France

[FR] Annulment of CNIL’s demand that Google apply de-referencing to all its geographical extensions

IRIS 2020-7:1/6

Amélie Blocman

Légipresse

After the Conseil d'Etat (Council of State) issued a series of judgments on 6 December clarifying the implementation of the right to de-referencing (right to be forgotten), in particular where ‘sensitive data’ is concerned, France’s highest administrative court issued a decision on the geographical scope of this right.

In the case at hand, Google Inc. had applied for the annulment of the decision of the French data protection authority (Commission nationale de l’informatique et des libertés – CNIL) of 10 March 2016 to fine it EUR 100 000 for refusing, when granting a de-referencing request, to apply it to all its search engine’s domain name extensions, and for only removing the links in question from the results displayed following searches conducted from the domain names corresponding to the versions of its search engine in the EU member states. The CNIL also regarded as insufficient Google’s further ‘geo-blocking’ proposal, made after expiry of the time limit laid down in the formal notice, whereby Internet users would be prevented from accessing the results at issue from an IP address deemed to be located in the state of residence of a data subject after conducting a search on the basis of that data subject’s name, irrespective of the version of the search engine they used.

The Conseil d’Etat pointed out that, in its judgment of 24 September 2019 (Google LLC v CNIL, Case C-507/17), the CJEU had ruled that “where a search engine operator grants a request for de-referencing pursuant to those provisions, that operator is not required to carry out that de-referencing on all versions of its search engine, but on the versions of that search engine corresponding to all the Member States, using, where necessary, measures which, while meeting the legal requirements, effectively prevent or, at the very least, seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subject’s name from gaining access, via the list of results displayed following that search, to the links which are the subject of that request.”

According to the Conseil d’Etat, this meant that, by sanctioning the appellant company on the grounds that only a measure that applied to all uses of its search engine, regardless of the extensions used and the geographical location of the Internet user conducting a search, was sufficient to meet the protection requirement established by the CJEU, the select panel of the CNIL had made an error of law in the disputed decision.

Moreover, although the CNIL argued, as the defendant, that the disputed sanction had been based on the Court of Justice’s view that the supervisory authorities could order the de-referencing of all versions of a search engine, there was no legislative provision in current applicable law that meant that such de-referencing could extend beyond the area covered by EU law and apply outside the territory of the member states. The authorities could only issue such an order after weighing the data subject’s right to privacy and the protection of personal data concerning him or her against the right to freedom of information. The very wording of the disputed decision showed that, before finding Google Inc. guilty of ongoing infringements and failing to meet its obligation to apply de-referencing to all versions of a search engine, the CNIL select panel had not weighed these rights against each other. There was therefore no reason to accept the legal basis given for the CNIL’s decision, which was annulled.


References


This article has been published in IRIS Legal Observations of the European Audiovisual Observatory.