Clarification of search engine obligations under European data protection laws

The Court of Justice of the EU (CJEU) has declaredhowever, that search engines must take steps to enforce the removal in all EU countries and seek to prevent users in those countries from circumventing such geo-blocking measures.

“When a search engine operator grants a request for delisting [under EU data protection law]this operator is not required to carry out this delisting on all the versions of its search engine, but on the versions of this search engine corresponding to all the Member States, using, where appropriate, measures which, while by meeting legal requirements, effectively preventing or, at the very least, seriously discouraging an Internet user carrying out a search from one of the Member States on the basis of the name of a data subject from accessing, via the list of results displayed on following this search, to the links that are the subject of this request,” the CJEU said.

In a previous ruling, the CJEU clarified that under EU data protection laws, a search engine has a qualified obligation to remove a web page, or URL, from its search results when an individual asks him to do so if the web page in question contains information about that person and the information in question is “inadequate, irrelevant, no longer relevant or excessive”.

However, not all of these so-called “right to be forgotten” requests must be respected, as the search engine is forced to carry out a balancing exercise to determine whether other rights, such as those related to freedom of expression, outweigh the privacy rights at issue and justify the continued availability of the information in question.

However, there has been some debate about the territorial scope of the delisting that search engines should implement when accepting right to be forgotten requests. The French Council of State has asked the CJEU to clarify the responsibilities of search engines in the matter after Google challenged an order issued by the Commission Nationale de l’Informatique et des Libertés (CNIL) to implement the delisting globally, not just in relation to search results displayed in the EU.

The court applied its findings to the provisions of the General Data Protection Regulation (GDPR) which came into effect in 2018.

In a separate decision Also released on Tuesday morning, the CJEU provided guidance on how search engines should assess “right to be forgotten” requests that seek the removal of results relating to web pages containing sensitive personal data.

This second case arises from the interpretation of the provisions contained in the European Data Protection Directive. This directive was repealed in 2018 when the GDPR came into force. Recognizing this, the decision refers throughout to equivalent provisions in the GDPR, and can therefore be seen as providing guidance to search engines in relation to the current legal framework as well.

In its judgment, the CJEU said that search engines were subject to rules prohibiting or restricting the processing of sensitive personal data under the old directive, and that in principle they are obliged to respond to delisting requests. concerning sensitive personal data, with some exceptions. listed in the directive applied.

The CJEU said the directive gives search engines the ability to “refuse a request to delist” sensitive personal data in certain limited circumstances.

However, although the judgment is framed in terms of “exceptions”, perhaps the most important of these is that a search engine will have the right to refuse to remove results from the list in circumstances where the Continued availability of these results is in “substantial public interest”.

This means that for requests relating to sensitive personal data, search engines must carry out a competing rights assessment in the same way as they do for a request relating to ordinary personal data – they must carry out a of balancing. When the data in question are sensitive personal data, the balance will consist in establishing whether it is “strictly necessary” that the results remain available for the purpose of protecting “the freedom of information of Internet users potentially interested in the access to this web page by means of such a search,” the court said.

The assessment will involve balancing the claimant’s rights to privacy and protection of personal data against those rights to freedom of information, the CJEU said. All of these rights are qualified rights enshrined in the Charter of Fundamental Rights of the EU.

Other considerations will also apply, for example, where “the processing relates to data which is manifestly made public by the data subject”, this may be invoked by the search engine.