Press Announcement from the Court of Justice of the European Union
Judgment in Case C-507/17 Google LLC, successor in law to Google Inc. v Commission nationale de l’informatique et des libertés (CNIL)
The operator of a search engine is not required to carry out a de-referencing on all versions of its search engine. It is, however, required to carry out that de-referencing on the versions corresponding to all the Member States and to put in place measures discouraging internet users from gaining access, from one of the Member States, to the links in question which appear on versions of that search engine outside the EU.
By an adjudication of 10 March 2016, the President of the Commission nationale de l’informatique et des libertés (French Data Protection Authority, France) (‘the CNIL’) imposed a penalty of €100 000 on Google Inc. because of that company’s refusal, when granting a de-referencing request, to apply it to all its search engine’s domain name extensions.
Google Inc., having been given formal notice by the CNIL on 21 May 2015 to apply the dereferencing to all the extensions, had refused to do so and had confined itself to removing the links in question from only the results displayed following searches conducted from the domain names corresponding to the versions of its search engine in the Member States. Google Inc. requested the Conseil d’État (Council of State, France) to annul the adjudication of 10 March 2016. It considers that the right to de-referencing does not necessarily require that the links at issue are to be removed, without geographical limitation, from all its search engine’s domain names.
The Conseil d’État has referred several questions to the Court of Justice for a preliminary ruling seeking to ascertain whether the rules of EU law relating to the protection of personal data (1) are to be interpreted as meaning that, where a search engine operator grants a request for dereferencing, that operator is required to carry out that de-referencing on all versions of its search engine or whether, on the contrary, it is required to do so only on the versions of that search engine corresponding to all the Member States or only on the version corresponding to the Member State of residence of the person benefiting from the de-referencing.
In today’s judgment, the Court begins by recalling that it has already held (2) that the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.
The Court points out, next, that Google Inc.’s establishment in French territory carries on activities, including commercial and advertising activities, which are inextricably linked to the processing of personal data carried out for the purposes of operating the search engine concerned and, second, that that search engine must, in view of, inter alia, the existence of gateways between its various national versions, be regarded as carrying out a single act of data processing in the context of the activities of Google Inc.’s French establishment. Such a situation therefore falls within the scope of the EU legislation on the protection of personal data.
The Court emphasises that, in a globalised world, internet users’ access — including those outside the EU — to the referencing of a link referring to information regarding a person whose centre of interests is situated in the EU is likely to have immediate and substantial effects on that person within the EU itself, so that a global de-referencing would meet the objective of protection referred to in EU law in full. However, it states that numerous third States do not recognise the right to dereferencing or have a different approach to that right. The Court adds that the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. In addition, the balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world.
However, it is not apparent from the legal texts that the EU legislature has struck such a balance as regards the scope of a de-referencing outside the EU, nor that it has chosen to confer a scope on the rights of individuals which would go beyond the territory of the Member States. Nor is it apparent from those texts that it would have intended to impose on an operator, such as Google, a de-referencing obligation which also concerns the national versions of its search engine that do not correspond to the Member States. What is more, EU law does not provide for cooperation instruments and mechanisms as regards the scope of a de-referencing outside the EU.
Thus, the Court concludes that, currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.
However, EU law requires a search engine operator to carry out such a de-referencing on the versions of its search engine corresponding to all the Member States and to take sufficiently effective measures to ensure the effective protection of the data subject’s fundamental rights. Thus, such a de-referencing must, if necessary, be accompanied by measures which effectively prevent or, at the very least, seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subject’s name from gaining access, via the list of results displayed following that search, through a version of that search engine ‘outside the EU, to the links which are the subject of the request for de-referencing. It will be for the national court to ascertain whether the measures put in place by Google Inc. meet those requirements.
Lastly, the Court points out that, while EU law does not currently require a de-referencing to be carried out on all versions of the search engine, it also does not prohibit such a practice. Accordingly, the authorities of the Member States remain competent to weigh up, in the light of national standards of protection of fundamental rights, a data subject’s right to privacy and the protection of personal data concerning him or her, on the one hand, and the right to freedom of information, on the other, and, after weighing those rights against each other, to order, where appropriate, the operator of that search engine to carry out a de-referencing concerning all versions of that search engine.
NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of European Union law or the validity of a European Union act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised. Unofficial document for media use, not binding on the Court of Justice.
(1) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 (General Data Protection Regulation) (OJ 2016 L 119, p. 1, and Corrigendum OJ 2018 L 127, p. 2).
(2) Case: C-131/12 Google Spain and Google see Press release 70/14. www.curia.europa.eu
Full PDF Copy of the Court of Justice of the European Union Press Release No. 112/19, 24 September 2019Court of Justice of the European Union Press Release No 112:19 – 092419
- InfoCuria Case Law – Case 507/17 – Judgement – September 24, 2019
- InfoCuria Case Law – Case 507/17 – Opinion – January 10, 2019
- InfoCuria Case Law – Case 507/17 – Application – September 29, 2019
Have a Request?
If you have information or offering requests that you would like to ask us about, please let us know and we will make our response to you a priority.
ComplexDiscovery is an online publication that highlights cyber, data, and legal discovery insight and intelligence ranging from original research to aggregated news for use by cybersecurity, information governance, and eDiscovery professionals. The highly targeted publication seeks to increase the collective understanding of readers regarding cyber, data, and legal discovery information and issues and to provide an objective resource for considering trends, technologies, and services related to electronically stored information.
ComplexDiscovery OÜ is a technology marketing firm providing strategic planning and tactical execution expertise in support of cyber, data, and legal discovery organizations. Focused primarily on supporting the ComplexDiscovery publication, the company is registered as a private limited company in the European Union country of Estonia, one of the most digitally advanced countries in the world. The company operates virtually worldwide to deliver marketing consulting and services.