Case C-136/17 GC et al v CNIL – right to be forgotten; lawful grounds for processing of sensitive data
Four erasure requests not linked to each other and all having to do with de-linking news articles from Google search results pages, some of which contained sensitive data, were rejected by Google. The CNIL upheld Google’s assessment, considering the public’s right of information prevailed in all cases. The data subjects challenged CNIL’s decision in Court, which sent questions for a preliminary ruling to the CJEU. One key question was whether Google as a controller and within the limits of its activity as a search engine has to comply with the prohibition of processing sensitive personal data, which has very limited exceptions. In other words, should Google ensure that before displaying a search result leading to information containing sensitive data it must have in place one of the exceptions under Article 9(2)? So should there be a difference of treatment between controllers, depending on the nature of the processing they engage in? Another question was whether information related to criminal investigations falls under the definition of information related to “offences” and “criminal convictions” under Article 10 GDPR, so subject to the restrictions for processing imposed by it. The Court made detailed findings about the content of Article 17 GDPR (the right to be forgotten) and about the exceptions of the prohibition to process sensitive personal data.
- The Court makes it clear that its findings are equally applicable to the former provisions of the Directive, as well as to the current provisions of the GDPR.
- The Court reiterated that Google is a controller (#35, #36, #37) and found that the law doesn’t provide for a general derogation from the prohibition of processing sensitive data for processing conducted by an internet search engine. Therefore, that prohibition and the exceptions following it apply to search engines as well (#42, #43).
- In fact, the sensitivity of personal data is what justifies the obligations being applicable to all controllers equally, with the Court stating that exempting search-engine-controllers from the stricter regime applied to processing sensitive data would run counter to the purpose of the provisions to ensure “enhanced protection” for such processing, which “because of the particular sensitivity of the data, is liable to constitute … a particularly serious interference with the fundamental rights to privacy and the protection of personal data” (#44).
- This being said, the Court nonetheless acknowledged the practical difficulty of applying those restrictions a priori to hyperlinks that lead to webpages containing sensitive data. “The specific features of the processing carried out by the operator of a search engine in connection with the activity of the search engine … may have an effect on the extent of the operator’s responsibility and obligations under those provisions” (#45), the Court found.
- The Court added that a search engine is responsible for this processing “not because personal data referred to in those provisions appear on a web page published by a third party but because of the referencing of that page and in particular the display of the link to that web page in the list of results presented to internet users following a search on the basis of an individual’s name” (#46).
- As a consequence, the Court decided that the prohibition to process sensitive data only kicks in for search engines “by reason of that referencing, and thus via a verification, under the supervision of the competent national authorities, on the basis of a request by the data subject” (#47). This means that Google doesn’t have to justify any of the exceptions that would apply to its processing of sensitive personal data in hyperlinks displayed as search results before it receives a request from the data subject.
- So what happens after a data subject signals that a search result leads to content that includes sensitive data about them and ask for de-listing?
- The Court makes a thorough analysis of Article 17 GDPR – the right to be forgotten, by laying out its conditions of applicability as well as its exceptions. It highlights that the exercise of the freedom of expression and information is now expressly mentioned among the exceptions to the right to be forgotten, per Article 17(3) GDPR (#56, #57).
- It concludes that the GDPR “expressly lays down the requirement to strike a balance between the fundamental rights to privacy and protection of personal data guaranteed by Articles 7 and 8 of the Charter, on the one hand, and the fundamental right of freedom of information guaranteed by Article 11 of the Charter, on the other” (#59).
- The Court considers that the processing of sensitive data by a search engine can be justified by consent – Article 9(2)(a); if the data are manifestly made public by the data subject – Article 9(2)(e); or where the processing is necessary for reasons of substantial public interest – Article 9(2)(g), on the basis of EU or Member State law (#61).
- The Court then analyzes how all these three exceptions from the prohibition would apply to the processing of sensitive data by a search engine. Relevantly, the Court finds that “in practice, it is scarcely conceivable … that the operator of a search engine will seek the express consent of data subjects before processing personal data concerning them for the purposes of his referencing activity” (#62). It seems that the Court recognizes the practical impossibility for a search engine to obtain consent for its referencing activity. The Court also points out that in any case any request to have data de-listed would amount to a withdrawal of consent.
- The other possible exception – that the sensitive data have been manifestly made public, is intended to apply “both to the operator of the search engine and to the publisher of the web page concerned” (#63). The Court doesn’t further explain what “manifestly made public” means.
- When these conditions are met and provided that the other lawfulness provisions in Article 5 GDPR are complied with (purpose limitation, data minimization etc.), the processing of sensitive data is “compliant” (#64). It thus seems that the Court does not support the approach taken by the EDPB that a controller needs to first have in place a general lawful ground for processing under Article 6 GDPR and then the processing has to fall under one of the exceptions in Article 9.
- Even in the case of a compliant processing, the Court points out that data subjects can still object to that processing based on their particular situation, following Article 21 GDPR (#65).
- Ultimately, the Court shows that when dealing with a de-listing request involving sensitive data, a search engine must ascertain “having regard to the reasons of substantial public interest” per Article 9(2)(g) GDPR whether including the link at issue in the search results “is necessary for exercising the right of freedom of information of internet users potentially interested in accessing that web page by means of such a search, a right protected by Article 11 of the Charter” (#66). It thus seems that the Court links the right to information to a “substantial public interest”.
- Finally, the Court assesses the question of whether information related to ongoing criminal proceedings amount to data relating to “offences” and “criminal convictions”, falling thus under the restrictions pursuant to Article 10 GDPR. Subsequently, the Court provides guidance as to whether links leading to information relating to investigations should be deleted following a request from the data subject, if the investigation found the person concerned not guilty.
- The Court takes a broad approach and establishes that “information relating to the judicial investigation and the trial and, as the case may be, the ensuing conviction, is data relating to ‘offences’ and ‘criminal convictions’” pursuant Article 10 GDPR, “regardless of whether or not, in the course of those legal proceedings, the offence for which the individual was prosecuted was shown to have been committed” (#72).
- The Court then adds a couple of nuances concerning de-listing requests of such information.
- First, it states that “where the information in question has been disclosed to the public by the public authorities in compliance with the applicable national law” is an indication that the processing is appropriate (#73).
- Second, the Court adds that “even initially lawful processing of accurate data may over time become incompatible with [the GDPR] where those data are no longer necessary in the light of the purposes for which they were collected or processed” (#74).
- The Court provided some detailed guidance on the elements that need to be taken into account in the balancing of rights. Specifically, it made a reference to the jurisprudence of the European Court of Human Rights balancing Article 8 of the European Convention on Human Rights (privacy) and Article 10 of the Convention (freedom of expression) in cases where freedom of the press is at stake and highlighted that “account must be taken of the essential role played by the press in a democratic society, which includes reporting and commenting on legal proceedings. Moreover, to the media’s function of communicating such information and ideas there must be added the public’s right to receive them” (#76).
- The Court went further and recalled ECHR case-law stating that “the public had an interest not only in being informed about a topical event, but also in being able to conduct research into past events”.
- However, as a last point, the Court acknowledged that the public’s interest as regards criminal proceedings is “varying in degree” and “possibly evolving over time according in particular to the circumstances of the case” (#76). This last point could justify, in limited cases, de-listing of links falling in this category.
- The fact that the CJEU recalled ECHR case-law under Article 8 Convention is significant. After the EU Charter of Fundamental Rights entered into force, the CJEU built its profile as a human rights Court by building its own jurisprudence under the Charter.
- The search engine will then have to assess “in the light of all circumstances of the case” whether the data subject has the right to the information in question no longer being linked with his or her name by a list of results displayed following a search carried out on the basis of that name. The Court provides detailed guidance on the circumstances to take into account (#77):
- “the nature and seriousness of the offence in question”
- “the progress and the outcome of the proceedings”
- “the time elapsed”
- “the part played by the data subject in public life and his past conduct”
- “the public’s interest at the time of the request”
- “the content and form of the publication” and
- “the consequences of publication for the data subject”
- The last finding of the Court is perhaps also the most consequential: the Court found that even if the link will not be de-listed following the request of the data subject, the search engine is in any case required to rank first on the search results webpage information relating to the outcome of the criminal case.
- In the words of the Court, “the operator is in any event required, at the latest on the occasion of the request for de-referencing, to adjust the list of results in such a way that the overall picture it gives the internet user reflects the current legal position, which means in particular that links to web pages containing information on that point must appear in first place on the list” (#78).
Case C-507/17 Google – global de-listing requests
- In 2015, CNIL delivered a formal notice to Google that as a result of a successful de-listing request it must apply the link removal to all its search engine’s domain name extensions globally and not only to those versions of the website with EU Member States extensions (#30). Google challenged the decision in Court and that Court sent questions for a preliminary ruling to the CJEU on the interpretation of the scope of the right to erasure. Therefore, what was at issue was an automatic effect of successful de-listing requests: should a successful request be applied globally automatically?
- Court makes it clear that its interpretation concerns both the Directive and the GDPR (#41), so the effects of the judgment are valid for applying Article 17 GDPR too.
- The Court was deferential in its judgment to the legal systems outside the EU and it did emphasize that “numerous third States” don’t recognize a right to de-listing or that they have a different approach to that right (#60) and also that the balance between privacy, data protection and freedom of information “is likely to vary significantly around the world” (#60).
- The Court found that “currently” there is no obligation under EU law to de-list search engine results globally following a successful de-listing request. There is however an obligation to de-list them throughout the EU and not only in the Member State where the request was made (#64, #66).
- At the same time, the Court was also deferential to national Courts and to DPAs, explicitly allowing them to impose global de-listing orders. The Court “emphasized” that while EU law does not require search engines to automatically de-list results globally following a successful request, “it also does not prohibit such a practice” (#72).
- Citing its Melloni and Fransson jurisprudence, the Court stated that “a supervisory or judicial authority of a Member State remains competent to weigh up, in the light of national standards of protection of fundamental rights a data subject’s right to privacy and the protection of personal data concerning him or her, on the one hand, and the right to freedom of information, on the other, and, after weighing those rights against each other, to order, where appropriate, the operator of that search engine to carry out a de-referencing concerning all versions of that search engine”.
- Therefore, global de-listing orders are still possible in those Member States whose fundamental rights practice allows it (and to the extent that practice does not conflict with the EU Charter of Fundamental Rights, per Melloni and Fransson), following a case by case analysis of individual cases.
- Interestingly enough, the Court does not make any findings concerning Articles 7 and 8 Charter in this judgment, other than mentioning them in one paragraph which recalled the findings in the first Google right to be forgotten judgment.
- The Court included two findings in its judgment that justify a potential future clear legislative measured that would require successful erasure requests to automatically have a global scope.
- Court states that the referencing of a link referring to information regarding a person whose “center of interests is situated in the Union” is likely to have “immediate and substantial effects on that person within the Union itself” (#57)
- The Court then informs the EU legislature that due to the consideration above, it is competent “to lay down the obligation for a search engine operator to carry out, when granting a request for de-referencing made by such a person, a de-referencing on all the versions of its search engine” (#58).
- In fact, the Court made a point of highlighting the current lack of a specific legal provision that extends the scope of GDPR rights outside of the EU. The Court thinks that “it is in no way apparent” that the EU legislature “would…have chosen to confer a scope on the rights enshrined in those provisions which would go beyond the territory of the Member States and that it would have intended to impose on an operator which, like Google, falls within the scope of that directive or that regulation a de-referencing obligation which also concerns the national versions of its search engine that do not correspond to the Member States” (#62). Thus, the Court seems to not take into account the intention of the EU legislature to generally confer to the GDPR extraterritorial effects, which is shown by the inclusion of Article 3(2) into the GDPR.
- The consequences of the Court ignoring the potential extraterritorial scope of GDPR provisions has immediate effects on the cooperation and consistency mechanism. In the next paragraph the Court states that EU law does not currently provide for cooperation instruments and mechanisms at EDPB level as regards the scope of a de-referencing outside the Union (#63). Technically this means that if a global de-listing request is granted by one of the DPAs, then that DPA does not have to coordinate with the other DPAs at EDPB level and can act by itself.
- Further, the Court acknowledged that even at Union level there will be differences regarding the result of weighing up the interest of the public to access information and the rights to privacy and data protection, especially in the light of the GDPR allowing derogations at MS level for processing for journalistic purposes or artistic/literary expression (#67).
- If this occurs, in the case of cross-border processing, the Court stated that the EDPB must reach consensus and a single decision which is binding on all DPAs and with which the controller must ensure compliance as regards processing across the Union (#68). Therefore, for divergent practices concerning de-listing cases at Union level, the EDPB is competent to hear cases and to cooperate in order to reach a single decision and provide certainty, as opposed to divergent practices concerning de-listing cases globally where the Court decided the EDPB is not competent to cooperate on cases.