France

Court of Justice of the European Union: Search engines must accede to requests for the de-referencing of certain sensitive data

IRIS 2019-10:1/5

Gionata Bouchè

In its judgment of 24 September 2019, the Court of Justice of the European Union (“CJEU”) extended the prohibition to process special categories of personal data under EU data protection legislation to search engine operators acting as controllers. Building on its previous decision in Google Spain (see IRIS 2014-6/3), the CJEU ruled that operators of search engines are, in principle, required to accede to de-referencing requests regarding links to websites displaying sensitive data (for example, information related to religious or philosophical beliefs, sex life, criminal convictions, etc.), subject to certain exceptions.

In the main dispute, Google refused to comply with GC, AF, BH and ED’s requests to de-reference a series of links leading to third-party websites, displayed in response to the online searches for their individual names. In particular, the content of these websites consisted of a vignette satirically depicting the first applicant (a French politician) that was pseudonymously uploaded on YouTube, and several articles which reported on AF’s previous involvement with the Church of Scientology, the judicial proceedings brought against BH, and ED’s past criminal conviction.

The applicants requested the French data protection authority (Commission nationale de l’informatique et des libertés, CNIL) to take action against Google. After the CNIL had dismissed their claims, an appeal was brought before the Conseil d’État, which chose to refer a series of questions to the CJEU concerning the applicability of the general prohibition to process sensitive data to search engine operators and the conditions under which the latter would be required to de-reference links to websites containing sensitive data.

The CJEU reiterated that search engine operators needed to conduct their activities in compliance with the Data Protection Directive, which was replaced by Regulation 2016/679 (see IRIS 2018-6/7) only after the dispute at hand had already arisen. The CJEU therefore stressed that they remained subject to the prohibition and restrictions imposed under Article 8 (1) and (5) of Directive 95/46, which requires search engine operators to abstain from the processing of personal data disclosing sensitive information related to religious, philosophical and sexual orientation, etc., while allowing the processing of information concerning criminal convictions only under the supervision of a public authority. The reasoning behind this decision was that referencing to third-party websites displayed to users of search engines amounted to an act of verification capable of impacting the fundamental rights to privacy and data protection of users.

However, the CJEU acknowledged that although the fundamental rights of data subjects generally overrode the public interest, this may vary on the basis of the nature of the information, the sensitivity for the data subject’s private life and the interest of the public, also considering the data subject’s role in public life. For that reason, it found that before deciding on a request for the de-referencing of links to websites that expose sensitive data, search engine operators must determine whether a refusal to de-reference is strictly necessary in order to protect the freedom of potentially interested users in searching and gaining access to such information, while taking into account the relevant factors of the case and the seriousness of the interference.

In addition, the CJEU specified that where the sensitive data displayed corresponds to information about criminal proceedings no longer reflecting the current legal status, operators need to consider (a) the nature and seriousness of the offence, (b) the progress and the outcome of the proceedings, (c) the time elapsed, (d) the data subject’s public role and past conduct, (e) the public’s interest at the time of the request, (f) the content and form of the publication and (h) the consequences of publication for the data subject. To conclude, the CJEU held that search engine operators were obliged to provide an “overall picture” of data subjects closely reflecting the current legal situation by adjusting the list of search results associated with their names.


References


Related articles

IRIS 2018-6:1/7 Council of the EU: General Data Protection Regulation becomes applicable

IRIS 2014-6:1/3 Court of Justice of the European Union: Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos

This article has been published in IRIS Legal Observations of the European Audiovisual Observatory.