CJEU - C-136/17 - GC and Others (De-referencing of sensitive data)
CJEU - C-136/17 Google LLC vs.CNIL | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 9(1) GDPR Article 9(2) GDPR Article 10 GDPR Article 17(1) GDPR Article 21 GDPR Article 85 GDPR Article 8(1) Directive 95/46 Article 8(5) Directive 95/46 |
Decided: | 24.09.2019 |
Parties: | CNIL Google LLC |
Case Number/Name: | C-136/17 Google LLC vs.CNIL |
European Case Law Identifier: | ECLI:EU:C:2019:773 |
Reference from: | Conseil d'État Décision N°391000, 393769, 399999, 401258 |
Language: | 24 EU Languages |
Original Source: | Judgement |
Initial Contributor: | Matthias Smet |
Information relating to legal proceedings brought against an individual and information relating to an ensuing conviction are data relating to ‘offences’ and ‘criminal convictions’ within the meaning of Article 8(5) of Directive 95/46 (and Art. 10 GDPR)
English Summary
Facts
Four applicants who wanted to exercise their right to de-referencing concerning various links to third-party websites containing sensitive data pertaining to them.
As the requests were rejected by Google, the applicants brought complaints before the Commission Nationale de l’Informatique et des Libertés (CNIL), the French data protection authority, which refused to serve formal notice on Google to carry out the de-referencing requested.
Thereupon, the applicants made applications to the Council of State (Counsel d’État), which stayed the proceedings and referred to the Court four questions relating to the applicability of the prohibition of the processing of sensitive data in the context of search engines and to the de-referencing of such data.
Holding
The court recalled in its judgment that an activity of a search engine, consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and making it available to internet users according to a particular order of preference must be classified as "processing of personal data" and thus the operator of the search engine needs to be considered as a 'controller' within the means of article 4(7) GDPR.
The court judged in its preliminary ruling that:
- information relating to legal proceedings brought against an individual and information relating to an ensuing conviction are data relating to ‘offences’ and ‘criminal convictions’ within the meaning of Article 8(5) of Directive 95/46 (and Art. 10 GDPR);
- the operator of a search engine is in principle required to accede to requests for de-referencing links to web pages containing sensitive personal data, unless an exemption is applicable;
- A search engine operator does not need to automatically delete links to specific sites following an erasure request made by the data subject. Instead, in order to determine whether to remove links to pages that contain sensitive personal data, the search engine operator would have to perform a balancing test of the competing rights in presence.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!