Last week also brought new developments regarding the interpretation of the right to be forgotten - a widely discussed right of data subjects developed by the Court of Justice in its earlier jurisprudence (see our 2014 post Google as data controller...). More specifically, Advocate-General Szpunar delivered his opinions in the two pending cases: C-136/17 G.C. and Others v CNIL and C-507/17 Google v CNIL. Just like Google Spain, both cases relate to Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (and not yet the General Data Protection Regulation). Both are also concerned with the scope of search engine operators' obligation to respond to de-referencing requests by data subjects.
Background of the cases
Both references of the French Conseil d’État pertained to disputed decisions of the national data protection authority (Commission for Information Technology and Civil Liberties, CNIL). The setting of each case was nevertheless quite different. In C-136/17 the CNIL refused to take measures against Google for failing to de-reference various links from search results and the affected data subjects complained about inaction. In C-507/17, by contrast, the search engine provider contested the sanctions imposed by the authority.
AG's opinions
The opinions presented last Thursday by the Advocate-General Szpunar shed light on several important aspects of the right to be forgotten: 1) the role of search engine operators in relation to sensitive data, 2) the nature of the respective obligation to respond to de-referencing requests, and 3) territorial reach of required de-referencing measures.
Processing sensitive data by search engine operators
As readers may recall, one of the controversial elements of the 2014 Google Spain judgment was the qualification of search engine operators as data controllers. This implied that the processing of personal data in the course of relevant activities needed to be authorized under one of the legal bases set out in the Directive. While the broader implications of this finding may not have been immediately apparent in the case of non-sensitive data, the picture became more complex as soon as special categories of data (e.g. about religious or philosophical beliefs) came into play. One of the questions asked in G.C. and Others was thus whether the prohibition of processing data falling within certain specific categories also applied to search engine operators.
The Advocate-General sought a balanced solution. He essentially replied in the affirmative, but observed that specific responsibilities, powers and capabilities of search engine operators should be taken into account as part of the interpretation. In particular, it was recognized that the processing carried out by such entities is secondary in its nature (an argument Google already tried to advance in the 2014 case). Hence, according to the AG, prohibitions and restrictions set out in the Data Protection Directive could only apply to an operator of search engine by reason of his referencing activities (searching, finding and making information available in an efficient way). Ex ante control of referenced web pages, which - so the AG - is covered neither by the responsibility, nor by capabilities of search engine providers, should therefore be excluded. Consequently, also with respect to sensitive categories of data, the primary focus remains on ex post verification of de-referencing requests, which was the subject of remaining questions.
Systematic de-referencing
In respect to the search engine operator's de-referencing duty (as a correlate of data subject's right to be forgotten), the Advocate-General first considered whether search engine operators are obliged to systematically de-reference web pages on which sensitive data appear, as soon as the absence of a legal ground for the processing is established. This matter appears to have divided the intervening parties and certainly needs to be looked at in more detail after all language versions of the opinion are available. For the time being, it suffices to report that, in view of the AG, an operator of a search engine should generally be required to accede, as a matter of course (i.e. without regard to elements other than the lack of legal ground), to requests for de-referencing relating to web pages on which sensitive data appear, subject to limited exceptions provided for in Article 8. Notably, however, if the contested processing of personal data falls within the scope of Article 9 of Directive 95/46, i.e. when the processing is carried out solely for journalistic, artistic or literary purposes, a balancing exercise can be required, possibly resulting in the refusal of de-referencing requests.
Territorial scope
The second of the discussed cases, Google v CNIL, dealt with the territorial scope of de-referencing measures. By way of illustration: in case of a request from a French data subject, should Google only deactivate links on Google.fr, on all EU domains, or on all worldwide domains? Or perhaps such de-referencing should (also) depend on the location from which the search is performed (assessed based on the IP address)? It this respect, the AG decided to put limits on the CNIL's extraterritorial ambitions. In particular, he insisted that search requests made outside the EU should not be affected by the de-referencing of search results. A different (broader) interpretation could, in view of the AG, create significant limitations in access to information, and as such should be approached with caution. Considering the facts of the case, worldwide de-referencing duty did not appear justified.
When it comes to the EU, however, the Advocate-General came out in favour of a rather broad territorial scope of de-referencing. Specifically, according to the opinion, once a right to be forgotten within the EU has been established, the search engine operator should take all measures available to it to ensure full and effective de-referencing within the EU, including by use of ‘geo-blocking’ in respect of an IP address located in the EU, irrespective of the domain name used by the internet user.
Concluding thought
Concluding thought
The opinions of the Advocate-General come at a time of a heated debate about the application of the European data protection framework following its recent reform. Both the right to be forgotten and the territorial scope of act have been exhaustively discussed in the legislative process leading to the adoption of the GDPR. As usual, the judgment of the Court of Justice is awaited with interest. This time, however, it will reveal not only whether the CoJ shares the view of its advisor, but also to what extent the interpretation eventually provided affects the framework applicable today.
