BREAKING: CJEU rules that in right to be forgotten cases a search engine cannot be ordered to undertake global delisting (but needs to delist EU-wide and undertake some geo-blocking)
In 2014, the Court of Justice of the European Union (CJEU) acknowledged the existence of a 'right to be forgotten', or a 'right to be delisted' from a search engine's results, upon fulfilment of certain conditions.
But on what scale must such delisting be made?
This was the key issue at the heart of the referral in Google v CNIL, C-507/17.
In today's ruling, the CJEU has held that the operator of a search engine is not required to carry out a de-referencing on all versions of its search engine. However, said search engine is required to carry out that de-referencing on the versions corresponding to all the Member States and to put in place measures discouraging internet users from gaining access, from one of the Member States, to the links in question which appear on versions of that search engine outside the EU.
In today’s judgment, the Court begins by recalling that it has already held that the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.
The Court points out, next, that Google Inc.’s establishment in French territory carries on activities, including commercial and advertising activities, which are inextricably linked to the processing of personal data carried out for the purposes of operating the search engine concerned and, second, that that search engine must, in view of, inter alia, the existence of gateways between its various national versions, be regarded as carrying out a single act of data processing in the context of the activities of Google Inc.’s French establishment. Such a situation therefore falls within the scope of the EU legislation on the protection of personal data.
The Court emphasises that, in a globalised world, internet users’ access — including those outside the EU — to the referencing of a link referring to information regarding a person whose centre of interests is situated in the EU is likely to have immediate and substantial effects on that person within the EU itself, so that a global de-referencing would meet the objective of protection referred to in EU law in full. However, it states that numerous third States do not recognise the right to dereferencing or have a different approach to that right. The Court adds that the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. In addition, the balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world.
However, it is not apparent from the legal texts that the EU legislature has struck such a balance as regards the scope of a de-referencing outside the EU, nor that it has chosen to confer a scope on the rights of individuals which would go beyond the territory of the Member States. Nor is it apparent from those texts that it would have intended to impose on an operator, such as Google, a de-referencing obligation which also concerns the national versions of its search engine that do not correspond to the Member States. What is more, EU law does not provide for cooperation instruments and mechanisms as regards the scope of a de-referencing outside the EU.
Thus, the Court concludes that, currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.
However, EU law requires a search engine operator to carry out such a de-referencing on the versions of its search engine corresponding to all the Member States and to take sufficiently effective measures to ensure the effective protection of the data subject’s fundamental rights. Thus, such a de-referencing must, if necessary, be accompanied by measures which effectively prevent or, at the very least, seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subject’s name from gaining access, via the list of results displayed following that search, through a version of that search engine ‘outside the EU, to the links which are the subject of the request for de-referencing. It will be for the national court to ascertain whether the measures put in place by Google Inc. meet those requirements.
Lastly, the Court points out that, while EU law does not currently require a de-referencing to be carried out on all versions of the search engine, it also does not prohibit such a practice. Accordingly, the authorities of the Member States remain competent to weigh up, in the light of national standards of protection of fundamental rights, a data subject’s right to privacy and the protection of personal data concerning him or her, on the one hand, and the right to freedom of information, on the other, and, after weighing those rights against each other, to order, where appropriate, the operator of that search engine to carry out a de-referencing concerning all versions of that search engine.
A more details analysis will follow shortly. Stay tuned!
BREAKING: CJEU rules that in right to be forgotten cases a search engine cannot be ordered to undertake global delisting (but needs to delist EU-wide and undertake some geo-blocking)
Reviewed by 0x000216
on
Tuesday, September 24, 2019
Rating: 5