The Court of Justice of the European Union has ruled in Case C-507/17 Google LLC, successor in law to Google Inc. v Commission nationale de l’informatique et des libertés that a search engine operator is not required to carry out a de-referencing on all versions of its search engine.
However, it is required to carry out de-referencing on its EU member state versions. Further, it must put measures in place to discourage internet users from gaining access, from within an EU member state, to the links appearing on non-EU versions of the search engine.
In March 2016 the French data protection authority (CNIL) imposed a penalty of €100,000 on Google Inc because of Google’s refusal to apply de-referencing requests to all its search engine’s domain name extensions. In 2015, CNIL had given Google formal notice to apply the de-referencing to all versions.
Google brought proceedings to annul CNIL’s adjudication. It considered that the right to de-referencing does not necessarily require that the links at issue are to be removed, without geographical limitation, from all its search engine’s domain names.
The French court referred several questions to the CJEU to ask if EU law is to be interpreted as meaning that, where a search engine operator grants a request for de-referencing, that operator is required to carry out that de-referencing on all versions of its search engine. Or, on the contrary, it is required to do so only on the versions of that search engine corresponding to all the member states or only on the version corresponding to the member state of residence of the person benefiting from the de-referencing.
Previous CJEU case law stipulates that a search engine is obliged to remove from the list of results displayed following a search for a person’s name links to websites, published by third parties and containing information relating to that person. This also applies where that name or information is not erased beforehand or simultaneously from those websites, and even if its publication is lawful.
The court pointed out that Google’s establishment in French territory carries on activities, including commercial and advertising activities, which are inextricably linked to the processing of personal data carried out for the purposes of operating the search engine concerned. The search engine must, in view of the existence of gateways between its various national versions, be regarded as carrying out a single act of data processing in the context of the activities of Google’s French establishment. Therefore it falls within the scope of EU data protection legislation.
The court emphasised that, in a globalised world, internet users’ access, including those outside the EU, to the referencing of a link referring to information about a person situated in the EU is likely to have immediate and substantial effects on that person within the EU itself. Therefore a global de-referencing would fully meet the objective of protection in EU law. However, numerous third countries do not recognise the right to de-referencing or take a different approach to that right. The court added that the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society. It must be balanced against other fundamental rights, in accordance with the principle of proportionality. In addition, the balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world.
However, it is not apparent that the EU legislature has struck such a balance regarding the scope of a de-referencing outside the EU, nor that it has chosen to confer a scope on the rights of individuals which would go beyond the territory of EU member states. Nor is it apparent that it would have intended to impose on an operator, such as Google, a de-referencing obligation which also concerns the national versions of its search engine outside the EU. In addition, EU law does not provide for cooperation instruments and mechanisms regarding the scope of a de-referencing outside the EU.
As a result, the court concluded that there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject following an injunction from a supervisory or judicial authority of an EU member state, to carry out such a de-referencing on all the versions of its search engine.
However, EU law requires a search engine operator to carry out such a de-referencing on the EU versions of its search engine and to take sufficiently effective measures to ensure the effective protection of the data subject’s fundamental rights. Consequently, such a de-referencing must, if necessary, be accompanied by measures which effectively prevent or, at the very least, seriously discourage, an internet user conducting a search from an EU member state for a data subject’s name from gaining access, via the search results, through a version of that search engine outside the EU, to the links which are the subject of the request for de-referencing. It is for the national court to decide if the measures put in place by Google meet those requirements.
Lastly, the court pointed out that, while EU law does not currently require a de-referencing to be carried out on all versions of the search engine, it does not prohibit such a practice. Therefore, the authorities of each member state may weigh up, in the light of national standards of protection of fundamental rights, a data subject’s right to privacy and the protection of personal data and the right to freedom of information. After carrying out that assessment, a national authority could order, where appropriate, the operator of that search engine to carry out a de-referencing concerning all versions of that search engine.