CJEU - C-136/17 - GC and Others (De-referencing of sensitive data)

From GDPRhub
CJEU - C-136/17 Google LLC vs CNIL
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 9(1) GDPR
Article 9(2) GDPR
Article 10 GDPR
Article 17(1) GDPR
Article 21 GDPR
Article 85 GDPR
Article 8(1) Directive 95/46
Article 8(5) Directive 95/46
Decided: 24.09.2019
Parties: CNIL
Google LLC
Case Number/Name: C-136/17 Google LLC vs CNIL
European Case Law Identifier: ECLI:EU:C:2019:773
Reference from: CE (France)
Décision N°391000, 393769, 399999, 401258
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: Matthias Smet


Information relating to legal proceedings brought against an individual and information relating to an ensuing conviction are data relating to ‘offences’ and ‘criminal convictions’ within the meaning of Article 8(5) of Directive 95/46 (and Article 10 GDPR). In addition the court judged that a search engine operator does not need to automatically delete links to specific sites following an erasure request made by the data subject. Instead, in order to determine whether to remove links to pages that contain sensitive personal data, the search engine operator would have to perform a balancing test of the competing rights in presence.

English Summary

Facts

Four applicants wanted to exercise their right to de-referencing concerning various links to third-party websites which contained sensitive data pertaining to them.

As the requests were rejected by Google, the applicants brought complaints before the Commission Nationale de l’Informatique et des Libertés (CNIL), the French data protection authority. the CNIL refused, however, to serve formal notice on Google to carry out the de-referencing requested.

Thereupon, the applicants turned to the Council of State (Counsel d’État), which ordered a stay of the proceedings and referred to the Court four questions relating to the applicability of the prohibition of the processing of sensitive data in the context of search engines and to the de-referencing of such data.

Holding

The Court recalled that an activity of a search engine, which consists in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and making it available to internet users according to a particular order of preference, must be classified as "processing of personal data" and that the operator of the search engine therefore needs to be considered a 'controller' within the means of article 4(7) GDPR.

In its preliminary ruling the court judged that:

  • Information relating to legal proceedings brought against an individual and information relating to an ensuing conviction are data relating to ‘offences’ and ‘criminal convictions’ within the meaning of Article 8(5) of Directive 95/46 (and Article 10 GDPR);
  • The operator of a search engine is in principle required to accede to requests for de-referencing links to web pages containing sensitive personal data, unless an exemption is applicable;
  • A search engine operator does not need to automatically delete links to specific sites following an erasure request made by the data subject. Instead, in order to determine whether to remove links to pages that contain sensitive personal data, the search engine operator would have to perform a balancing test of the competing rights in presence.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!