CNIL – CJEU Judgment (France, 2019)

Four applicants wanted to exercise their right to de-referencing concerning various links to third-party websites which contained sensitive data pertaining to them. As the requests were rejected by Google, the applicants brought complaints before the Commission Nationale de l’Informatique et des Libertés (CNIL), the French data protection authority. the CNIL refused, however, to serve formal notice on Google to carry out the de-referencing requested. Thereupon, the applicants turned to the Council of State (Counsel d’État), which ordered a stay of the proceedings and referred to the Court four questions relating to the applicability of the prohibition of the processing of sensitive data in the context of search engines and to the de-referencing of such data. The Court recalled that an activity of a search engine, which consists in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and making it available to internet users according to a particular order of preference, must be classified as "processing of personal data" and that the operator of the search engine therefore needs to be considered a 'controller' within the means of article 4(7) GDPR. In its preliminary ruling the court judged that: * Information relating to legal proceedings brought against an individual and information relating to an ensuing conviction are data relating to ‘offences’ and ‘criminal convictions’ within the meaning of Article 8(5) of Directive 95/46 (and Article 10 GDPR); * The operator of a search engine is in principle required to accede to requests for de-referencing links to web pages containing sensitive personal data, unless an exemption is applicable; * A search engine operator does not need to automatically delete links to specific sites following an erasure request made by the data subject. Instead, in order to determine whether to remove links to pages that contain sensitive personal data, the search eng