The Right to be Forgotten: Search Engines under the Recent CJEU cases

The further we evolve into a post-GDPR world, the more we are starting to see guidance come from a variety of sources. The European Data Protection Board (“EDPB”) continues to provide guidelines to fill in ambiguities in areas of the GDPR that are less clear. In addition, the Court of Justice of the European Union (“CJEU”) is also starting to hear cases about the GDPR, which is settling some issues that were unresolved. We provided a breakdown of some key summer guidance here and here.

This week we saw the release of two important Judgments from the CJEU regarding data protection and search engines: (1) Case C-507/17, Google LLC, successor in law to Google Inc. v Commission nationale de l’informatique et des libertés (CNIL) (“Google”) and (2) Case C-136/17, GC and Others v Commission nationale de l’informatique et des libertés (CNIL) (“GC”). This post will tackle each in turn.

Google and the CNIL: The Right to De-reference

Another in a long line of cases involving search engines that have been addressed by the CJEU, Google addresses whether search engines, when requested to remove a reference to a link per the right to erasure under the GDPR (Art. 17), are required to remove that reference across all of the search engine’s extensions or just those extensions that correspond to the EU Member States. See Google, at ¶39. In essence, the Google case directly implicates the territorial scope of EU data protection laws, and how far beyond the EU their protections can impact the business of a global company. See Google, at ¶53.

In this case, Google appealed the Commission nationale de l’informatique et des libertés (French Data Protection Authority, France) (‘the CNIL’) decision requiring Google to apply a de-referencing request across all of its search engine’s domain name extensions. See Google, at ¶ 30-34. For those of you not aware, search engines use different extensions depending on the region in which you are located, based on a geo-location process. This allows the search engine to tailor its results to the region and/or language of the data subject. See Google, at ¶ 36. For example, when traveling in Paris, if you use the Google search engine, you will automatically be redirected to Google.fr for the search. Conversely, when sitting in New York City, you will be redirected to “Google.com.” (Of course, the user of the search engine can affirmatively select which domain to use, regardless of that person’s physical location.)

Back to the Google Judgment, the CJEU reiterated that it already affirmed that a search engine is required to remove search results if a data subject makes a valid request under EU data protection law. See Google, at ¶ 44-48. (As a reminder, this is in reference to the very publicized C-131/12 Google Spain case decided in 2014.) The Court also affirmed that, because a search engine’s activities are “inextricably linked” to the processing of personal data, search engines are required to comply with EU data protection laws. See Google, at ¶ 52.

The CJEU clearly understood that “[t]he internet is a global network without borders” and “[i]n a globalised world, internet users’ access — including those outside the Union — to the referencing of a link referring to information regarding a person whose centre of interests is situated in the Union is thus likely to have immediate and substantial effects on that person within the Union itself.” See Google, at ¶ 56-57. Thus, the CJEU firmly recognized that the EU has jurisdiction over the search engine to require compliance with the EU’s data protection laws.

However, the CJEU recognized two mitigating components: first, other countries outside of the EU “do not recognize the right to de-referencing or have a different approach to that right.” See Google, at ¶59. Second, and frankly a key aspect of this opinion, the Court went on to state:

“the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality (see, to that effect, judgment of 9 November 2010, Volker und Markus Schecke and Eifert, C-92/09 and C-93/09, EU:C:2010:662, paragraph 48, and Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017, EU:C:2017:592, point 136). Furthermore, the balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world.”

See Google, at ¶60 (emphasis added).

Here the Court clearly recognized that other countries will balance these rights differently. It is also a clear recognition that it was not the CJEU’s role to strike the balance “as regards the scope of a de-referencing outside the Union.” See Google, at ¶61. Thus, the CJEU held that “there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.” See Google, at ¶64.

What does the Google decision mean in the broader evolution of global data privacy?

It is clear that while the rights outlined by the GDPR and other EU data protection laws are important, and will be highly protected, they are not absolute. The belief that the GDPR protections will be taken to the extreme, and possibly produce absurd results, seems less likely. The Court also seemed willing to strike a reasonable balance when interpreting and enforcing the GDPR.

This is a good thing: technology is running at lightspeed, and the ways in which it will impact the GDPR are unknown. We need a judicial system that is willing to acknowledge that life is evolving and that, as technology evolves with it, the way we interact with and protect data cannot remain stagnant. This Judgment highlights a Court that is willing to strike a practical balance in the years to come. This is a win for technology, the law, and the right to privacy.

Search Engine Processing Categories of Sensitive Personal Data

The second case released last week, GC, again focused on search engines, and again on the obligation to de-reference certain links. This time, the question surrounded the processing of special categories of data (defined under GDPR, Art. 9). The issue honed in on whether search engines are required to comply with the prohibition imposed on other controllers processing data falling within those certain special categories of data. See GC, at ¶31.

Under EU data protection law, special categories of data consist of “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” See Article 9(1). The GDPR creates a general prohibition of processing these special categories of data, unless an exception or derogation applies. See Article 9(2). 

The GC case arose when four separate data subjects made a request to Google to de-reference links to third-party webpages where certain sensitive information was mentioned (i.e., Church affiliation, judicial investigations, criminal proceedings, etc.). See GC, at ¶¶25-28. Google rejected the requests to de-reference the links, and the data subjects brought complaints to the CNIL, which the CNIL refused. On appeal, these data subjects brought their complaints to the higher court in France, which referred the matter to the CJEU. See GC, at ¶¶29-30.

The CJEU affirmed that the activities of the search engine (finding information online, indexing that information, and making it available to other users) constitute the processing of personal data under EU data protection laws. See GC, at ¶35. Further, this activity is distinct from the processing carried out by the third party who publishes this information because a search engine “plays a decisive role in the overall dissemination of those data in that it renders the latter accessible to any internet user making a search on the basis of the data subject’s name, including to internet users who otherwise would not have found the web page on which those data are published.” See GC, at ¶36.

As such, since a search engine is processing data, it is subject to the requirements of EU data protection law, which includes the general prohibition of the processing of special categories of data. See GC, at ¶¶42-43. The CJEU noted that while the specific features of processing conducted by a search engine do not exempt it from this general prohibition, “those specific features may, however, have an effect on the extent of the operator’s responsibility and obligations under those provisions.” See GC, at ¶45.

The Court makes clear that the responsibility derives not from the third party’s webpage containing the content. Instead, it found that the responsibility arises from the search engine’s “referencing of that page and in particular the display of the link to that web page in the list of results presented to internet users following a search on the basis of an individual’s name, since such a display of the link in such a list is liable significantly to affect the data subject’s fundamental rights to privacy and to the protection of the personal data relating to him.” See GC, at ¶46.

The CJEU ultimately held that a search engine, when determining the means and purposes of processing special categories of data, must ensure that the requirements of EU data protection law are met. This includes special categories of data (such as political opinions, health information, etc.), which are generally prohibited from being processed under the GDPR, unless an exception applies. See GC, at ¶48.

The Court next addressed what role a search engine has to assess whether to accept a de-reference request when that request addresses links that include special categories of data. In reviewing the right to erasure under the GDPR, the CJEU expressly noted, in line with its Google judgment, that “the data subject’s right to erasure is excluded where the processing is necessary for the exercise of the right of information” and “the right to protection of personal data is not an absolute right but, as recital 4 of the [GDPR] states, must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.” See GC, at ¶57.

Ultimately, the Court directed the search engines to conduct a balancing test to determine whether to accept a de-referencing request:

“where the operator of a search engine receives a request for de-referencing relating to a link to a web page on which such sensitive data are published, the operator must, on the basis of all the relevant factors of the particular case and taking into account the seriousness of the interference with the data subject’s fundamental rights to privacy and protection of personal data laid down in Articles 7 and 8 of the Charter, ascertain, having regard to the reasons of substantial public interest referred to in Article 8(4) of Directive 95/46 or Article 9(2)(g) of Regulation 2016/679 and in compliance with the conditions laid down in those provisions, whether the inclusion of that link in the list of results displayed following a search on the basis of the data subject’s name is strictly necessary for protecting the freedom of information of internet users potentially interested in accessing that web page by means of such a search, protected by Article 11 of the Charter.”

See GC, at ¶68.

Key Take-Aways on the Processing of Special Categories of Data by Search Engines

GC provides some interesting insight into, on the one hand, how the courts will view the processing of special categories of data and, on the other hand, the role of search engines in the processing of data generally.

First, it is clear that the general prohibition on the processing of special categories of data is a red line; even if a company is not the entity putting the special categories of data on the internet, it can still be held to that general prohibition of processing this type of data. This is key because, when providing online services, it may not be initially clear that you are in fact processing special categories of data if you do not have visibility into all of the data associated with a specific activity. As such, it is very important that you ask questions of those entities you are engaging with (i.e. partners, collaborators, and third party vendors) and get a true understanding of the type of information being collected on a data subject. Otherwise, you may run afoul of Article 9’s prohibition and open yourself up to liability.

Second, and in line with the CJEU’s Google Spain (see above) judgment, the search engines are again being put into the position of conducting a balancing test weighing the impact on a data subject’s rights vs. the public’s interest in the data being retained and available. For now, the burden is on these search engines to conduct this balancing test, which involves sensitive information. And, it remains to be seen whether we, as a society, are comfortable with these search engines (i.e. for-profit organizations) playing that role.

Overall, both the Google and GC judgments shed some light and insight on the court’s approach and willingness to make some practical decisions in a post-GDPR world. Will these decisions end up being practical in the operational sense? That remains to be seen. But the balancing of these varied rights that are directly, or indirectly, impacted by data protection laws is starting to become clearer. And, businesses can learn from these judgments that informed, reasonable decisions will be considered by the EU and taken into account.
