Keywords

Right to be Forgotten, Processing of Personal Data, Right to De-Referencing, Search Engine Operators, Sensitive Data, Territorial Scope of Application.

Introduction

The Internet is characterised by access to available information from any location and any device connecting to it. Search engines undoubtedly play a crucial role in facilitating access to this information. Without them, finding the relevant information and outputting it appropriately and adequately to the requester would be challenging.

A search engine uses robots (also referred to as “spiders” or “crawlers”). The robots regularly scan websites to retrieve data and index it in one or more databases owned by the search engine operator (SEO) to make it accessible to users via keywords (Trudel, 2016). The process of obtaining information about an individual is as simple as entering their name in an internet search engine. In addition, search engines can establish complete and accurate profiles of individuals by searching and collecting their traces left on the web. These profiles are enriched regularly according to the activity of the internet user on the networks.

Search engines’ aggregation capabilities are often identified as a threat to privacy. This threat is all the more real considering the “eternal” availability of electronic memory, “which preserves bad memories, past errors, writings, photos and videos we would like to deny at a later stage” (De-Terwangne, 2012).

In this context, the “right to de-referencing” was introduced in the ruling of the CJEU on May 13, 2014, which is known as Google Spain. Based on the provisions of Directive 95/46, the CJEU considered the search engine as “Controller” because it indexes the data, stores them, and makes them available to users in order of preference.

Consequently, the individual whose data are processed by a SEO has the right to request the “de-referencing” of links leading to his/her data. This right prevails not only against the economic interest of the SEO, but also the interest of internet users potentially interested in having access to that information upon a search relating to the data subject’s name.

Recognition of the right to de-referencing by the CJEU prompted contrasting reactions. Many have criticised the decision as a call to censorship. Meanwhile, others contended that the decision was a victory over the web giants and minimised the risk of violations of the right to freedom of expression (Lee, 2015; Post, 2018).

Beyond these controversies between proponents and critics of the right to de-referencing, Google Spain faced many difficulties in its application and enforcement. This controversy was evidenced in two cases recently brought to the CJEU: the first case regarding the territorial scope of the right of de-referencing (Case C-507-17), and the second case regarding its modalities in the processing of sensitive categories of data.

The Google Spain Case

In Google Spain, the CJEU deduced from the provisions of Directive 95/46 a right to dereference personal data appearing in search engine results. Thus, it showed a daring that has failed the drafters of the general regulation on protecting personal data. They missed the opportunity to take a position on this case law, either to transpose it or to simply dismiss it, and end the controversies over recognizing the right to de-referencing.

Recognition of the Right to De-Referencing

In Google Spain, the CJEU dealt with a request for a preliminary ruling from the Audiencia Nacional (The Spanish High Court) relating to a dispute between Google Spain SL and Google Inc. on the one hand, and the Spanish Data Protection Agency (Agencia Española de Protección de Datos), and Mr. Costeja González, a Spanish citizen, in the other. Mr. González had been the subject of a property auction connected with attachment proceedings to recover social security debts. A Spanish newspaper had published two announcements related to this auction in two of its editions in 1998. Both were subsequently republished in an electronic version made available on the Internet. Mr. Gonzáles complained to the Spanish Data Protection Agency. He asked that the publisher of the journal be ordered to either delete or modify the publication or to use the tools provided by search engines to protect his personal data. Mr. González also requested that Google Spain or Google Inc. be ordered to delete or conceal its data to stop it from appearing in search engine results, including links to the Spanish newspaper.

On July 30, 2010, the Spanish Data Protection Agency rejected the complaint against the newspaper. However, it upheld the complaint against Google Spain and Google Inc., both of which appealed to the National High Court (Audiencia Nacional). The Court joined the proceedings and decided to stay them pending an order to refer certain questions to the CJEU about the interpretation of Directive 95/46/EC. In particular, was the directive applicable in the circumstances such as those at issue? Could the directive 95/46/EC require the SEO to remove from the list of results displayed following an Internet search, made based on a person’s name, links to web pages published by third parties and containing information relating to this person?

In a Grand Chamber formation, the Court decided first on the question of the material applicability of the Directive 95/46 to facts of case. It held that a SEO is a controller of the personal data contained on third-party websites that it indexes because “it ‘collects’ such data which it subsequently ‘retrieves,’ ‘records,’ and ‘organises’ within the framework of its indexing programmes, ‘stores’ on its servers and, as the case may be, ‘discloses’ and ‘makes available’ to its users in the form of lists of search results”. The fact that the search engine does not modify these data does not affect this qualification. Consequently, the provisions of the Directive are fully applicable.

The material applicability of the Directive was established; the Court then proceeded to examine its territorial applicability. The task was highly delicate because Google Inc. is a multinational company with its parent company based in California and many subsidiaries, including Google Spain LC, all over the world using countless servers scattered globally. The CJEU has been able to circumvent this difficulty by relying on the useful effect of Directive 95/46 to conclude that it applies to the facts of the case. According to the Court:

It cannot be accepted that the processing of personal data carried out for the purposes of the operation of the search engine should escape the obligations and guarantees laid down by Directive 95/46, which would compromise the directive’s effectiveness and the effective and complete protection of the fundamental rights and freedoms of natural persons which the directive seeks to ensure”. 

Once the applicability of Directive 95/46 was established, the CJEU devoted the remainder of its ruling to examine the effects of this finding on the SEO and, in particular, whether a data subject can request that the SEO remove from the list of results displayed to internet users following a search, made based on his name, links to web pages published lawfully by third parties and containing accurate information relating to them. After a long argument, in which it adopted a very liberal interpretation of the provisions of the directive, the Court recognised that:

“The information in question relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name, without it being necessary in order to find such a right that the inclusion of the information in question in that list causes prejudice to the data subject.”

The Court added that this right overrides “not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name”. 

The GDPR: A Missed Opportunity to Clarify the Right to De-Referencing

The Google Spain case has created a significant upheaval in the Internet sphere, forcing giants like Google (but not only) to develop strategies and measures to adapt quickly to the requirements of the CJEU. The result was an ambiguous situation in which Google found itself both judge and jury regarding the relevance of requests for de-referencing (Cavoukian & Wolf, 2014; Kuczerawy & Ausloos, 2016). This situation raised serious concerns because, instead of curtailing Google, the CJEU chose to give it a leading role in implementing European data protection legislation (Cavoukian & Wolf, 2014).

In this context, it was expected that the European legislator would take the opportunity offered by the General Data Protection Regulation (GDPR) to completely re-evaluate the right to erasure, hitherto present in Article 12 of Directive 95/46. Further, the legislator should move toward a different approach to this right that considers the difficulties caused by implementing the right to de-referencing. However, these expectations were not met.

In addition to the erasure of data subject to unlawful processing previously provided for in Article 12(b) of the Directive 95/46, the scope of Article 17 of the Regulation, entitled “Right to erasure (right to be forgotten)” as it existed under Directive 95/46 has been broadened to include the following rights:

1. The right to erasure in which the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.

2. The right to erasure as a consequence of withdrawal of consent.

3. The right to erasure following the exercise by the data subject of his right to object to the processing.

4. The right to erasure to comply with a legal obligation in Union or Member State law to which the controller is subject.

5. The right to the erasure of data collected in relation to the offer of information society services to a child.

Referring to the right to erasure without any reference to the right to de-referencing, the GDPR did not fail to arouse not only some disappointment but also raised some questions. Was the GDPR intended to take a step back from the solution adopted in the Google Spain judgment? Or Was the GDPR simply a deliberate choice by the European legislator to reserve the right to erasure as a general scope, encompassing the erasure of data as the de-referencing of data in the search engine results? The latter seems the most likely. The reference to the “right to be forgotten” in the title of Article 17 of the GDPR confirms this interpretation (Valle, 2020; Gstrein, 2020 ).

The entry into force of the GDPR did not resolve the uncertainties surrounding the right to de-referencing. Therefore, it was not until the judgments of the CJEU of September 24, 2019, in Cases C-136/17 and C-507/17, that the existence of this right was confirmed. Although the questions referred to it in both cases concerned treatment before the entry into force of the GDPR, and therefore, were subject to Directive 95/46, the CJEU has chosen to examine these based on both Directive 95/46 and the GDPR “in order to ensure that its answers will be of use to the referring court in any event”. In this respect, the Court clarified, concerning the right to de-referencing, that:

“In the context of Regulation 2016/679, that right of a data subject to de-referencing is now based on Article 17 of that regulation, which specifically governs the ‘right to erasure,’ also referred to, in the heading of that article, as the ‘right to be forgotten’”.

Google v CNIL: The Geographical Scope of the Right to De-Referencing

The event that led to the decision began in 2015, when Google Inc., which the Commission Nationale de l'Informatique et des Libertés (CNIL) ordered to extend the dereference to all its search engine’s domain name extensions, refused to comply and limited removal only to the results displayed following Internet searches conducted from the domain names corresponding to the versions of its search engine in the Member States. Google Inc. introduced a “geo-blocking” system that would prevent internet users from accessing the results at issue from an Internet Protocol (IP) address deemed to be located in the European Union (EU). In response to Google Inc.’s attitude, the CNIL imposed a penalty on Google Inc. of EUR 100 000.

Against this decision, Google Inc. lodged an appeal for annulment with the Conceal data (Council of State, France). According to Google, the contested penalty was based on a misinterpretation of the provisions of the Law of January 6, 1978, which transpose Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46. Google Inc. argued that the right to de-referencing does not necessarily require that the links are to be removed, without geographical limitation, from all its search engine extensions. The Conseil d’État decided to stay the proceedings and put a preliminary question to the CJEU on the geographical scope of the right to de-referencing.

CJEU Options

In response to the preliminary question, the CJEU had three options at its disposal: 1) a European right to de-referencing, 2) a right to de-referencing carried out at a national level, or 3) a right to worldwide de-referencing (Van-Alsenoy & Koekkoek, 2015; Padova, 2019)

A European Right to De-Referencing

To comply with the requirements of the Google Spain case law, Google chose to limit the right to de-reference to European search engine extensions (e.g., fr, be, and es). In a letter to the G29 presidency, Google Global Privacy Counsel, justified Google’s choice as follows:

We do not read the decision by the Court of Justice of the European Union (CJEU) in the case C-131/12 (the Decision) as global in reach—it was an application of European law that applies to services offered to Europeans. We remove the identified links from search results in our European versions of our search services. Specifically, such links do not appear in search results for queries on the data subject’s name (alone or in combination with other query terms) in our search services targeted to EU and EFTA countries.

National versions of our search service are offered from the relevant ccTLD (country code top level domains) for each country, like google.fr for France and google.it for Italy. We have developed different versions of our search service to meet local user preferences in almost every country. We actively redirect European users from google.com to the appropriate ccTLD, and European users overwhelmingly use those services. Fewer than 5% of European users use google.com, and we think travellers are a significant portion of those.

To help set a course of action in implementing its new obligation, Google established an advisory committee of ten international experts. On February 6, 2015, the committee issued a report including, among other things, recommendations on the geographic scope of the right to de-referencing. Regarding geographic scope, the committee recommended that only links referring to the contested content on the domain name extension corresponding to the country of the request should be delisted:

“Given concerns of proportionality and practical effectiveness, it concludes that removal from nationally directed versions of Google’s search services within the EU is the appropriate means to implement the Ruling at this stage”.

Different arguments have been made in this regard:

“There is a competing interest on the part of users outside of Europe to access information via a name-based search in accordance with the laws of their country, which may be in conflict with the delisting afforded by the Ruling. There is also a competing interest on the part of users within Europe to access versions of search other than their own. It is also unclear whether such measures [technical measures to prevent Internet users in Europe from accessing search results that have been delisted under European law] would be meaningfully more effective than Google’s existing model, given the widespread availability of tools to circumvent such blocks.”

This interpretation of the right to de-referencing was consistent with that of Advocate General (AG) Maciej Szpunar in his opinion in Case C-507/17 Google LLC v CNIL. In response to the question of whether the de-referencing should occur beyond the borders of the EU, he was categorical in his answer: Search requests made outside the territory of the European Union should not be subject to de-referencing of the search results.

In other words, the AG argued that a right to de-referencing should be limited to the territory of the EU. The right to de-referencing must be weighed against other fundamental rights, notably the public’s legitimate interest in accessing the information sought. However, the idea of de-referencing beyond the EU territory could jeopardize this aim. Thus, “if worldwide de-referencing were admitted, the EU authorities would not be in a position to define and determine a right to receive information, still less to strike a balance between that right and the other fundamental rights to data protection and to private life, a fortiori because such a public interest in having access to information will necessarily vary, depending on its geographic location, from one third State to another.”

Furthermore, there would then be a danger that the European Union would prevent individuals in third countries from having access to information. If an authority within the European Union could order de-referencing on a worldwide scale, an inevitable signal would be sent to third countries, which could also order de-referencing under their own laws.

However, the SEO “is required to take all steps available to him to ensure effective and complete de-referencing.” In particular, the SEO must use the “geo-blocking” technique from an IP address located in one of the EU states and the domain name chosen by the internet user conducting the search.

A Right to De-Referencing Limited to the Territory of the Member State

This type of de-referencing is possible using a “geo-blocking” technique whereby the search engine filters search results according to the origin of the request for de-referencing. At the European level, the preliminary injunction issued by the Paris Tribunal de Grande Instance (TGI) in the case of M. and Mrs. X and Mr. Y v. Google France provides an illustration. The facts of this case were similar to those of the CJEU’s Google Spain decision. The Court expressed that:

“It is in vain that Google France asks in infinite subsidiary that the injunction be limited to the links with Google.fr only, while it does not establish the impossibility of connecting from the French territory using the other terminations of the Google search engine”.

In other words, according to the TGI, limiting de-referencing to the extension google.fr is not sufficient. Google should ensure that access to the links concerned by the de-referencing is not feasible from the French territory.

A Worldwide Right to De-Referencing

A worldwide de-referencing means removing links to personal data from research results on all extensions of a search engine, regardless of the geographical origin of the request. The CNIL strongly advocated this approach. In its deliberation no. 2016-054 of March 10, 2016, the CNIL’s restricted committee considered that Google’s vision of the right to de-referencing is based “on the assumption that there are as many “Google Search” processing systems as local search engine extensions, whereas in reality, it is a single processing system with multiple technical paths.” Therefore, “only delisting across the entire search engine would enable effective protection of the rights of individuals.”

In so reasoning, the CNIL aligned with the opinion adopted by the WP29 in its guidelines on the implementation of the Google Spain case law. According to the WP29, “delisting decisions must be implemented in a way that guarantees the effective and complete protection of these rights and that EU law cannot be easily circumvented.” Therefore, de-referencing should not be limited to EU domain name extensions. It “should also be effective on all relevant domains, including.com”.

The Decision of the Court: A European Right to De-Referencing

In response to the question about the geographic scope of the right to de-referencing under the relevant data protection provisions of the EU, the CJEU employed a step-by-step reasoning process to reach its conclusion that the SEO is not required to carry out de-referencing on all versions of its search engine but is required to conduct de-referencing on the versions of the search engine corresponding to the EU territory.

The Court began by emphasizing the importance of the right to de-referencing related to the main objective of Directive 95/46 and the GDPR to guarantee a high level of protection of personal data throughout the EU. In this regard, it acknowledges that “a de-referencing carried out on all the versions of a search engine would meet that objective in full”. Furthermore, the Court considers that in a globalised world, Internet users’ access - including those outside the territory of the EU - to the referencing of a link referring to personal data of a person whose centre of interests is located in the Union “is thus likely to have immediate and substantial effects on that person within the Union itself”. Consequently, the competence on the part of the EU legislator to enact a global right of de-referencing is justified.

However, “the right to the protection of personal data is not an absolute right”. It must be considered “in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality”.

On the other hand, balancing the protection of personal data and privacy with the fundamental right to information is likely to vary significantly worldwide. This is all the more evident as “numerous third States do not recognise the right to de-referencing or have a different approach to that right”. That being said, the CJEU concluded that the thesis of a worldwide de-referencing, defended by the CNIL, is not tenable. Thus, the CJEU held that:

“Where a search engine operator grants a request for de-referencing pursuant to those provisions, that operator is not required to carry out that de-referencing on all versions of its search engine, but on the versions of that search engine corresponding to all the Member States”.

However, the Court adjusted its position, expressing that, while EU law does not currently impose a worldwide de-referencing, it also does not prohibit it. Worldwide dereferencing is possible through a balancing process of the subject’s right to privacy and data protection against the right to information carried out by a supervisory or judicial authority of a Member State “in the light of national standards of protection of fundamental rights”. The Court thus draws on its case law under the Åkerberg Fransson and Melloni cases for its interpretation of Articles 51 and 53 of the Charter of Fundamental Rights, which give national authorities and courts the right to apply their national standards of protection of fundamental rights “provided that the level of protection provided for by the Charter, as interpreted by the Court, and the primacy, unity and effectiveness of EU law are not thereby compromised”.

By relying on the concept of national standards for the protection of fundamental rights, the Court refers to the levels of protection of personal data that differ among Member States, and thus, allows the national supervisory authorities to decide whether to impose a de-referencing on all search engine extensions, including outside the EU. As noted by Jean-Luc Sauron: Case C- 507/17 shows that the CJEU is aware of two legal spheres (or markets) in which it is called upon to intervene. In the market of the law of globalization, it must affirm the operational effectiveness of the reasoning methods of EU law, a statement which must counter the attempts of other legal systems to dominate the international law of regulation to their advantage. [...] Within the framework of the internal market, it must find the narrow path, reinforcing the growing convergence of the rights of the Member States under its leadership and full respect for national constitutional traditions in the field of fundamental rights (Sauron, 2019) (Our translation).

Overall, the CJEU has provided essential clarifications on the geographical scope of the right to de-referencing. It offered a pragmatic solution, thus avoiding serious risks that a right to global de-referencing could generate. Worldwide de-referencing is likely to result in “a risk of a fragmentation of the digital world” (; Celeste & Fabbrini, 2021; Criscione, 2020.) This risk could create an atmosphere in which data sovereignty is prioritised and distrust of others is the norm. Moreover, the threat of proliferation of internet censorship is considerable.

GC and Others v CNIL (Case C-136/17)

In GC and Others v CNIL, the CJEU provided guidance on the obligation of an SEO to de-reference web pages displaying personal data falling within the special categories of personal data. Four claimants requested Google to de-reference various links to third-party web pages containing personal information related to them, which Google refused. As a result of this refusal, the claimants brought complaints before the CNIL, asking that Google be directed to dereference the links involved. The CNIL rejected their requests and decided to close the complaints. This decision was challenged in the Conseil d’État (Council of State, France).

Having found that the demands raised several serious difficulties in interpreting Directive 95/46, the Conseil d’État decided to stay the proceedings and refer to the CJEU preliminary questions concerning the extent of the right of de-referencing in the presence of sensitive data, as provided in Article 8 of Directive 95/46. Notably, the Conseil d’État wished to know whether the prohibition on processing sensitive categories of data referred to in Article 8, paragraphs 1 and 5 of Directive 95/46 applied to the SEOs. In the case of an affirmative response, are the SEOs required to accede systematically to all requests for de-referencing, even if the processing of sensitive data is conducted under Article 8 (2) and Article 9 of Directive 95/46? Further, if the processing is not prohibited, what requirements should the SEOs meet to deal with links to a website comprising sensitive data?

Operator of a Search Engine is a Data Controller Similar to Others

In Google Spain, the CJEU had the opportunity to decide whether the SEO can be regarded as a controller under EU data protection regulations. The Court ruled, against the opinion of AG Jääskinen, that the SEO must be considered the controller of the data contained on the websites that it indexes, within the meaning of Article 2 (d) of Directive 95/46. This statement has been a major step in determining the obligations and responsibilities of SEOs. However, its scope was limited to “normal” personal data of which the processing is unlawful, thus leaving unanswered the question of the SEO’s responsibilities in the case of the processing of sensitive data within the meaning of Article 8 of Directive 95/46.

In GC and Others v CNIL, the CJEU addressed this subject. Several approaches were considered. The first approach was to follow the argument expressed by Google and concludes that Google Spain did not relate to sensitive data referred to in Article 8(1) of Directive 95/46 that SEOs should be exempt from compliance with this provision. Another approach was to consider the SEO subject to the prohibitions and restrictions relating to the processing of sensitive data as though it had caused the data to appear on the Internet pages. In this case, the SEO would be obliged to check, ex-ante and systematically, that a list of results displayed following a search made based on a person’s name does not contain any link to Internet pages containing sensitive data relating to this person.

The CJEU chose a different approach. Following the reasoning of its AG, the CJEU ruled that the provisions of Article 8(1) and (5) of Directive 95/46 must be interpreted in such a way as to consider “the responsibilities, powers and capabilities of the operator of a search engine as the controller of the processing carried out in connection with the activity of the search engine”. Thus, the SEO does not make sensitive data appear in the referenced web pages. Its activity only occurs later by referencing this data and displaying the links to these web pages in the list of results presented to internet users following a search based on an individual’s name. Consequently, the prohibitions and restrictions of Article 8 (1) and (5) of Directive 95/46 as well as in Article 9 (1) and Article 10 of the GDPR apply to the search engine “only by reason of that referencing” using an ex post facto verification, under the supervision of the competent national authorities, based on a request by the data subject.

A Necessary Balance with Freedom of Information

The second question referred for the CJEU was to determine the conduct to be taken by the SEO in the event of a request for de-referencing of a link leading to web pages containing personal data falling within the special categories referred to in Article 8(1) and (5) of Directive 95/46. The main question was whether the SEO should systematically grant requests for dereferencing and to what extent they can raise the specific exceptions provided for in Article 8 (2) (a) and (e) of Directive 95/46?

Recalling its case law in Google Spain, the Court held that the rights of data subject requesting the de-referencing “override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name”. However, the Court added, the right to freedom of expression and information is one of the exceptions to the right to erasure mentioned in Article 17.3 of the GDPR and should, thus, “be balanced against other fundamental rights, in accordance with the principle of proportionality”. Consequently, in the case of a request for de-referencing relating to a link to a web page on which sensitive data are published, the SEO should assess, on a case-by-case basis, which of the fundamental rights, the right to the protection of personal data or the public’s right to information, must prevail.

This assessment must be carried out “on the basis of all the relevant factors of the particular case and taking into account the seriousness of the interference with the data subject’s fundamental rights to privacy and protection of personal data,” by verifying whether the inclusion of the link at issue “is strictly necessary for protecting the freedom of information of internet users potentially interested in accessing that web page by means of such a search”.

Since the balancing requirements for implementing the right to de-referencing were recalled, the Court considered the exceptions to the principle of the prohibition of the processing of sensitive data. Notable was one hypothesis under which the data subject gave his consent to the processing and the second in which the data were manifestly made public by the data subject.

Regarding the first hypothesis, the Court confirmed that the consent must be specific, that is, it must be relate to the processing carried out within the framework of the search engine. Nevertheless, the Court recognised that, in practice, it is scarcely conceivable that the SEO seek the express consent of the data subjects before referencing their personal data. In any event, the Court added, “the mere fact that a person makes a request for de-referencing means, in principle, at least at the time of making the request that he or she no longer consents to the processing carried out by the operator of the search engine”.

Regarding the hypothesis in which the data was made public by the data subject, the CJEU ruled that the SEO may refuse to accede to a request for de-referencing. However, all other conditions of lawfulness must be met unless the data subject objected to the processing on grounds relating to their particular situation.

De-Referencing Relating to Criminal Proceedings

In the last preliminary question, the CJEU was asked to rule on two points connected with the processing of personal data relating to legal proceedings in criminal matters. The first point was to know whether the information pertaining to legal proceedings brought against an individual and, as the case may be, information regarding to a subsequent conviction are data relating to “offences” and “criminal convictions” within the meaning of Directive 95/46 and the GDPR. Regarding the second point, the court was asked to decide whether the SEO is required to accede to a de-referencing request, where the data subject establishes that the personal data relating to an earlier stage in judicial proceedings has become incomplete, inaccurate or obsolete.

On the first point, the Court, consistent with the AG’s opinion, replied in the affirmative. It considered that including in the list of results the links to web pages on which information concerning legal proceedings brought against an individual are published qualifies as processing under Article 8(5) of Directive 95/46 and Article 10 of the GDPR and is subject to special restrictions.

Regarding the second point, the Court held that the initially lawful processing of accurate data might become unlawful under European law “where those data are no longer necessary in the light of the purposes for which they were collected or processed”. Therefore, the SEO is required to grant the request for de-referencing of links leading to data concerning an earlier stage of the proceedings that no longer correspond to the current situation, unless the SEO demonstrates that the maintenance of these links is necessary for protecting the freedom of public information. To do so, the SEO must strike a fair balance between the right to respect privacy and the public’s freedom of access to information, considering “the nature and seriousness of the offence in question, the progress and the outcome of the proceedings, the time elapsed, the part played by the data subject in public life and his past conduct, the public’s interest at the time of the request, the content and form of the publication and the consequences of publication for the data subject".

Finally, the CJEU added that, even if the referencing deemed necessary for reconciling the data subject’s right to privacy with the freedom of information of internet users, the SEO is “in any event required to adjust the list of results in such a way that the overall picture it gives the internet user reflects the current legal position, which means in particular that links to web pages containing information on that point must appear in first place on the list". SEOs thus must permanently adjust the list of results displayed following a search based on a person’s name leading to web pages containing data on criminal offenses and convictions. This means that any further development of the legal position must result in a readjustment of the results. This obligation of adjustment/readjustment “further transforms the activity of the SEO. It constrains it to edit the list of results by a differentiated intervention of automatic indexing that nuances its secondary role. The powers, responsibilities and possibilities of the SEO are thus modified so that Articles 8(5) of the Directive and 10 of the Regulation could retrospectively apply ex-ante and prohibit such referencing unless justified by freedom of expression and information”.

Conclusion

This article presented an overview of the recent CJEU case law relating to the right of dereferencing. As noted in the first section of this article, in Google Spain, the CJEU took a bold step in recognizing the explicit right to de-referencing on search engines. However, the implementation of the decision has been shown to be particularly difficult. As the entry into force of the GDPR did not fully relieve the uncertainties, the CJEU continued to outline further the contours of the right to de-referencing. In Google v CNIL (case C-507/17), the Court settled the debate over the territorial scope of the right and opted for an EU-wide de-referencing, while in GC and others vs Google, it has provided guidance on the implementation of the right of dereferencing in the case of sensitive data processing.

Questions about the right to de-referencing still remain. On September 24, 2020, the Bundesgerichtshof (Federal Court of Justice, Germany) raised two questions in a preliminary ruling before the CJEU. The first question relates to whether a SEO is bound, following a request for de-referencing, to remove a link leading to content that includes factual claims and value judgements based on factual claims, the truth of which is denied by the data subject. The second question is related to the de-referencing of search results displayed as preview images (thumbnails): should the context of the original third-party publication be conclusively taken into account, even if the third-party website is linked by the search engine when the preview image is displayed but is not specifically named and the resulting context is not shown with it by the Internet search engine?

References

Cavoukian, A., & Wolf, C. (2014). Sorry, but there's no online right to be forgotten. National post.

Celeste, E., & Fabbrini, F. (2021). EU data protection law between extraterritoriality and sovereignty. In E. Celeste, F. Fabbrini, & P. Quinn, (Eds.), Data Protection beyond Borders. Transatlantic Perspectives on Extraterritoriality and Sovereignty. Hart Publishing, Oxford.

Criscione, H. (2020). Forgetting the Right to be Forgotten: The Everlasting Negative Implications of a Right to be De-referenced on Global Freedom in the Wake of Google v. CNIL. Pace International Law Review , 32(2), 315.

De-Terwangne, C. (2012). Internet privacy and the right to be forgotten/right to oblivion. Revista de Internet, Derecho y Politica, 13(2), 109–121.

Frosio, G. (2017). Right to be forgotten: Much ado about nothing. Colorado Technology Law Journal, 15(2), 307-315.

Gstrein, O. J. (2020). Right to be forgotten: European data imperialism, national privilege, or universal human right? Review of European Administrative Law, 13(2), 125-152.

Kuczerawy, A., & Ausloos, J. (2016). From notice-and-takedown to notice-and-delist: Implementing Google Spain. Colorado Technology Law Journal, 14(2), 219-258.

Lee, E. (2015). The right to be forgotten v. free speech. Journal of Law and Policy for the Information Society, 85(2), 1-9.

Padova, Y. (2019). Is the right to be forgotten a universal, regional, or glocal right?. International Data Privacy Law, 9(1), 15–29.

Post, R. C. (2018). Data privacy and dignitary privacy: Google Spain, the right to be forgotten, and the Construction of the public sphere. Duke Law Journal, 67(2), 981-1072.

Sauron, J.L. (2019). Personal data: Scope of the right to de-listing. Dalloz collection.

Trudel, P. (2016). Search engines, delisting, forgetting and privacy in Quebec law. Lex electronica, 21(2), 89-129.

Valle, D.A.I. (2020). The right to be forgotten taken less seriously in light of the Google / CNIL ruling of the Court of Justice of the European Union. Rivista AIC.

Van-Alsenoy, B., & Koekkoek, M. (2015). Internet and jurisdiction after Google Spain: The extraterritorial reach of the right to be delisted. International Data Privacy Law, 5(2), 105–120.