Articles and Downloads
The Right To Be Forgotten back in the CJEU: Advocate General Opinions on sensitive personal data and the geographical scope of de-referencing – Ian Helme
This blog post was originally featured on Inforrm, the International Forum for Responsible Media blog.
“Reconciling the right to privacy and the protection of personal data with the right to information and freedom of expression in the age of the Internet is one of the main challenges of our time.” With these words, Advocate General Szpunar opened the first of two important opinions involving Google and the right to be forgotten he delivered yesterday, 10 January 2019.
While the law considered by the Advocate General is the now-replaced Data Protection Directive 95/46 and not the GDPR, both opinions consider a number of issues in which similar arguments will undoubtedly arise under the new regime. The judgments of the CJEU are expected in the coming months. The Court tends to follow the guidance of the Advocate General – although famously in Google Spain v Costeja itself they did not.
GC & Others v CNIL
The first Opinion, and that which is arguably of more general importance, was delivered in GC and Others v CNIL, Case C-136/17 (currently only available in French). In four separate cases joined by the French courts, the applicants each sought the dereferencing of various URLs which contained, inter alia, a satirical photomontage of a female politician posted online under a pseudonym, an article referring to one of the interested parties as the public relations officer for the Church of Scientology, the placing under investigation of a male politician and the conviction of another interested party for sexual assaults against minors. Both Google LLC and the French data protection authority (CNIL) refused to order the dereferencing the applicants sought.
The Conseil d’État considered that the cases raised “a number of serious difficulties in interpreting Directive 95/46” and referred several questions to the CJEU. The two most interesting concerned how the prohibitions on processing sensitive personal data under the Directive applied to search engines; and how the journalistic exemption should be considered where the links sought to be dereferenced contained journalistic material.
Advocate General Szpunar begins his Opinion by confirming that the prohibitions in Directive 95/46 cannot apply to the operator of a search engine as if it had itself placed sensitive data on the webpages concerned. Since the activity of a search engine logically takes place only after (sensitive) data have been placed online, those prohibitions and restrictions can apply to a search engine only by reason of that referencing and, thus, through subsequent verification, when a request for dereferencing is made. At that point, however, the prohibition imposed on other data controllers on processing sensitive personal data, in particular pursuant to Article 8, applied to the activities of the operator of a search engine
Critically, the Advocate General stated that the result of that analysis was that he “did not see any place for… balancing in the context of Article 8 of Directive 95/46. Once it is established that processing of sensitive personal data takes place, it is appropriate to grant a request for dereferencing”, subject only to applicable exemptions. This is contrary to the position advocated by both Google and the United Kingdom Government, and is strikingly at odds with the position adopted by all parties in the recent NT1 case. Indeed Warby J specifically noted this potential reading of the legislation and observed that “all agree that this is not a tenable approach; the reasoning process involved would be too mechanistic to be compatible with the requirements of the Charter and the Convention…Everyone agrees that I must address the Google Spain balancing exercise at some point, with due regard to the Working Party criteria.” 
Part of the basis for the approach of Warby J in NT1 was that Google could not rely upon the journalistic exemption, so that “free speech justifications for disclosing sensitive personal information” could not be considered. The Advocate General in GC here again proposes that the CJEU take a different approach, and conclude that a search engine could rely upon the journalism exemption in Article 9 of the Directive if the underlying material justified it. This relies upon a somewhat strained reading of Google Spain, but permits a balancing act between competing Charter rights to be undertaken even in respect of sensitive personal data and would appear to accord with the current position under GDPR Article 17.
Finally, the Advocate General considered requests for de-referencing personal data which have become incomplete, inaccurate or obsolete, such as, for example, press articles relating to a period before the conclusion of judicial proceedings. He proposes that the Court should hold that, in such circumstances, it is necessary for the operator of a search engine to conduct a balancing exercise on a “case-by-case basis” between, on the one hand, the right to respect for private life and the right to protection of data under Articles 7 and 8 of the Charter of the Fundamental Rights of the European Union and, on the other hand, the right of the public to access the information concerned, while taking into account the fact that that information relates to journalism or constitutes artistic or literary expression.
Google v CNIL
The second case, Google v CNIL Case 507/17 (also currently only in French) concerns a shorter point but one of potentially great significance, concerning the geographical scope of the right to dereferencing under European law and in particular “whether the provisions of Directive 95/46 require a national, European or worldwide dereferencing.”
After a successful dereferencing request, CNIL required Google to affect the delisting in relation to all domain name extensions of its search engine. Google refused, and limited the delisting to (1) searches performed on the domain names corresponding to the versions of its search engine in the Member States of the EU; and (2) “geo-blocking” of the delisted results “regardless of the version of search engine used” on the basis of a search conducted using an IP address deemed to be located in the State of residence of the person concerned. CNIL regarded these steps as insufficient and fined Google 100,000 Euros by way of sanction.
Google sought the annulment of CNIL’s decision before the Conseil d’État, which decided to refer several questions to the Court of Justice for a preliminary ruling.
The Advocate General takes the view that search requests made outside the EU should not be affected by the de-referencing of the search results and proposed that the Court adopt “a European dereference” right. He acknowledged that the idea of global dereferencing appealed by virtue of its “clarity, simplicity and efficiency” but concluded that such an approach failed sufficiently to account for all of the rights at issue and Directive 95/46 could not be extended or create rights beyond the boundaries of the European Union.
He identified the “key argument” against a worldwide dereferencing obligation as being the requirement that the fundamental right to be forgotten must be balanced against other fundamental rights, such as the right to data protection and the right to privacy, as well as the legitimate public interest in accessing the information sought. He stated that, if worldwide de-referencing were permitted, the EU authorities would not be able properly to define and determine a right to receive information, let alone balance it against the other fundamental rights to data protection and to privacy. A public interest in accessing information will necessarily vary from one third State to another depending on its geographic location.
There would also be a risk, if worldwide de-referencing were possible, that persons in third-party States would be prevented from accessing information and, in turn, that third-party States would prevent persons in the EU Member States from accessing information. He therefore proposed that the Court should hold that the search engine operator is not required, when acceding to a request for dereferencing, to carry out that dereferencing on all the domain names of its search engine in such a way that the links in question no longer appear, irrespective of the location from which the search on the basis of the requesting party’s name is performed.
However, the Advocate General did emphasise that, once a right to dereferencing within the EU has been established, the search engine operator must take every measure available to it to ensure full and effective dereferencing within the EU, including by use of the ‘geo-blocking’ technique in respect of an IP address deemed to be located in one of the Member States, irrespective of the domain name used by the internet user who performs the search.
Finally, it should be noted that the Advocate General did not rule out the possibility that it may be appropriate in some circumstances to order worldwide dereferencing: “This does not mean, however, that EU law can never require a search engine operator such as Google to undertake global actions. I do not exclude that there may be situations in which the [law] requires application of the provisions of Directive 95/46 beyond the territory of the Union.” On the approach of the Advocate General it is difficult to assess when such cases might arise, but he does appear to leave room for an Equustek-type injunction to protect data protection rights if ever the situation justifies such a Draconian order.