Language of document : ECLI:EU:C:2019:772

Case C507/17

Google LLC

v

Commission nationale de l’informatique et des libertés (CNIL),

(Request for a preliminary ruling from the Conseil d’État (France))

 Judgment of the Court (Grand Chamber), 24 September 2019

(Reference for a preliminary ruling — Personal data — Protection of individuals with regard to the processing of such data — Directive 95/46/EC — Regulation (EU) 2016/679 — Internet search engines — Processing of data on web pages — Territorial scope of the right to de-referencing)

1.        Approximation of laws — Protection of individuals with regard to the processing of personal data — Directive 95/46, Articles 12 and 14 — Right of the data subject to access personal data and right to object to the processing of such data — Right to request that links to web pages be removed from the list of results — Conditions

(European Parliament and Council Directive 95/46, Arts 12(b) and 14, first para., (a))

(see paragraph 44)

2.        Approximation of laws — Protection of individuals with regard to the processing of personal data — Directive 95/46, Articles 12 and 14 — Right of the data subject to access personal data and right to object to the processing of such data — Search conducted using a search engine on the basis of a person’s name — Display of a list of results — Right to request that that information no longer be made available to the general public

(Charter of Fundamental Rights of the European Union, Arts 7 and 8; European Parliament and Council Directive 95/46, Arts 6(1)(c) to (e), 12(b) and 14, first para., (a))

(see paragraph 45)

3.        Approximation of laws — Protection of individuals with regard to the processing of personal data — Directive 95/46, Article 4 — National law applicable — Processing of personal data in the context of the activities of the establishment of a search engine operator situated on the territory of a Member State — Scope — Promotion and sale of advertising space oriented towards the inhabitants of that Member State offered by that search engine via that establishment — Included

(European Parliament and Council Directive 95/46, Art. 4(1)(a); European Parliament and Council Regulation 2016/679, Art. 3(1))

(see paragraphs 49-51)

4.        Approximation of laws — Protection of individuals with regard to the processing of personal data — Directive 95/46 — Rights to rectification and erasure of data — Right to de-referencing — Territorial scope — Obligation for a search engine operator to carry out the de-referencing only on the versions of its search engine corresponding to all the Member States — Obligation for that operator to take effective measures to prevent or discourage internet users from gaining access to the links that are the subject of the de-referencing — Verification by the national court

(European Parliament and Council Directive 95/46, Arts 12(b) and 14, first para., (a)); European Parliament and Council Regulation 2016/679, Art. 17(1))

(see paragraphs 60-73, operative part)

Résumé

The operator of a search engine is not required to carry out a de-referencing on all versions of its search engine

By judgment of 24 September 2019, Google (Territorial scope of de-referencing) (C‑507/17), the Court, sitting as the Grand Chamber, held that the operator of a search engine is, in principle, required to carry out a de-referencing only on the versions of its search engine corresponding to all the Member States.

The Commission nationale de l’informatique et des libertés (French Data Protection Authority, France) (‘the CNIL’) served formal notice on Google that, where that company grants a request for de-referencing, it must remove from the list of results displayed on all its search engine’s domain name extensions following a search conducted on the basis of the name of the data subject links to web pages containing personal data concerning that data subject. Following Google’s refusal to comply with that formal notice, the CNIL imposed a penalty of EUR 100 000 on that company. The Conseil d’État (Council of State, France), in the proceedings initiated before it by Google, asked the Court to specify the territorial scope of the obligation for a search engine operator to give effect to the right to de-referencing under Directive 95/46. (1)

First of all, the Court recalled the possibility, under EU law, for natural persons to assert their right to de-referencing against a search engine operator who has one or more establishments in the territory of the Union, regardless of whether the processing of personal data (in the present case, the referencing of links to web pages containing personal data concerning the person availing himself of that right) takes place in the Union or not. (2)

As regards the scope of the right to de-referencing, the Court considered that the operator of a search engine is required to carry out the de-referencing not on all versions of its search engine, but on the versions of that search engine corresponding to all the Member States. It noted in that regard that, while a universal de-referencing would, in view of the characteristics of the internet and search engines, meet the EU legislature’s objective of guaranteeing a high level of protection of personal data throughout the European Union in full, it is in no way apparent from EU law (3) that, for the purposes of achieving such an objective, the legislature would have chosen to confer a scope on the right to de-referencing which would go beyond the territory of the Member States. In particular, while EU law establishes cooperation mechanisms between the supervisory authorities of the Member States in order that they may come to a joint decision based on weighing the right to privacy and the protection of personal data, on the one hand, against the interest of the public in various Member States in having access to information, on the other, no provision is currently made for such mechanisms as regards the scope of a de-referencing outside the Union.

As EU law currently stands, it is for the operator of a search engine to carry out the requested de-referencing not only on the version of the search engine corresponding to the Member State of residence of the person benefiting from that de-referencing but on the versions of the search engine corresponding to the Member States, in order, in particular, to ensure a consistent and high level of protection throughout the European Union. Moreover, it is for such an operator to take, if necessary, sufficiently effective measures to prevent or, at the very least, seriously discourage EU internet users from gaining access, as the case may be from a version of the search engine corresponding to a third State, to the links concerned by the de-referencing, and it is for the national court to ascertain whether the measures adopted by the operator meet that requirement.

Lastly, the Court emphasised that, although EU law does not require the operator of a search engine to carry out a de-referencing on all the versions of its search engine, it also does not prohibit such a practice. Accordingly, a supervisory or judicial authority of a Member State remains competent to weigh up, in the light of national standards of protection of fundamental rights, a data subject’s right to privacy and the protection of personal data concerning him or her, on the one hand, and the right to freedom of information, on the other, and, after weighing those rights against each other, to order, where appropriate, the operator of that search engine to carry out a de-referencing concerning all versions of that search engine.


1      Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31). That directive was repealed, with effect from 25 May 2018, by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1).


2      Article 4(1)(a) of Directive 95/46, and Article 3(1) of Regulation 2016/679.


3      Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46, and Article 17(1) of Regulation 2016/679.