established that a de-referencing request concerned sensitive personal data he “did not see any place for… balancing in the context of Article 8 of Directive 95/46.” The Court rejected this approach and determined that balancing was necessary and appropriate, by reference to the EU Charter as well as the Directive (and the GDPR) (at [66]-[69] and [75]).

In such circumstances the search engine operator

must, on the basis of all the relevant factors of the particular case and taking into account the seriousness of the interference with the data subject’s fundamental rights… ascertain, having regard to the reasons of substantial public interest… whether the inclusion of that link in the list of results displayed following a search on the basis of the data subject’s name is strictly necessary for protecting the freedom of information of internet users…” (at [68]).

The Court reiterated that information “relating to the judicial investigation and the trial” constituted sensitive personal data (and Article 10 data for the purposes of the GDPR) and that this applied whether or not the individual in question was convicted (at [72]). Where a link included such information that “no longer correspond[ed] to the current situation”, for example where it related to “an earlier stage of the proceedings”, it was for a search engine operator to assess in all of the circumstances of the case whether the data subject had a right to de-referencing that overrode that of internet users (at [77] and [79]). The Court stated that the operator should consider, in particular

  • The nature and seriousness of the offence
  • The progress and outcome of proceedings
  • The time elapsed
  • The part played by the data subject in public life and his past conduct
  • The public’ interest at the time of the request
  • The content and form of the publication
  • The consequences of publication for the data subject

This approach ensured that there was no blanket prohibition on the processing of sensitive personal data by search engines under the Directive (a problem that does not directly arise under the GDPR) and avoided the strained approach of AG Szpunar to the question of journalistic material. In substance, it is not too dissimilar from that adopted by Warby J in NT1 v Google.

However, there was a notable sting in the tail, as the Court concluded that in the scenario of an out-of-date link relating to criminal proceedings (and perhaps any other sensitive personal data), even if the search engine operator determined that the inclusion of the link remained strictly necessary it was

in any event required, at the latest on the occasion of the request for de-referencing, to adjust the list of results in such a way that the overall picture it gives the internet users reflects the current legal position, which means in particular that links to web pages containing information on that point must appear in first place on the list.” (at [78]).

Ian Helme is a member of the Media and Information team at Matrix Chambers