October 2, 2019
On September 24, 2019, the Court of Justice of the European Union (the “Court”) issued two rulings with respect to the online ‘right to be forgotten’.
In its first ruling, the Court provided important clarifications on the conditions under which data subjects may secure the de-referencing of a link displayed in a search result (Case C-136/17).
In the second ruling, the Court ruled on the territorial scope of the de-referencing obligation, concluding that, under EU law, Google LLC (“Google”) is not required to carry out a de-referencing on all versions of its search engine, but only on the versions of its search engine corresponding to all the Member States (Case C-507/17).
This client alert focuses on the key issues emerging from this second ruling.
The ruling is a result of proceedings between Google and the French Data Protection Authority (“CNIL”). On May 21, 2015, the CNIL issued a formal notice requiring Google to remove a link from the results of all its search engine’s domain name extensions. Google refused to do so and decided only to remove the links from the results displayed following searches on versions of its search engine in the Member States.
Considering this a failure to comply with the notice, the CNIL imposed a fine of €100,000 on Google on March 10, 2016. The company challenged the fine imposed and sought the annulment of the CNIL’s decision before the French Council of State (“Conseil d’Etat”).
Having concluded that the company’s argument raised serious issues on the interpretation of Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Directive”), the Conseil d’Etat decided to refer several questions of interpretation of EU law concerning the right to de-referencing for preliminary ruling by the Court.
The key questions referred to the Court related to whether the rules of EU law relating to data protection are to be interpreted as meaning that, where a search engine operator grants a request for de-referencing, that operator is required to carry out that de-referencing on all versions of its search engine or whether, on the contrary, it is required to do so only on the versions of that search engine “corresponding to” all the Member States or only on the version “corresponding to” the Member State of residence of the individual benefiting from the de-referencing.
The Court answered these questions by reference not only to the Directive, which was applicable on the date of the request, but also the General Data Protection Regulation (EU) 2016/679 (“GDPR”) which became applicable on May 25, 2018.
In its decision, the Court first referred to its ruling on the ‘right to be forgotten’ (Case C‑131/12, Google Spain and Google dated May 13, 2014, the “Google Spain Ruling”) (1) and then concluded that, under EU law, a search engine operator has no obligation to carry out a de-referencing on all the versions of its search engine (2). Finally, the Court clarified that EU Member State authorities remain competent to order, in certain cases, the operator of a search engine to carry out de-referencing concerning all versions of that search engine (3).
1. Obligation to remove links to web pages resulting from a search based on individual’s name
In order to answer the questions referred by the Conseil d’Etat, the Court first noted its existing ruling on the interpretation of Articles 12 b) and 14 a) of the Directive.
In the Google Spain Ruling, the Court considered that, in order to comply with the Directive, the operator of a search engine is obliged to remove from the list of results, displayed following a search made on the basis of an individual’s name, links to web pages, published by third parties and containing information relating to that individual, even in cases where the name or information is not erased beforehand or simultaneously from those web pages, and where publication on those web pages was, in itself, lawful.
Besides, the Court stated in this case that the right to de-referencing applies against a search engine operator who has one or more establishments in the territory of the Union in the context of activities involving the processing of personal data concerning data subjects, regardless of whether the processing conducted by the operator takes place in the European Union or not. In this regard, the Court referred to the “inextricable link” criterion which it applied in the Google Spain Ruling and pointed out that Google’s establishment in France carries out activities which are inextricably linked to the processing of personal data carried out for the purposes of operating the concerned search engine and that such search engine must, in view of, inter alia, the existence of gateways between its various national versions, be regarded as carrying out a single act of data processing in the context of the activities of Google’s French establishment. Such a situation therefore falls within the scope of the EU legislation on data protection.
2. Territorial scope of the de-referencing obligation
In its ruling of September 24, 2019, the Court determined the territorial scope of the de-referencing obligation, as follows:
3. Authorities of the individual Member States remain competent to order a search engine
operator to carry out a de-referencing globally
The Court held that, although there is no obligation of global de-referencing under EU law, it is not forbidden to order it. Therefore, the responsible supervisory authorities of each of the EU Member States may order, where appropriate, a search engine operator to delist results on all the versions of the search engine.
The case now reverts to the French Conseil d’Etat, which will assess the lawfulness of the decision of the CNIL issued in 2015 against Google, taking into consideration the ruling of the Court on matters of interpretation of EU law.
The following Gibson Dunn lawyers prepared this client update: Ahmed Baladi, Patrick Doris, Vera Lukic and Clémence Pugnet.
Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. For further information, please contact the Gibson Dunn lawyer with whom you usually work or any of the following leaders and members of the firm’s Privacy, Cybersecurity and Consumer Protection practice group:
Ahmed Baladi – Co-Chair, PCCP Practice, Paris (+33 (0)1 56 43 13 00, firstname.lastname@example.org)
James A. Cox – London (+44 (0)20 7071 4250, email@example.com)
Patrick Doris – London (+44 (0)20 7071 4276, firstname.lastname@example.org)
Penny Madden – London (+44 (0)20 7071 4226, email@example.com)
Michael Walther – Munich (+49 89 189 33-180, firstname.lastname@example.org)
Kai Gesing – Munich (+49 89 189 33-180, email@example.com)
Sarah Wazen – London (+44 (0)20 7071 4203, firstname.lastname@example.org)
Vera Lukic – Paris (+33 (0)1 56 43 13 00, email@example.com)
Alejandro Guerrero – Brussels (+32 2 554 7218, firstname.lastname@example.org)
Adélaïde Cassanet – Paris (+33 (0)1 56 43 13 00, email@example.com)
Guillaume Buhagiar – Paris (+33 (0)1 56 43 13 00, firstname.lastname@example.org)
Clémence Pugnet – Paris (+33 (0)1 56 43 13 00, email@example.com)
Alexander H. Southwell – Co-Chair, PCCP Practice, New York (+1 212-351-3981, firstname.lastname@example.org)
M. Sean Royall – Dallas (+1 214-698-3256, email@example.com)
Debra Wong Yang – Los Angeles (+1 213-229-7472, firstname.lastname@example.org)
Olivia Adendorff – Dallas (+1 214-698-3159, email@example.com)
Matthew Benjamin – New York (+1 212-351-4079, firstname.lastname@example.org)
Ryan T. Bergsieker – Denver (+1 303-298-5774, email@example.com)
Richard H. Cunningham – Denver (+1 303-298-5752, firstname.lastname@example.org)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, email@example.com)
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, firstname.lastname@example.org)
Kristin A. Linsley – San Francisco (+1 415-393-8395, email@example.com)
Karl G. Nelson – Dallas (+1 214-698-3203, firstname.lastname@example.org)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, email@example.com)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, firstname.lastname@example.org)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, email@example.com)
© 2019 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.