CJEU - C-136/17 - GC and Others (De-referencing of sensitive data)
CJEU - C-136/17 GC and Others (De-referencing of sensitive data) | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 9(1) GDPR Article 9(2) GDPR Article 10 GDPR Article 17(1) GDPR Article 21 GDPR Article 85 GDPR Article 8(1) Directive 95/46 Article 8(5) Directive 95/46 |
Decided: | 24.09.2019 |
Parties: | CNIL Google LLC |
Case Number/Name: | C-136/17 GC and Others (De-referencing of sensitive data) |
European Case Law Identifier: | ECLI:EU:C:2019:773 |
Reference from: | CE (France) Décision N°391000, 393769, 399999, 401258 |
Language: | 24 EU Languages |
Original Source: | Judgement |
Initial Contributor: | Matthias Smet |
Information relating to legal proceedings brought against an individual and information relating to an ensuing conviction are data relating to ‘offences’ and ‘criminal convictions’ within the meaning of Article 8(5) of Directive 95/46 (and Article 10 GDPR). In addition the court judged that a search engine operator does not need to automatically delete links to specific sites following an erasure request made by the data subject. Instead, in order to determine whether to remove links to pages that contain sensitive personal data, the search engine operator would have to perform a balancing test of the competing rights in presence.
English Summary
Facts
Four applicants wanted to exercise their right to de-referencing concerning various links to third-party websites which contained sensitive data pertaining to them.
As the requests were rejected by Google, the applicants brought complaints before the Commission Nationale de l’Informatique et des Libertés (CNIL), the French data protection authority. the CNIL refused, however, to serve formal notice on Google to carry out the de-referencing requested.
Thereupon, the applicants turned to the Council of State (Counsel d’État), which ordered a stay of the proceedings and referred to the Court four questions relating to the applicability of the prohibition of the processing of sensitive data in the context of search engines and to the de-referencing of such data.
Holding
The Court recalled that an activity of a search engine, which consists in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and making it available to internet users according to a particular order of preference, must be classified as "processing of personal data" and that the operator of the search engine therefore needs to be considered a 'controller' within the means of article 4(7) GDPR.
In its preliminary ruling the court judged that:
- Information relating to legal proceedings brought against an individual and information relating to an ensuing conviction are data relating to ‘offences’ and ‘criminal convictions’ within the meaning of Article 8(5) of Directive 95/46 (and Article 10 GDPR);
- The operator of a search engine is in principle required to accede to requests for de-referencing links to web pages containing sensitive personal data, unless an exemption is applicable;
- A search engine operator does not need to automatically delete links to specific sites following an erasure request made by the data subject. Instead, in order to determine whether to remove links to pages that contain sensitive personal data, the search engine operator would have to perform a balancing test of the competing rights in presence.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!