On 10 January 2019, Advocate General Szpunar (the "AG") issued his opinions in Cases C-507/17 and C-136/17 on the scope of the right to be forgotten with respect to the obligations of search engine operators.

At the outset, it should be pointed out that both cases do not concern the interpretation of the General Data Protection Regulation 2016/679 ("GDPR") but rather Data Protection Directive 95/46, which was repealed on 25 May 2018.

Google v. CNIL: European Territorial Scope of Right to Be Forgotten

On 10 January 2019, the AG issued his opinion in Case C-507/17, Google v. CNIL, on the territorial scope of the 'right to be forgotten'.

The dispute in question stemmed from a disagreement between Google and the French Commission for Information Technology and Civil Liberties ("CNIL"). Google had been served a formal notice by CNIL requesting the worldwide removal of links to webpages generated by searching a person's name.

Google refused to comply fully and only did so for the domain names corresponding to the versions of its search engine in the Member States of the EU, while also proposing to 'geoblock' access from IP addresses deemed to be located in the state of residence of the person concerned. CNIL regarded this proposal as insufficient and imposed a fine of EUR 100,000.

Google sought to have the CNIL decision annulled before the "Conseil d'Etat" which decided to seek clarification from the Court of Justice of the European Union ("ECJ") on several questions.

In its first question, the "Conseil d'État" asked whether the geographical scope of the right to de-referencing under EU law is 'national, European or worldwide'. In other words, does the operator of a search engine, when granting a request for de-referencing, have to perform this de-referencing on all the domain names of its engine so that the disputed links no longer appear irrespective of the place from which the name search was launched?

The AG first clarifies that Google Spain and Google (Case C‑131/12) does not expressly govern the issue of the territorial scope of de-referencing. However, pursuant to Article 52 of the Treaty on European Union, the Treaties apply to the territory of the 28 Member States. Outside this territory, Union law cannot apply or create rights and obligations, without running the risk of violating international law.

The AG acknowledges that even if extraterritorial effects are possible in specific cases affecting the internal market, such as competition and trade mark law, such effects should not be afforded to the territorial scope of the right to be forgotten, since the internet is by its very nature accessible worldwide. Even if he admits that a global right of de-referencing appeals for its "clarity, simplicity and efficiency," he does not favour giving the provisions of EU law such a broad interpretation.

He explains further that the fundamental 'right to be forgotten' is not absolute, but must be balanced against other fundamental rights, such as the right to data protection and the right to privacy, as well as the legitimate public interest in accessing the information sought. Furthermore, if de-referencing had worldwide territorial scope, the EU authorities would not be in a position to define and determine a right to receive information. There would also be a risk that third countries would be prevented from accessing information, and vice versa.

The AG ultimately concludes that the Court should hold that the search engine operator is not required, when acceding to a request for de-referencing, to carry out that de-referencing irrespective of the location from which the search on the basis of the requesting party's name is performed. Therefore, it is not required to carry out the de-referencing on all the domain names of its search engine in such a way that the links in question no longer appear for searches outside the EU.

Although not justified by the facts of the case at hand, the AG underlines that he does not rule out entirely the possibility, under different circumstances, that a search engine operator may be required to take de-referencing actions at the global level.

Furthermore, once a right to de-referencing within the EU has been established, the search engine operator is under the obligation to take every measure available to ensure full and effective de-referencing within the EU. To achieve this, the search engine operator is free to make use of the 'geo-blocking' technique with respect to an IP address deemed to be located in one of the Member States, irrespective of the domain name used by the internet user who performs the search.

GC & Others v. CNIL: De-referencing of Sensitive Personal Data

Also on 10 January 2019, the AG issued his second opinion concerning the de-referencing obligation of sensitive personal data on search engine operators.

Four different individuals sought the de-referencing of various links which contained a satirical photomontage of a female politician posted under a pseudonym, an article referring to one of the individuals concerned as the public relations officer of the Church of Scientology, the investigation of a male politician and the conviction of another individual for sexual assaults against minors. All four of these de-referencing requests had been turned down by both CNIL and Google.

When the refusal decisions were challenged, the "Conseil d'Etat" again considered that a number of serious difficulties of interpretation of Directive 95/46 were at stake and referred several questions for a preliminary ruling to the ECJ.

The two main questions sought to learn whether, having regard to the responsibilities, powers and specific capabilities of the operator of a search engine, the prohibition imposed on other data controllers on processing sensitive data also applied to such an operator. The questions also probed for the extent to which a journalistic exemption could apply if the links concerned contained journalistic material.

The AG is of the opinion that Directive 95/46 should be interpreted to take account of the responsibilities, powers and capabilities of a search engine. The AG first clarifies that the task of an operator of a search engine is, as its title indicates, to search, find, pick up and make available, using an algorithm that can find the information in the most efficient way.  In this sense, the prohibitions in Directive 95/46 cannot apply to the operator of a search engine as if it has itself placed sensitive data on the internet. Logically, the activity of a search engine only intervenes after the posting of (sensitive) data and has a secondary character. As a consequence, the prohibitions can only apply to a search engine by reason of that referencing, and through subsequent verification, when a de-referencing request is made, since ex ante and ex officio control is neither possible nor desirable.

The AG continues that once a search engine operator establishes that a processing of sensitive data takes place, it is appropriate to grant a request for de-referencing, subject to the exceptions provided for by Directive 95/46, even if some of the exceptions appear to be more theoretical than practical as regards their application to a search engine.

Regarding the question of the derogations authorised under freedom of expression, the operator of a search engine should conduct a balancing exercise between the right to respect for a private life/the right to protection of data and the right of the public to access information and the right to freedom of expression.

The same balancing exercise must be carried out with respect to de-referencing requests for personal data which is deemed to have become incomplete, inaccurate or obsolete.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.