Google LLC v CNIL

ECLI:EU:C:2019:772; Grand Chamber, European Union
Decided on 24th September, 2019
Introduction:
This right to privacy case between Commission nationale de l’informatique et des libertés (CNIL), the Plaintiff, and Google LLC., the Defendant deals with the personal data of a natural person and the protection of such individuals with regard to the processing of personal data in the European Union (EU).
However, the conflict of the case was whether search engine operators were required to de-reference links to personal information globally instead of geo-blocking or domain extension blocking.
Facts of the case:
The President of CNIL served a formal notice to Google which required Google to completely remove personal information from all domain extensions of the search engine when granting a request for de-referencing links of a natural person.
Google refused to comply with the formal notice and confined itself to removing links from the results displayed on the domain versions for the Member States. Further, Google proposed a geo-blocking strategy which was unacceptable to CNIL.
CNIL imposed a penalty on Google for not complying with the notice, an amount of EUR 100,000 (Hundred Thousand) which was publicly announced.
Legal Issues:
How must the “right to de-referencing” be interpreted? And what is the appropriate remedy that is to be granted?
Rule of Law:
A search engine operator cannot be required to carry out a de-referencing on all the versions of its search engine.
Analysis and Reasoning:
Issue:
The Court discussed the different possibilities of interpreting the “right to de-referencing” on the basis of the provisions of [Article 12(b) and subparagraph (a) of the first paragraph of Article 14] of EU Directive [95/46]. There were three possible solutions to the issue in hand.
1.Must “right to de-referencing” be interpreted as meaning that a search engine operator is required to deploy the de-referencing to all of the domain names used by its search engine so that the links at issue no longer appear, irrespective of the place from where the search is initiated. Which meant that the “right to de-referencing” was to be read with a wide scope of protection and the search engine operator would have to remove all links from all its domains irrespective of where the plaintiff is located.
2.Must the “right to de-referencing” be interpreted as meaning that a search engine operator is required only to remove the links at issue from the results displayed following a search conducted on the basis of the requester’s name on the domain name corresponding to the state in which the request is deemed to have been made or more generally on the domain names distinguished by the national extensions used by that search engine for all of the Member States. Which meant that the “right to de-referencing” was to be read with restrictions and that the search engine operator need not remove the links from all its domain. The argument that brought about this version of interpretation was Google stating that it was an automatic action for its website to open/redirect its .com domain to the territorial domain version, for this case that would be .uk, which in turn shows that the need for global removal was unnecessary.
3.Must the “right to de-referencing” be interpreted as meaning that a search engine operator is required when granting a request for de-referencing to remove the results at issue, by using the geo-blocking technique from search conducted on the basis of the requester’s name from an IP address deemed to be located in the State of residence of the person benefiting from the right to de-referencing or even more generally from an Internet Protocol (IP) address deemed to be located in one of the Member States, regardless of the domain name used by the internet user conducting the search. Which meant that the domain name would not be the mode of removal but instead the IP address would.
It was held by the Grand Chamber that with the proper construction of Directive 95/46/EC of the European Parliament on the protection of individuals with regard to the processing of personal data and on the free movement of such data, when a search engine operator granted a request for de-referencing after receiving a request that was pursuant to the appropriate provisions, that operator is not required to carry out that de-referencing on all versions of its search engine (global injunction), but only on the versions of that search engine corresponding to all the Member States (geo-blocking) while using measures which met the legal requirements and effectively prevent or seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subject’s name from gaining access, via the list of results displayed following that search, to the links which are the subject of that request.
Which made clear that a search engine operator did not need to restrict the restricted personal data globally but territorially within the territory of EU.
Conclusion:
The Court held that even though EU law does not currently require the search engine to de-reference links in all regions or across all regions, it does not however prohibit its alternate, that is geo-blocking or domain extension blocking on all of the search engine. The decision to be made must be compliant to national standards of protection of fundamental rights and the power to make such decision lays in the hands of the concerned judicial authority of an EU Member State.
The full judgement is available here.
Authored and compiled by Snehaja Rana (Associate, BananaIP Counsels)
This case brief is brought to you by the Consulting/Strategy Division of BananaIP Counsels, a Top IP Firm in India. If you have any questions, or need any clarifications, please write to [email protected]  with the subject: Case brief.
You may write to [email protected]  for corrections and take down.