Search engine duties under EU data protection laws clarified

Out-Law News | 25 Sep 2019 | 9:41 am | 3 min. read

Under EU data protection law data subjects can ask search engines to de-reference, or delist, results relating to them in certain circumstances. When agreeing to such a request, however, search engines are not required to delist results from results displayed to all their users across the world, the EU's highest court has ruled.

The Court of Justice of the EU (CJEU) said, though, that search engines must take steps to apply the de-listing across all EU countries and to seek to prevent users in those countries circumventing those geo-blocking measures.

"Where a search engine operator grants a request for de-referencing [under EU data protection law], that operator is not required to carry out that de-referencing on all versions of its search engine, but on the versions of that search engine corresponding to all the member states, using, where necessary, measures which, while meeting the legal requirements, effectively prevent or, at the very least, seriously discourage an internet user conducting a search from one of the member states on the basis of a data subject’s name from gaining access, via the list of results displayed following that search, to the links which are the subject of that request," the CJEU said.

In a previous ruling, the CJEU had clarified that, under EU data protection laws, a search engine has a qualified duty to de-list a webpage, or URL, from its search results when requested to do so by an individual if the webpage in question contains information about that individual and the information in question is "inadequate, irrelevant, no longer relevant or excessive".

Not all of these so-called 'right to be forgotten' requests have to complied with, however, as the search engine is obliged to carry out a balancing exercise to determine whether other rights, such as in relation to freedom of expression, trump the privacy rights at issue and justify the continued availability of the information in question.

However, there has been a debate over the territorial scope of delisting that search engines must implement when accepting right to be forgotten requests. France's Council of State asked the CJEU to clarify the responsibilities of search engines in relation to the matter after Google had challenged an order issued by the Commission Nationale de l’Informatique et des Libertiés (CNIL) to implement delisting on globally, and not just in relation to search results displayed in the EU.

The court applied its findings to provisions of the General Data Protection Regulation (GDPR) which came into effect in 2018.

In a separate ruling also issued on Tuesday morning, the CJEU provided guidance in relation how search engines should assess 'right to be forgotten' requests that seek the removal of results relating to webpages which contain sensitive personal data.

This second case arose out of interpretation of provisions contained in the EU's Data Protection Directive. That Directive was repealed in 2018 when the GDPR took effect. Acknowledging this, the ruling refers throughout to equivalent provisions in the GDPR, and so can be seen to provide guidance to search engines in relation to the current legal framework too.

In its ruling, the CJEU said that search engines were subject to rules prohibiting or restricting the processing of sensitive personal data under the old Directive, and that, in principle, they are required to meet de-referencing requests concerning sensitive personal data unless an exception listed under the Directive applied.

The CJEU said that the Directive provides scope for search engines to "refuse to accede to a request for de-referencing" sensitive personal data in certain limited circumstances.

However, although the judgment is framed in terms of "exceptions", perhaps the most important of these is that a search engine will be entitled to refuse to de-list results in circumstances where the continued availability of those results is in the "substantial public interest".

This means that for requests relating to sensitive personal data search engines must undertake an assessment of competing rights in the same way as they must in relation to a request relating to ordinary personal data – they must undertake a balancing exercise. Where the data in question is sensitive personal data the balancing exercise will involve establishing whether it is "strictly necessary" that the results remain available for the purpose of protecting "the freedom of information of internet users potentially interested in accessing that web page by means of such a search", the court said.

The assessment will involve weighing the requester's rights to privacy and the protection of personal data against those rights to freedom of information, the CJEU said. All those rights are qualified rights enshrined in the Charter of Fundamental Rights of the EU.

Other considerations will also apply, for example, where "the processing relates to data which are manifestly made public by the data subject" this can be relied upon by the search engine.