The European Court of Justice has published its rulings in two prominent cases addressing the scope of ‘the right to be forgotten’ under EU privacy laws. Both cases involved Google and the French National Commission on Informatics and Liberty (‘CNIL’).
The right to be forgotten was based on the ECJ’s interpretation of the previous Data Protection Directive in a 2014 case involving Google. The right, which was later implemented in the General Data Protection Regulation (GDPR), enables European data subjects to request the erasure and removal of all their personal information under certain conditions.
The first case stems from the CNIL’s decision regarding Google’s application of the right to be forgotten on a global basis. In 2015, CNIL requested Google to globally delist search results containing personal information that was subject to the right to be forgotten requests from its search engine. Google removed the links only from its European domain names, but refused to delist the search results from domain names available outside of Europe. In response the French regulator fined Google EUR 100,000. Google challenged the ruling at France’s Council of State, which turned to the European Court of Justice for guidance.
Earlier this year, Google won the support of the European Court of Justice’s Advocate General (AG), in a nonbinding recommendation delivered to the Court. The AG claimed that the right to be forgotten should be limited to Europe only. In its decision, the Court ruled that there is no obligation under EU law for search engine operators to delist search results that are subject to the right to be forgotten in all of their domains upon a de-referencing request from a data subject or regulatory body. Upon a justified request, the operator must delist the results for all European domains only.
The European Court of Justice emphasised that the Internet is a global network without borders, and although the delisting of all references from all domain names will meet the objectives of the right in full, it should be recognised that various countries did not acknowledge the right to be forgotten.
The second case focused on a dispute between four French data subjects and Google and CNIL, after both the tech giant and the French regulator refused a request to delist sensitive information from Google’s search engine.
According to the European Court of Justice’s decision, the restrictions and prohibitions on the processing of special categories of personal data, specifically when the data subject’s consent to such processing was revoked, apply to operators of search engines as any other processor or controller. Upon the data subject’s request, a search engine operator must delist results leading to a web page containing sensitive personal information (such as health related information or information on political view of an individual), even if this data was not erased beforehand by the web page.
In some circumstances, the operator may refuse to accede to a request for delisting. A refusal can be made when it establishes that the relevant links are covered by the exceptions listed in the GDPR (and the previous Directive), or where it deems that there is a substantial public interest and the links are necessary for exercising the right for freedom of information.