CJEU - C-136/17 - GC and Others

From GDPRhub
Revision as of 11:38, 30 September 2021 by Matthias.smet
CJEU - C-136/17 Google LLC vs. CNIL
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 9(1) GDPR
Article 9(2) GDPR
Article 10 GDPR
Article 17(1) GDPR
Article 21 GDPR
Article 85 GDPR
Article 8(1) Directive 95/46
Article 8(5) Directive 95/46
Decided: 24.09.2019
Parties: CNIL
Google LLC
Case Number/Name: C-136/17 Google LLC vs. CNIL
European Case Law Identifier: ECLI:EU:C:2019:773
Reference from: Conseil d'État
Décision N°391000, 393769, 399999, 401258
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: Matthias Smet

Information relating to legal proceedings brought against an individual and information relating to an ensuing conviction are data relating to ‘offences’ and ‘criminal convictions’ within the meaning of Article 8(5) of Directive 95/46 (and Art. 10 GDPR)

English Summary

Facts

Four applicants sought to exercise their right to de-referencing with respect to various links to third-party websites containing sensitive data pertaining to them.

As the requests were rejected by Google, the applicants brought complaints before the Commission Nationale de l’Informatique et des Libertés (CNIL), the French data protection authority, which refused to serve formal notice on Google to carry out the de-referencing requested.

Thereupon, the applicants made applications to the Council of State (Conseil d’État), which stayed the proceedings and referred to the Court four questions relating to the applicability of the prohibition of the processing of sensitive data in the context of search engines and to the de-referencing of such data.

Holding

The Court recalled in its judgment that the activity of a search engine, consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and making it available to internet users according to a particular order of preference, must be classified as "processing of personal data", and thus the operator of the search engine must be considered a 'controller' within the meaning of Article 4(7) GDPR.


The Court held in its preliminary ruling that:
- information relating to legal proceedings brought against an individual and information relating to an ensuing conviction are data relating to ‘offences’ and ‘criminal convictions’ within the meaning of Article 8(5) of Directive 95/46 (and Art. 10 GDPR);
- the operator of a search engine is in principle required to accede to requests for de-referencing links to web pages containing sensitive personal data, unless an exemption is applicable;
- a search engine operator does not need to automatically delete links to specific sites following an erasure request made by the data subject. Instead, in order to determine whether to remove links to pages that contain sensitive personal data, the search engine operator has to perform a balancing test of the competing rights at stake.
