24th September 2019 is most likely to be remembered as the day the UK Supreme Court unanimously ruled that the Prime Minister, Boris Johnson, had unlawfully prorogued Parliament. As media attention focussed on the constitutional implications of this landmark judgment, you might be forgiven for not noticing another very important legal judgment delivered by the Court of Justice of the European Union (CJEU) in (Google LLC v CNIL (Case C-507/17). In contrast to the Prime Minister, the case went in favour of Google and provided clarification regarding the extent of its obligations to erase personal data under Article 17 of GDPR, the so called “Right to be Forgotten.”
This decision is, in many senses, a continuation of the Court’s landmark judgment in 2014 (Google v Spain (Case C-131/12) in which the CJEU ruled that Google, as a Data Controller, had to give effect to the data protection right of erasure provided in Article 12(b) and the right of objection under Article 14 of the EU Data Protection Directive 1995 (the 1995 Directive). Readers will know that the Directive has been repealed and replaced by the GDPR. Although, at the time of the case the operative law was the Directive, the Court decided that it would consider the questions raised in the light of both the Directive and the GDPR to ensure that its answers would be of relevance now that the GDPR is in force.
The Right to be Forgotten (or the right to erasure) is now found in Article 17 and the right to object to processing in Article 21 of GDPR. In Google v Spain the Court held that where a search engine operator received a request under Article 12 (b) of the 1995 Directive then it would have to take steps to remove those links to third party web sites that were displayed in a list in a search conducted against the Data Subject’s name (provided the conditions of Article 12 (b) were met). This meant that a Data Subject would have the right to request Google to ‘de-reference’ certain links to information held on third party web sites. This has been referred to as the “right to
de-referencing”. This right was not absolute.
Turning to the corresponding provisions of the GDPR (Article 17), the Court also notes that the Right to be Forgotten under Article 17 (3) of the GDPR is also not absolute.
A search engine operator may refuse the request if one of the conditions in Article 17(3) applies. Article 17 (3) specifically states that the Right to be Forgotten does not apply where processing is necessary for exercising the right of freedom of expression and information. Therefore consideration needs to be given to the specific circumstances of the case, the sensitivity of the personal data, and the interests of the public in having that information, which may vary depending on the public role played by the Data Subject.
What happened in the latest case?
In 2015 the French Data Protection Authority (the Commission National De l’informatique Et Des Libertés) instructed Google that when it received a request from a person to remove links to web pages about them, from the list of results displayed following a search conducted on the basis of that person’s name, it must apply that removal to all its search engine’s domain name extensions.
Google responded by removing the links in question but only from the results displayed following searches conducted from the Google domain names in the Member States. It also implemented so called ‘geo-blocking’ measures that meant if an internet user in the EU switched to a non-EU version of Google it would automatically be re-routed to an EU version of Google (which would not display the ‘disputed’ links). Despite this the French Data Protection Authority, using its powers under the French law that implemented the Data Protection Directive, imposed a fine of €100,000 on Google. Google challenged this decision. The French Court considered that the case raised difficult legal issues regarding the interpretation of the Right to be Forgotten and the territorial scope of the Data Controller’s obligation.
The issue in this case was about what steps Google had to take in response to a request to de-reference links. Did it have to ensure that the link was removed from all the domain names used by its search engine so that the links no longer appear, irrespective of the place where the search is initiated or whether it is conducted from a place outside the European Union? In other words the issue was about the territorial scope of Google’s obligations to de-reference links when a Data Subject makes a valid request under Article 17.
The Court deals with this as follows:
- It begins by stating that the objective of the GDPR is to provide a high level of protection of personal data throughout the European Union, and a
de-referencing of all versions of a such engine would achieve that objective.
- But it recognises the ‘ubiquitous’ nature of the internet that is global in reach and without borders.
- And it also acknowledges that not all States that host the Google search engine recognise the right of de-referencing.
- Article 17 (3) strikes a balance between the rights of the Data Subject and the right of information, but does not strike such a balance as regards the scope of de-referencing outside the EU.
- There is nothing in Article 17 of the GDPR that suggests that the EU intended that the scope of the Right to be Forgotten would extend beyond the territory of the Member States of the EU.
- Consequently there is no obligation under EU Law, for a search engine operator, who grants a request for de-referencing, under Article 17, to carry out a de-referencing on all the versions of its search engine. It is only required to implement de-referencing in all the EU Member State versions of its search engine.
- However, where necessary the search engine operator is obliged to use measures which prevent, or at the very least, seriously discourage internet users in the EU from gaining access to the ‘offending’ links in question.
The CJEU then referred the matter back to the French Courts for them to determine whether the measures taken by Google (the geo-blocking measures) or proposed by Google meet these requirements. However, what is clear is that the ‘Right to be Forgotten’ in the context of Google searches has its limits. The extent to which Google, and other search engine operators, can prevent or discourage determined internet users from gaining access to ‘de-referenced’ personal data remains to be seen.
More on these and other developments in our GDPR update workshop presented by Ibrahim Hasan. Looking for a GDPR qualification? Our practitioner certificate is the best option.