Google v CNIL

CNIL served formal notice requiring that when Google grants a de-referencing request by a natural person it delists the relevant results from all of Google’s domain name extensions. Google refused to comply and only removed results if the search was conducted from a Google domain name corresponding to a Member State.

After the expiry of the period laid down in CNIL’s formal notice, Google proposed to use geo-blocking to prevent internet users from accessing the results in issue if their IP address was deemed to be in the State of residence of the data subject, no matter which version of the search engine they used.

CNIL found that Google had failed to comply with the formal notice, considered that the geo-blocking proposal was insufficient, and imposed a public penalty of €100,000. Google applied to the Conseil d’État seeking an annulment of that finding. The Conseil d’État referred the proceedings to the CJEU under the preliminary ruling procedure.

1) Whether a search engine operator is required, when granting a request for de-referencing from a natural person, to carry out that de-referencing on all versions of its search engine;

2) if not, whether the search engine operator is required to carry out de-referencing on the versions of the search engine corresponding to all of the Member States, or only on the version corresponding to the Member State where the de-referencing request was made; and

3) in addition to (2), whether a search engine is required to use geo-blocking to remove results from searches conducted in the Member State where the de-referencing request was made, or more generally from any Member State, regardless of the domain name used to conduct the search.

Although these questions related to the interpretation of Directive 95/46 (“the Directive”), the Directive was repealed after the Conseil d’État submitted the request for a preliminary ruling. Therefore, the Court examined the questions in light of both the Directive and GDPR.

1) A search engine operator is not required to carry out a de-referencing on all versions of the search engine. The objective of the Directive and GDPR is to guarantee a high level of protection of personal data throughout the EU, and de-referencing on all versions of the search engine would meet that objective in full. However, numerous third States do not recognise the right to de-referencing, the right to protection of personal data is not absolute, and the balance between the right to privacy and freedom of internet users is likely to vary significantly around the world. Further, it is not apparent from Art 12(b) and 14(a) of the Directive or Art 17(1) of the GDPR, which prescribe the right to erasure, that the EU legislature intended to confer a scope on the rights beyond the territory of the Member States.

However, although EU law does not require global de-referencing, it does not prohibit such a practice. Authorities within Member States remain competent to weigh up the competing rights of data protection and freedom of information in accordance with national standards, and where appropriate require global de-referencing.

2) A search engine operator must carry out de-referencing on all versions of the search engine corresponding to the Member States. The EU legislature has chosen to lay down the rules concerning data protection by way of a regulation directly applicable in the Member States, to ensure a consistent and high level of protection throughout the EU. However, as the balance between a data subject’s rights and the interest of the public in accessing information may vary between Member States, it is for Member States to provide for the exemptions and derogations to reconcile those the data subject’s rights with freedom of information.

3) Where necessary, the search engine should use measures which effectively prevent or at least seriously discourage an internet user conducting a search from one of the Member States from gaining access to the links which are the subject of the de-referencing request.

A much-anticipated judgment that has been welcomed as clarifying that the ‘right to be forgotten’, recognised in the landmark Google Spain decision, does not have extra-territorial application. However, it is unlikely to resolve all uncertainty surrounding a data controller’s obligations when granting a de-referencing request for two reasons. First, the Court’s finding that global de-referencing is not prohibited by EU law leaves open the possibility of global application. Second, the suggestion that authorities within Member States could require global de-listing “where appropriate” could lead to Member States adopting contrasting approaches, in light of the differing balance struck between competing rights in different jurisdictions.

The Court’s suggestion that technologies such as geo-blocking could prevent or at least “seriously discourage” access to de-referenced links appears to acknowledge that geo-blocking has a deterrent effect, even if it has potential to be circumvented using VPN technology.

This judgment should be read alongside GC v CNIL, a judgment delivered by the Court the same day, which further clarifies the scope of de-referencing obligations in relation to special category data.

Judgment