How far does the GDPR's right to be forgotten go? The CJEU's Advocate General provides his views
Reconciling the right to privacy with the right to information and freedom of expression is one of the main challenges in the digital era. Recently, Advocate-General Szpunar (“AG”), a senior legal adviser to the CJEU, delivered two opinions (cases C-507/17 and C-136/17) on the scope of the “right to be forgotten”. Here’s what you should know.
Case: Google v CNIL (C-507/17)
Following the CJEU’s landmark decision in Google Spain and Google in 2014, when individuals asked Google to be delisted (“dereferenced”) from search results, Google only did so in relation to EU domain name extensions (e.g. google.fr, but not google.com). The CNIL, the French data protection authority, found this to be insufficient. To ensure effective protection of data subject rights, the CNIL demanded that Google delist search results from all domains worldwide. Google unsuccessfully proposed a “geo-blocking” measure linked to the IP address (determining, for example, that the user is based in France) regardless of the search engine domain used. The CNIL was not persuaded and imposed a €100,000 fine for failing to comply. Google then asked that the decision be declared null and void by the French Conseil d'État (Council of State), which referred a series of preliminary questions to the CJEU.
The AG suggests that – while extraterritorial application is attractive – a distinction should be made according to the place in which the search is carried out. Searches made outside the EU should not be dereferenced. While there may be examples of extraterritorial application (such as in EU competition law or trademark law), he finds that the internet as such is not a confined territorial unit.
The right to be forgotten must be balanced against the public’s legitimate interest to access certain information, a right that could vary in states outside the EU. A worldwide right to be forgotten would (i) render EU authorities unable to define and determine a right to receive information, and (ii) limit persons in third states from accessing information, which could lead to unwelcome censorship action by third states preventing persons in the EU from accessing information outside the EU.
Does it mean that the right to be forgotten should always be limited to Europe? No. The AG softens his stance, by indicating that the default position could be changed if the balancing of fundamental rights warrants this. However, the specific circumstances of the underlying case did not. Therefore, there is still a possibility that a search engine operator may have to take dereferencing actions at the worldwide level.
In conclusion, when handling a dereferencing request, a search engine operator is not required to do this on all its domains, irrespective of the location from which the information is accessed. The search engine operator must, however, take every measure available to ensure full and effective dereferencing within the EU, including by using “geo-blocking” measures linked to IP addresses determining an EU location, irrespective of the domain name used.
Case: GC and Others v CNIL (C-136/17)
Another opinion relates to the pending case GC and Others v CNIL. The AG proposes that the CJEU should hold that a search engine operator must, as a matter of course, agree to a request to dereference sensitive data while still protecting the rights of access to information and freedom of expression (similar to the Google Spain and Google case discussed above).
What exactly happened in this case? A dispute arose between four individuals and the CNIL over its refusal to order Google to dereference various links. The web pages in question included a satirical photomontage of a female politician posted online under a pseudonym, an article referring to one of the interested parties as the public relations officer for the Church of Scientology, an investigation into a male politician, and the conviction of another interested party for sexual assaults against minors. After the four interested parties had brought proceedings, the Conseil d’État referred several questions (discussed below) to the CJEU.
What’s the difference with the Google Spain and Google case? The Google Spain and Google case only concerned non-sensitive data whose publication was, in itself, lawful. In that case, the CJEU firstly found that Google was obliged to remove links to web pages published by third parties containing information relating to a person, before, in a second step, balancing the rights of that person with Google’s economic interest and the public interest in accessing this information.
Conversely, GC and Others v CNIL concerns the processing of so-called sensitive data (such as data relating to political opinions, religious or philosophical beliefs, or sex life) where the legislator considers the processing to be unlawful. There is indeed a prohibition imposed on data controllers (such as Google) on processing such data. This would then require Google to check, ex ante and automatically (i.e. even in the absence of a request for dereferencing by a data subject), that a list of results displayed does not contain a link to Internet pages containing such data.
This control is neither possible, nor desirable, for Google. Instead, according to the AG, Directive 95/46 should be interpreted in such a way as to take account of the responsibilities, powers and capabilities of Google. These prohibitions and restrictions cannot apply to Google as if it had itself placed sensitive data on the web pages concerned. Google’s activity logically takes place only after (sensitive) data has been placed online. The AG’s conclusion on this first question is that these prohibitions and restrictions can therefore apply to Google only by reason of that referencing and, thus, through subsequent verification, when a request for dereferencing is made by a data subject.
Is there an obligation imposed on Google systematically to dereference sensitive data material? Contrary to the Google Spain and Google case, there is according to the AG no scope for a balancing exercise in the context of sensitive data. As soon as it is established that sensitive data is being processed, a request for dereferencing should be granted. The AG also takes the view that the exceptions to the prohibition on the treatment of sensitive data (e.g. consent) apply even though some of the exceptions appear to be more theoretical than practical as regards their application to Google.
Can Google rely upon the derogations authorised under freedom of expression (journalism exemption)? Yes, where there is a request for dereferencing, Google must weigh up, on the one hand, the right to privacy and data protection and, on the other hand, the right of the public to access the information concerned and the right to freedom of expression of the information provider. There is room for a balancing exercise.
Lastly, the AG addresses the question of requesting dereferencing relating to personal data that is incomplete, inaccurate or obsolete, such as press articles relating to a period before the conclusion of judicial proceedings. The AG proposes that the CJEU should hold that, in such circumstances, it is necessary for the operator of a search engine to conduct a balancing exercise on a case-by-case basis between, on the one hand, the right to privacy and data protection under the Charter of the Fundamental Rights of the European Union and, on the other hand, the right of the public to access the information concerned, while taking into account the fact that that information relates to journalism or constitutes artistic or literary expression.
The CJEU’s final decisions in both cases are expected later this year. They are likely to have a significant impact on the online right to be forgotten for the coming decade in Europe.