Articles

The right to be forgotten – caselaw round-up

• Share

19th February 2019

Originally published on LexisPSL

Information Law analysis: How can the ‘right to be forgotten’ be balanced against freedom of expression and information? Iain G Mitchell QC, barrister at Tanfield Chambers, examines the Advocate General’s opinions on recent cases GC and Others v CNIL Case C-136/17 and Google v CNIL Case C-507/17.

What is the background to these opinions in GC and Others v CNIL Case C-136/17 and Google v CNIL Case C-507/17?

The cases concern the right to be forgotten, or, the right to de-referencing. Effectively, they take up a number of issues which were left unresolved in the leading case of Google Spain v AEPD (Marion Costeja Gonzalez) Case C-131/12, [2014] All ER (D) 124 (May). In particular, the questions of the territorial scope of the right to be de-referenced, and the extent of the obligations upon and discretion afforded to a search engine operator when in receipt of a de-referencing request are considered.
The Google Spain case decided—on the basis of Articles 12(b) and 14(a) of Directive 95/46/EC (the Data Protection Directive) and Articles 7 and 8 of the Charter of Fundamental Rights of the EU—that an individual was entitled to request that a search engine not show links to websites containing his/her personal data. The
practice has grown up that, upon receiving such requests, search engine operators exercise discretion in determining which requests to grant and which to refuse. Since 2014, Google has accepted about 44% of such requests.
If such a request is granted, it leads to the suppression of the relevant link in the search results displayed, but does not affect (and, in particular, does not erase) the data on the web page to which the link would lead. Furthermore, de-referencing does not prevent access to the website, whether directly or through a search engine, or, indeed, by means of the search engine operated by the operator who had granted the dereferencing request where the search uses alternative search terms. It is rather like having a book which makes comments about an individual, but where there has been excised from the index any reference to the passages concerning that individual.

What are each of the cases about?
GC concerned the extent of the discretion of a search engine operator (in this case, Google) to refuse dereferencing requests, and Google v CNIL concerned the territorial extent of the requirement to de-reference.

What are the circumstances in GC?
In GC, a number of individuals each requested Google to de-reference various links. GC had been shown in a satirical photomontage posted on YouTube when she was a local government candidate which referred to her position as a special advisor to the mayor and explicitly referred to her intimate relationship with him. At the time of the request, she had left her post as special advisor and was no longer involved in local government.

AF sought de-referencing of a link to a newspaper report of his activities as PR Officer of the Church of Scientology—a post he no longer held. BH sought de-referencing of links to a number of press reports relating to a judicial investigation in 1995 into his alleged involvement in political corruption, and to his subsequent indictment. The proceedings against him had been discontinued in 2010.

ED requested de-referencing of links to two press articles reporting on court proceedings in which he had been sentenced for offences of sexual assault on minors.
Google refused each of those requests. The individuals concerned lodged complaints with the Commission Nationale de l’Informatique et des Libertés (CNIL). As the CNIL had rejected the complaints, the individuals brought proceedings against the European Commission. The Conseil d’etat sought a preliminary ruling from the Court of Justice.

What is the legal context?
The applicable law was the law in force at the time of the original de-referencing requests. Accordingly, the case fell to be determined on the basis of the Data Protection Directive and the relevant French implementing legislation, rather than the General Data Protection Regulation, (EU) 2016/679 (GDPR).

What are the questions?
The first question is whether the prohibition under Article 8(1) of the Data Protection Directive—which prohibits the processing of sensitive personal data—applied to a search engine operator as it applies to other data controllers. The answer to this question has an impact on the next two questions.

The second question relates to how de-referencing requests are dealt with in the event that a search engine operator is bound by Article 8(1) of the Data Protection Directive. In particular, does it require automatic granting to all requests for de-referencing links to sensitive personal data?

The third question—which arises in the event that processing of personal data by a search engine operator is not prohibited—concerns how the search engine operator is to deal with a link to a website publishing sensitive personal data, the processing of which is unlawful.

The fourth question (whatever the answer to the first question) is, in effect, whether a search engine operator is obliged to grant a de-referencing request where the data is incomplete or inaccurate or no longer up to date, and whether the reporting of a trial or conviction amounts to data relating to offences and criminal convictions, processing which in terms of Article 8(5) of the Data Protection Directive may be carried out only under the control of the public authority, or subject to specific safeguards in national law.

Why do the answers to these questions matter?
Following Google Spain, search engine operators in general, and Google in particular, have developed systems for dealing with de-referencing requests in which they attempt to balance privacy rights of individuals against wider concerns over freedom of expression. Such systems tend to weigh all of the relevant factors and seek to come to a balanced and proportionate outcome. Such an approach involves the exercise of a high level of discretion. If the questions are answered in such a way as to require automatic granting of requests in relation to sensitive personal data, that would effectively remove the element of discretion, and might also tend to have a chilling effect on journalism and freedom of expression.

However, even if the data controller is a data processor subject to the prohibition against the processing of sensitive personal data, that prohibition is not absolute, but may take place subject to the exceptions and safeguards contained in the Data Protection Directive. Therefore, the search engine operator would not be obliged in every such case to grant the request.

At root, the case is about how to balance data protection rights against wider considerations of freedom of expression and journalism.

Has the Court given us an answer yet?

No. But the Advocate General has published his opinion.

What has the Advocate General said?
He reaches the view that the search engine operator is, indeed, a data controller who is subject to the prohibition under Article 8 of the Data Protection Directive of processing sensitive personal data, and that information on internet pages reporting on judicial proceedings constitutes sensitive data falling under Article 8(5) of the Data Protection Directive. He therefore proposes a general rule that internet links to sensitive personal data should be systematically removed. He does, however, argue that a search engine operator must be able to refuse a request for de-referencing if the processing of the data falls within the exceptions provided for under Article 8 of the Data Protection Directive.

However, he is explicit in also stating that freedom of expression must be respected. He refers to Article 9 of the Data Protection Directive—the saving for journalism or artistic and literary expression. He resists a strict interpretation of the directive, which would accord Article 9 protection only to the publisher of a web page and deny it to a search engine operator. Accordingly, he suggests that a search engine operator might refuse a de-referencing request upon determining whether Article 9 applies.

What about the GDPR?
Although the case concerns the interpretation of the Data Protection Directive, the Advocate General also makes extensive reference to the GDPR, and there is no reason to suppose that the answer he proposes would be substantially different under the GDPR regime.

What is the practical effect?
If the court follows the guidance of the Advocate General, it will mean that the wide discretion formerly exercised by Google and other search operators in relation to sensitive personal data (under the GDPR, special category data) will be severely constrained by the default position of systematic granting of dereferencing requests. It will not, however, be removed, as Article 9 of the Data Protection Directive will still give scope to refuse such requests. It does, however, represent a significant rebalancing in favour of data protection rights.

What is Google v CNIL about?
De-referencing is never wholly effective. A particular issue is that the de-referencing is generally applied only to EU domains. Therefore, in principle, a search conducted on, for example, Google.co.uk or Google.fr will not return the links, but the links will still be there on non-EU domains, such as Google.com. This is ‘in principle’ because in fact when conducting a search on, for example, Google.com from within the EU, the search engine is able to detect from the IP address of the computer the location from which the search is being conducted and automatically redirects to the domain relating to that place (eg Google.co.uk). This is not the same as geoblocking, which makes it impossible to conduct a search on any other domain than the one from which the search is being conducted.

Plainly, this means that it is relatively easy to circumvent the de-referencing of a link. The only way in which such de-referencing could ever be wholly effective would be if the de-referencing were global.

This is the view taken by CNIL who sought to compel Google to apply such a global ban. The case is now on a preliminary reference to the Court of Justice.

What is the legal context?
As in GC, the applicable law is the Data Protection Directive and the relevant French implementing legislation, rather than the GDPR.

What are the questions?

There are three questions:

• Whether the de-referencing should be applied to all search engine domain names used by the search engine operator (in effect, whether the de-referencing should be global)
• If not, whether the de-referencing should be only in the state where the request was made or apply for all EU member states
• Whether geo-blocking should be required

Why do the answers to these questions matter?
This matters because the issues are not so much questions raising the interpretation of the Data Protection Directive—though of course that does arise—as they are questions of high principle. Plainly, a global requirement would render the de-referencing right as fully effective as it could be, but it would also involve extra-territorial reach by the EU, and would, in effect, export EU data protection rights throughout the world.

There is a legal question as to whether the treaties permit such an attempt at extra-territoriality, but also
wider geopolitical issues, including:

• Questions of comity, where observance of EU data protection law might compel a search engine operator to infringe laws of other jurisdictions, such as laws protecting free speech
• Whether, what in effect would be EU censorship of the global internet might encourage censorship by less benign polities who do not permit a free press and who might seek to impose similar global censorship in respect of, say, journalism

In effect, would such a move by the EU lead to a ‘race to the bottom’ for the global internet?

Has the Court given us an answer yet?
No. But the Advocate General has published his opinion.

What does the Advocate General say?
He reaches the view that the Treaty on the Functioning of the European Union (TFEU) applies among the Member States and within their territory. Such exceptions to that principle as presently exist he treats as being truly exceptional and not a basis for extra-territoriality in Google v CNIL . He gives considerable weight to the geopolitical concerns referred to above, and he decides that there should not be a requirement for such global de-referencing. That said (and perhaps not surprisingly) he decides that de-referencing should be effective throughout all domains in the EU.

However, though the ban should not be global, the Advocate General does express the view that there is an obligation on search engine operators to take all necessary technical measures to ensure effectiveness of de-referencing and that they should therefore employ geoblocking.

What about the GDPR?
Given that his reasoning relates to the interpretation of the Treaties and to broad policy issues, there is no reason to suppose that the answer the Advocate General proposes would be substantially different under the GDPR regime.

What is the practical effect?
In effect, apart from the mandatory imposition of geoblocking, matters will remain much as they are. In particular, although geoblocking will make searches in respect of de-referenced material more difficult, it will not prevent it, as it will remain possible to circumvent the dereferencing by technical means such as the use of VPNs or ‘steam-driven’ means, such as telephoning a friend or colleague outside the EU and asking him to conduct the search. It is, however, a welcome recognition of the realisation that EU privacy rights have to be exercised sensibly in a global space.

Case details
Name: G.C. and Others v CNIL Case C-136/17
Court: Court of Justice
Advocate General: Szpunar
Date of Opinion: 10 January 2019

• Share