Judgment of 24 Sep 2019, C-507/17 (Google)



JUDGMENT OF THE COURT (Grand Chamber)

24 September 2019 (*)

(Reference for a preliminary ruling — Personal data — Protection of individuals with regard to the processing of such data — Directive 95/46/EC — Regulation (EU) 2016/679 — Internet search engines — Processing of data on web pages — Territorial scope of the right to de-referencing)

In Case C-507/17,

REQUEST for a preliminary ruling under Article 267 TFEU from the Conseil d’État (Council of State, France), made by decision of 19 July 2017, received at the Court on 21 August 2017, in the proceedings

Google LLC, successor in law to Google Inc.,

v

Commission nationale de l’informatique et des libertés (CNIL),

in the presence of:

Wikimedia Foundation Inc.,

Fondation pour la liberté de la presse,

Microsoft Corp.,

Reporters Committee for Freedom of the Press and Others,

Article 19 and Others,

Internet Freedom Foundation and Others,

Défenseur des droits,

THE COURT (Grand Chamber),

composed of K. Lenaerts, President, A. Arabadjiev, E. Regan, T. von Danwitz, C. Toader and F. Biltgen, Presidents of Chambers, M. Ilešič (Rapporteur), L. Bay Larsen, M. Safjan, D. Šváby, C.G. Fernlund, C. Vajda and S. Rodin, judges,

Advocate General: M. Szpunar,

Registrar: V. Giacobbo-Peyronnel, Administrator,

having regard to the written procedure and further to the hearing on 11 September 2018,

after considering the observations submitted on behalf of:

–        Google LLC, by P. Spinosi, Y. Pelosi and W. Maxwell, avocats,

–        the Commission nationale de l’informatique et des libertés (CNIL), by I. Falque-Pierrotin, J. Lessi and G. Le Grand, acting as Agents,

–        Wikimedia Foundation Inc., by C. Rameix-Seguin, avocate,

–        the Fondation pour la liberté de la presse, by T. Haas, avocat,

–        Microsoft Corp., by E. Piwnica, avocat,

–        the Reporters Committee for Freedom of the Press and Others, by F. Louis, avocat, and by H.-G. Kamann, C. Schwedler and M. Braun, Rechtsanwälte,

–        Article 19 and Others, by G. Tapie, avocat, G. Facenna QC, and E. Metcalfe, Barrister,

–        Internet Freedom Foundation and Others, by T. Haas, avocat,

–        the Défenseur des droits, by J. Toubon, acting as Agent,

–        the French Government, by D. Colas, R. Coesme, E. de Moustier and S. Ghiandoni, acting as Agents,

–        Ireland, by M. Browne, G. Hodge, J. Quaney and A. Joyce, acting as Agents, and by M. Gray, Barrister-at-Law,

–        the Greek Government, by E.-M. Mamouna, G. Papadaki, E. Zisi and S. Papaioannou, acting as Agents,

–        the Italian Government, by G. Palmieri, acting as Agent, and by R. Guizzi, avvocato dello Stato,

–        the Austrian Government, by G. Eberhard and G. Kunnert, acting as Agents,

–        the Polish Government, by B. Majczyna, M. Pawlicka and J. Sawicka, acting as Agents,

–        the European Commission, by A. Buchet, H. Kranenborg and D. Nardi, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 10 January 2019,

gives the following

Judgment

1        This request for a preliminary ruling concerns the interpretation of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).

2        The request has been made in proceedings between Google LLC, successor in law to Google Inc., and the Commission nationale de l’informatique et des libertés (French Data Protection Authority, France) (‘the CNIL’) concerning a penalty of EUR 100 000 imposed by the CNIL on Google because of that company’s refusal, when granting a de-referencing request, to apply it to all its search engine’s domain name extensions.

 Legal context

 European Union law

 Directive 95/46

3        According to Article 1(1) thereof, the purpose of Directive 95/46 is to protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data, and to remove obstacles to the free movement of such data.

4        Recitals 2, 7, 10, 18, 20 and 37 of Directive 95/46 state:

‘(2)      Whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to … the well-being of individuals;

(7)      Whereas the difference in levels of protection of the rights and freedoms of individuals, notably the right to privacy, with regard to the processing of personal data afforded in the Member States may prevent the transmission of such data from the territory of one Member State to that of another Member State; whereas this difference may therefore constitute an obstacle to the pursuit of a number of economic activities at Community level …

(10)      Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognised both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms[, signed in Rome on 4 November 1950,] and in the general principles of Community law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community;

(18)      Whereas, in order to ensure that individuals are not deprived of the protection to which they are entitled under this Directive, any processing of personal data in the Community must be carried out in accordance with the law of one of the Member States; …

(20)      Whereas the fact that the processing of data is carried out by a person established in a third country must not stand in the way of the protection of individuals provided for in this Directive; whereas in these cases, the processing should be governed by the law of the Member State in which the means used are located, and there should be guarantees to ensure that the rights and obligations provided for in this Directive are respected in practice;

(37)      Whereas the processing of personal data for purposes of journalism or for purposes of literary [or] artistic expression, in particular in the audiovisual field, should qualify for exemption from the requirements of certain provisions of this Directive in so far as this is necessary to reconcile the fundamental rights of individuals with freedom of information and notably the right to receive and impart information, as guaranteed in particular in Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms; whereas Member States should therefore lay down exemptions and derogations necessary for the purpose of balance between fundamental rights as regards general measures on the legitimacy of data processing …’

5        Article 2 of that directive provides:

‘For the purposes of this Directive:

(a)      “personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); …

(b)      “processing of personal data” (“processing”) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

(d)      “controller” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; …

…’

6        Article 4 of that directive, entitled ‘National law applicable’, provides:

‘1.      Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

(a)      the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;

(b)      the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law;

(c)      the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.

2.      In the circumstances referred to in paragraph 1(c), the controller must designate a representative established in the territory of that Member State, without prejudice to legal actions which could be initiated against the controller himself.’

7        Article 9 of Directive 95/46, entitled ‘Processing of personal data and freedom of expression’, states:

‘Member States shall provide for exemptions or derogations from the provisions of this Chapter, Chapter IV and Chapter VI for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.’

8        Article 12 of that directive, entitled ‘Right of access’, provides:

‘Member States shall guarantee every data subject the right to obtain from the controller:

(b)      as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;

…’

9        Article 14 of that directive, entitled ‘The data subject’s right to object’, provides:

‘Member States shall grant the data subject the right:

(a)      at least in the cases referred to in Article 7(e) and (f), to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation. Where there is a justified objection, the processing instigated by the controller may no longer involve those data;

…’

10      Article 24 of Directive 95/46, entitled ‘Sanctions’, provides:

‘The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.’

11      Article 28 of that directive, entitled ‘Supervisory authority’, is worded as follows:

‘1.      Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive.

3.      Each authority shall in particular be endowed with:

–        investigative powers, such as powers of access to data forming the subject matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties,

–        effective powers of intervention, such as, for example, that of … ordering the blocking, erasure or destruction of data, [or] of imposing a temporary or definitive ban on processing …

Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts.

4.      Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.

6.      Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.

The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.

…’

 Regulation (EU) 2016/679

12      Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 (General Data Protection Regulation) (OJ 2016 L 119, p. 1, and Corrigendum OJ 2018 L 127, p. 2), which is based on Article 16 TFEU, is applicable, pursuant to Article 99(2) thereof, from 25 May 2018. Article 94(1) of that regulation provides that Directive 95/46 is repealed with effect from that date.

13      Recitals 1, 4, 9 to 11, 13, 22 to 25 and 65 of that regulation state:

‘(1)      The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (“the Charter”) and Article 16(1) [TFEU] provide that everyone has the right to the protection of personal data concerning him or her.

(4)      The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, … the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information [and] freedom to conduct a business …

(9)       … Directive 95/46 … has not prevented fragmentation in the implementation of data protection across the Union … Differences in the level of protection … in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union …

(10)      In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. …

(11)      Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.

(13)      In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, … and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. …

(22)      Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. …

(23)      In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. …

(24)      The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

(25)      Where Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State’s diplomatic mission or consular post.

(65)      A data subject should have … a “right to be forgotten” where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject … However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information …’

14      Article 3 of Regulation 2016/679, entitled ‘Territorial scope’, is worded as follows:

‘1.      This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2.      This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a)      the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b)      the monitoring of their behaviour as far as their behaviour takes place within the Union.

3.      This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.’

15      Article 4(23) of that regulation defines the concept of ‘cross-border processing’ as follows:

‘(a)      processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

(b)      processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State’.

16      Article 17 of that regulation, entitled ‘Right to erasure (“right to be forgotten”)’, is worded as follows:

‘1.      The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a)      the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b)      the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(c)      the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d)      the personal data have been unlawfully processed;

(e)      the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f)      the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

3.      Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a)      for exercising the right of freedom of expression and information;

…’

17      Article 21 of that regulation, entitled ‘Right to object’, provides, in paragraph 1 thereof:

‘The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.’

18      Article 55 of Regulation 2016/679, entitled ‘Competence’, which forms part of Chapter VI of that regulation, itself entitled ‘Independent supervisory authorities’, provides, in paragraph 1 thereof:

‘Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.’

19      Article 56 of that regulation, entitled ‘Competence of the lead supervisory authority’, states:

‘1.      Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.

2.      By derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.

3.      In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.

4.      Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply. The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60(3).

5.      Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it according to Articles 61 and 62.

6.      The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.’

20      Article 58 of that regulation, entitled ‘Powers’, provides, in paragraph 2 thereof:

‘Each supervisory authority shall have all of the following corrective powers:

(g)      to order the … erasure of personal data … pursuant to … [Article] … 17 …;

(i)      to impose an administrative fine … in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case’.

21      Under Chapter VII of Regulation 2016/679, entitled ‘Cooperation and consistency’, Section I, entitled ‘Cooperation’, includes Articles 60 to 62 of that regulation. Article 60, entitled ‘Cooperation between the lead supervisory authority and the other supervisory authorities concerned’, provides:

‘1.      The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.

2.      The lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.

3.      The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.

4.      Where any of the other supervisory authorities concerned within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.

5.      Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.

6.      Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.

7.      The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant on the decision.

8.      By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.

9.      Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. …

10.      After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.

11.      Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.

…’

22      Article 61 of that regulation, entitled ‘Mutual assistance’, states, in paragraph 1 thereof:

‘Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective cooperation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations.’

23      Article 62 of that regulation, entitled ‘Joint operations of supervisory authorities’, provides:

‘1.      The supervisory authorities shall, where appropriate, conduct joint operations including joint investigations and joint enforcement measures in which members or staff of the supervisory authorities of other Member States are involved.

2.      Where the controller or processor has establishments in several Member States or where a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in joint operations. …’

24      Section 2, entitled ‘Consistency’, of Chapter VII of Regulation 2016/679 includes Articles 63 to 67 of that regulation. Article 63, entitled ‘Consistency mechanism’, is worded as follows:

‘In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.’

25      Article 65 of that regulation, entitled ‘Dispute resolution by the Board’, provides, in paragraph 1 thereof:

‘In order to ensure the correct and consistent application of this Regulation in individual cases, the Board shall adopt a binding decision in the following cases:

(a)      where, in a case referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead supervisory authority and the lead supervisory authority has not followed the objection or has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is an infringement of this Regulation;

(b)      where there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment;

…’

26      Article 66 of that regulation, entitled ‘Urgency procedure’, provides, in paragraph 1 thereof:

‘In exceptional circumstances, where a supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65 or the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months. The supervisory authority shall, without delay, communicate those measures and the reasons for adopting them to the other supervisory authorities concerned, to the Board and to the Commission.’

27      Article 85 of Regulation 2016/679, entitled ‘Processing and freedom of expression and information’, states:

‘1.      Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.

2.      For processing carried out for journalistic purposes or the purpose of academic, artistic or literary expression, Member States shall provide for exemptions or derogations from Chapter II (principles), Chapter III (rights of the data subject), Chapter IV (controller and processor), Chapter V (transfer of personal data to third countries or international organisations), Chapter VI (independent supervisory authorities), Chapter VII (cooperation and consistency) and Chapter IX (specific data processing situations) if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.

…’

 French law

28      Directive 95/46 is implemented in French law by loi n° 78-17, du 6 janvier 1978, relative à l’informatique, aux fichiers et aux libertés (Law No 78-17 of 6 January 1978 on information technology, data files and civil liberties), in the version applicable to the events in the main proceedings (‘the Law of 6 January 1978’).

29      Article 45 of that law specifies that where the controller fails to fulfil the obligations laid down in that law, the President of the CNIL may serve notice on him to bring the established infringement to an end within a period which the President is to determine. If the controller does not comply with the formal notice served on him, the Select Panel of the CNIL may, after hearing both parties, impose, inter alia, a financial penalty.

 The dispute in the main proceedings and the questions referred for a preliminary ruling

30      By decision of 21 May 2015, the President of the CNIL served formal notice on Google that, when granting a request from a natural person for links to web pages to be removed from the list of results displayed following a search conducted on the basis of that person’s name, it must apply that removal to all its search engine’s domain name extensions.

31      Google refused to comply with that formal notice, confining itself to removing the links in question from only the results displayed following searches conducted from the domain names corresponding to the versions of its search engine in the Member States.

32      The CNIL also regarded as insufficient Google’s further ‘geo-blocking’ proposal, made after expiry of the time limit laid down in the formal notice, whereby internet users would be prevented from accessing the results at issue from an IP (Internet Protocol) address deemed to be located in the State of residence of a data subject after conducting a search on the basis of that data subject’s name, no matter which version of the search engine they used.

33      By an adjudication of 10 March 2016, the CNIL, after finding that Google had failed to comply with that formal notice within the prescribed period, imposed a penalty on that company of EUR 100 000, which was made public.

34      By application lodged with the Conseil d’État (Council of State, France), Google seeks annulment of that adjudication.

35      The Conseil d’État notes that the processing of personal data carried out by the search engine operated by Google falls within the scope of the Law of 6 January 1978, in view of the activities of promoting and selling advertising space carried on in France by its subsidiary Google France.

36      The Conseil d’État also notes that the search engine operated by Google is broken down into different domain names by geographical extensions, in order to tailor the results displayed to the specificities, particularly the linguistic specificities, of the various States in which that company carries on its activities. Where the search is conducted from ‘google.com’, Google, in principle, automatically redirects that search to the domain name corresponding to the State from which that search is deemed to have been made, as identified by the internet user’s IP address. However, regardless of his or her location, the internet user remains free to conduct his or her searches using the search engine’s other domain names. Moreover, although the results may differ depending on the domain name from which the search is conducted on the search engine, it is common ground that the links displayed in response to a search derive from common databases and common indexing.

37      The Conseil d’État considers that, having regard, first, to the fact that Google’s search engine domain names can all be accessed from French territory and, secondly, to the existence of gateways between those various domain names, as illustrated in particular by the automatic redirection mentioned above, as well as by the presence of cookies on extensions of that search engine other than the one on which they were initially deposited, that search engine, which, moreover, has been the subject of only one declaration to the CNIL, must be regarded as carrying out a single act of personal data processing for the purposes of applying the Law of 6 January 1978. As a result, the processing of personal data by the search engine operated by Google is carried out within the framework of one of its installations, Google France, established on French territory, and is therefore subject to the Law of 6 January 1978.

38      Before the Conseil d’État, Google maintains that the penalty at issue is based on a misinterpretation of the provisions of the Law of 6 January 1978, which transpose Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46, on the basis of which the Court, in its judgment of 13 May 2014, Google Spain and Google (C-131/12, EU:C:2014:317), recognised a ‘right to de-referencing’. Google argues that this right does not necessarily require that the links at issue are to be removed, without geographical limitation, from all its search engine’s domain names. In addition, by adopting such an interpretation, the CNIL disregarded the principles of courtesy and non-interference recognised by public international law and disproportionately infringed the freedoms of expression, information, communication and the press guaranteed, in particular, by Article 11 of the Charter.

39      Having noted that this line of argument raises several serious difficulties regarding the interpretation of Directive 95/46, the Conseil d’État has decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      Must the “right to de-referencing”, as established by the [Court] in its judgment of 13 May 2014, [Google Spain and Google (C-131/12, EU:C:2014:317),] on the basis of the provisions of [Article 12(b) and subparagraph (a) of the first paragraph of Article 14] of Directive [95/46], be interpreted as meaning that a search engine operator is required, when granting a request for de-referencing, to deploy the de-referencing to all of the domain names used by its search engine so that the links at issue no longer appear, irrespective of the place from where the search initiated on the basis of the requester’s name is conducted, and even if it is conducted from a place outside the territorial scope of Directive [95/46]?

(2)      In the event that Question 1 is answered in the negative, must the “right to de-referencing”, as established by the [Court] in the judgment cited above, be interpreted as meaning that a search engine operator is required, when granting a request for de-referencing, only to remove the links at issue from the results displayed following a search conducted on the basis of the requester’s name on the domain name corresponding to the State in which the request is deemed to have been made or, more generally, on the domain names distinguished by the national extensions used by that search engine for all of the Member States …?

(3)      Moreover, in addition to the obligation mentioned in Question 2, must the “right to de-referencing” as established by the [Court] in its judgment cited above, be interpreted as meaning that a search engine operator is required, when granting a request for de-referencing, to remove the results at issue, by using the “geo-blocking” technique, from searches conducted on the basis of the requester’s name from an IP address deemed to be located in the State of residence of the person benefiting from the “right to de-referencing”, or even, more generally, from an IP address deemed to be located in one of the Member States subject to Directive [95/46], regardless of the domain name used by the internet user conducting the search?’

 Consideration of the questions referred

40      The case in the main proceedings is the result of a dispute between Google and the CNIL as to how a search engine operator, where it establishes that a data subject is entitled to have one or more links to web pages containing personal data concerning him or her removed from the list of results which is displayed following a search conducted on the basis of his or her name, is to give effect to that right to de-referencing. Although Directive 95/46 was applicable on the date the request for a preliminary ruling was made, it was repealed with effect from 25 May 2018, from which date Regulation 2016/679 is applicable.

41      The Court will examine the questions referred in the light of both that directive and that regulation in order to ensure that its answers will be of use to the referring court in any event.

42      During the proceedings before the Court, Google explained that, following the bringing of the request for a preliminary ruling, it has implemented a new layout for the national versions of its search engine, in which the domain name entered by the internet user no longer determines the national version of the search engine accessed by that user. Thus, the internet user is now automatically directed to the national version of Google’s search engine that corresponds to the place from where he or she is presumed to be conducting the search, and the results of that search are displayed according to that place, which is determined by Google using a geo-location process.

43      In those circumstances, the questions referred, which must be dealt with together, should be understood as seeking to ascertain, in essence, whether Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 and Article 17(1) of Regulation 2016/679 are to be interpreted as meaning that, where a search engine operator grants a request for de-referencing pursuant to those provisions, that operator is required to carry out that de-referencing on all versions of its search engine, or whether, on the contrary, it is required to do so only on the versions of that search engine corresponding to all the Member States, or even only on the version corresponding to the Member State in which the request for de-referencing was made, using, where appropriate, the technique known as ‘geo-blocking’ in order to ensure that an internet user cannot, regardless of the national version of the search engine used, gain access to the links concerned by the de-referencing in the context of a search conducted from an IP address deemed to be located in the Member State of residence of the person benefiting from the right to de-referencing or, more broadly, in any Member State.

44      As a preliminary point, it should be borne in mind that the Court has held that Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful (judgment of 13 May 2014, Google Spain and Google, C-131/12, EU:C:2014:317, paragraph 88).

45      The Court has also stated that, when appraising the conditions for the application of those same provisions, it should inter alia be examined whether the data subject has a right that the information in question relating to him or her personally should, at that point in time, no longer be linked to his or her name by a list of results displayed following a search made on the basis of his or her name, without it being necessary in order to find such a right that the inclusion of the information in question in that list causes prejudice to the data subject. As the data subject may, in the light of his or her fundamental rights under Articles 7 and 8 of the Charter, request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results, those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his or her fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question (judgment of 13 May 2014, Google Spain and Google, C-131/12, EU:C:2014:317, paragraph 99).

46      In the context of Regulation 2016/679, that right of a data subject to de-referencing is now based on Article 17 of that regulation, which specifically governs the ‘right to erasure’, also referred to, in the heading of that article, as the ‘right to be forgotten’.

47      Pursuant to Article 17(1) of Regulation 2016/679, a data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller has the obligation to erase personal data without undue delay where one of the grounds listed in that provision applies. Article 17(3) of that regulation specifies that Article 17(1) does not apply to the extent that processing is necessary for one of the reasons listed in the former provision. Those reasons include, in particular, under Article 17(3)(a) of that regulation, the exercise of the right of, inter alia, freedom of information of internet users.

48      It follows from Article 4(1)(a) of Directive 95/46 and Article 3(1) of Regulation 2016/679 that both that directive and that regulation permit data subjects to assert their right to de-referencing against a search engine operator who has one or more establishments in the territory of the Union in the context of activities involving the processing of personal data concerning those data subjects, regardless of whether that processing takes place in the Union or not.

49      In that regard, the Court has held that the processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a Member State when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that search engine and which orientates its activity towards the inhabitants of that Member State (judgment of 13 May 2014, Google Spain and Google, C-131/12, EU:C:2014:317, paragraph 60).

50      In such circumstances, the activities of the operator of the search engine and those of its establishment situated in the Union are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that search engine is, at the same time, the means enabling those activities to be performed, the display of the list of results being accompanied, on the same page, by the display of advertising linked to the search terms (see, to that effect, judgment of 13 May 2014, Google Spain and Google, C-131/12, EU:C:2014:317, paragraphs 56 and 57).

51      That being so, the fact that the search engine is operated by an undertaking that has its seat in a third State cannot result in the processing of personal data carried out for the purposes of the operation of that search engine in the context of the advertising and commercial activity of an establishment of the controller on the territory of a Member State escaping the obligations and guarantees laid down by Directive 95/46 and Regulation 2016/679 (see, to that effect, judgment of 13 May 2014, Google Spain and Google, C-131/12, EU:C:2014:317, paragraph 58).

52      In the present case, it is apparent from the information provided in the order for reference, first, that Google’s establishment in French territory carries on, inter alia, commercial and advertising activities, which are inextricably linked to the processing of personal data carried out for the purposes of operating the search engine concerned, and, second, that that search engine must, in view of, inter alia, the existence of gateways between its various national versions, be regarded as carrying out a single act of personal data processing. The referring court considers that, in those circumstances, that act of processing is carried out within the framework of Google’s establishment in French territory. It thus appears that such a situation falls within the territorial scope of Directive 95/46 and Regulation 2016/679.

53      By its questions, the referring court seeks to determine the territorial scope which must be conferred on a de-referencing in such a situation.

54      In that regard, it is apparent from recital 10 of Directive 95/46 and recitals 10, 11 and 13 of Regulation 2016/679, which was adopted on the basis of Article 16 TFEU, that the objective of that directive and that regulation is to guarantee a high level of protection of personal data throughout the European Union.

55      It is true that a de-referencing carried out on all the versions of a search engine would meet that objective in full.

56      The internet is a global network without borders and search engines render the information and links contained in a list of results displayed following a search conducted on the basis of an individual’s name ubiquitous (see, to that effect, judgments of 13 May 2014, Google Spain and Google, C-131/12, EU:C:2014:317, paragraph 80, and of 17 October 2017, Bolagsupplysningen and Ilsjan, C-194/16, EU:C:2017:766, paragraph 48).

57      In a globalised world, internet users’ access — including those outside the Union — to the referencing of a link referring to information regarding a person whose centre of interests is situated in the Union is thus likely to have immediate and substantial effects on that person within the Union itself.

58      Such considerations are such as to justify the existence of a competence on the part of the EU legislature to lay down the obligation, for a search engine operator, to carry out, when granting a request for de-referencing made by such a person, a de-referencing on all the versions of its search engine.

59      That being said, it should be emphasised that numerous third States do not recognise the right to de-referencing or have a different approach to that right.

60      Moreover, the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality (see, to that effect, judgment of 9 November 2010, Volker und Markus Schecke and Eifert, C-92/09 and C-93/09, EU:C:2010:662, paragraph 48, and Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017, EU:C:2017:592, point 136). Furthermore, the balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world.

61      While the EU legislature has, in Article 17(3)(a) of Regulation 2016/679, struck a balance between that right and that freedom so far as the Union is concerned (see, to that effect, today’s judgment, GC and Others (De-referencing of sensitive data), C-136/17, paragraph 59), it must be found that, by contrast, it has not, to date, struck such a balance as regards the scope of a de-referencing outside the Union.

62      In particular, it is in no way apparent from the wording of Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 or Article 17 of Regulation 2016/679 that the EU legislature would, for the purposes of ensuring that the objective referred to in paragraph 54 above is met, have chosen to confer a scope on the rights enshrined in those provisions which would go beyond the territory of the Member States and that it would have intended to impose on an operator which, like Google, falls within the scope of that directive or that regulation a de-referencing obligation which also concerns the national versions of its search engine that do not correspond to the Member States.

63      Moreover, although Regulation 2016/679 provides the supervisory authorities of the Member States, in Articles 56 and 60 to 66 thereof, with the instruments and mechanisms enabling them, where appropriate, to cooperate in order to come to a joint decision based on weighing a data subject’s right to privacy and the protection of personal data concerning him or her against the interest of the public in various Member States in having access to information, it must be found that EU law does not currently provide for such cooperation instruments and mechanisms as regards the scope of a de-referencing outside the Union.

64      It follows that, currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.

65      Having regard to all of the foregoing, a search engine operator cannot be required, under Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 and Article 17(1) of Regulation 2016/679, to carry out a de-referencing on all the versions of its search engine.

66      Regarding the question whether such a de-referencing is to be carried out on the versions of the search engine corresponding to the Member States or only on the version of that search engine corresponding to the Member State of residence of the person benefiting from the de-referencing, it follows from, inter alia, the fact that the EU legislature has now chosen to lay down the rules concerning data protection by way of a regulation, which is directly applicable in all the Member States, which has been done, as is emphasised by recital 10 of Regulation 2016/679, in order to ensure a consistent and high level of protection throughout the European Union and to remove the obstacles to flows of personal data within the Union, that the de-referencing in question is, in principle, supposed to be carried out in respect of all the Member States.

67      However, it should be pointed out that the interest of the public in accessing information may, even within the Union, vary from one Member State to another, meaning that the result of weighing up that interest, on the one hand, and a data subject’s rights to privacy and the protection of personal data, on the other, is not necessarily the same for all the Member States, especially since, under Article 9 of Directive 95/46 and Article 85 of Regulation 2016/679, it is for the Member States, in particular as regards processing undertaken solely for journalistic purposes or for the purpose of artistic or literary expression, to provide for the exemptions and derogations necessary to reconcile those rights with, inter alia, the freedom of information.

68      It follows from, inter alia, Articles 56 and 60 of Regulation 2016/679 that, for cross-border processing as defined in Article 4(23) of that regulation, and subject to Article 56(2) thereof, the various national supervisory authorities concerned must cooperate, in accordance with the procedure laid down in those provisions, in order to reach a consensus and a single decision which is binding on all those authorities and with which the controller must ensure compliance as regards processing activities in the context of all its establishments in the Union. Moreover, Article 61(1) of Regulation 2016/679 obliges the supervisory authorities, in particular, to provide each other with relevant information and mutual assistance in order to implement and to apply that regulation in a consistent manner throughout the Union, and Article 63 of that regulation specifies that it is for this purpose that provision has been made for the consistency mechanism set out in Articles 64 and 65 thereof. Lastly, the urgency procedure provided for in Article 66 of Regulation 2016/679 permits the immediate adoption, in exceptional circumstances, where a supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, of provisional measures intended to produce legal effects on its own territory with a specified period of validity which is not to exceed three months.

69      That regulatory framework thus provides the national supervisory authorities with the instruments and mechanisms necessary to reconcile a data subject’s rights to privacy and the protection of personal data with the interest of the whole public throughout the Member States in accessing the information in question and, accordingly, to be able to adopt, where appropriate, a de-referencing decision which covers all searches conducted from the territory of the Union on the basis of that data subject’s name.

70      In addition, it is for the search engine operator to take, if necessary, sufficiently effective measures to ensure the effective protection of the data subject’s fundamental rights. Those measures must themselves meet all the legal requirements and have the effect of preventing or, at the very least, seriously discouraging internet users in the Member States from gaining access to the links in question using a search conducted on the basis of that data subject’s name (see, by analogy, judgments of 27 March 2014, UPC Telekabel Wien, C-314/12, EU:C:2014:192, paragraph 62, and of 15 September 2016, McFadden, C-484/14, EU:C:2016:689, paragraph 96).

71      It is for the referring court to ascertain whether, also having regard to the recent changes made to its search engine as set out in paragraph 42 above, the measures adopted or proposed by Google meet those requirements.

72      Lastly, it should be emphasised that, while, as noted in paragraph 64 above, EU law does not currently require that the de-referencing granted concern all versions of the search engine in question, it also does not prohibit such a practice. Accordingly, a supervisory or judicial authority of a Member State remains competent to weigh up, in the light of national standards of protection of fundamental rights (see, to that effect, judgments of 26 February 2013, Åkerberg Fransson, C-617/10, EU:C:2013:105, paragraph 29, and of 26 February 2013, Melloni, C-399/11, EU:C:2013:107, paragraph 60), a data subject’s right to privacy and the protection of personal data concerning him or her, on the one hand, and the right to freedom of information, on the other, and, after weighing those rights against each other, to order, where appropriate, the operator of that search engine to carry out a de-referencing concerning all versions of that search engine.

73      In the light of all of the foregoing, the answer to the questions referred is that, on a proper construction of Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 and Article 17(1) of Regulation 2016/679, where a search engine operator grants a request for de-referencing pursuant to those provisions, that operator is not required to carry out that de-referencing on all versions of its search engine, but on the versions of that search engine corresponding to all the Member States, using, where necessary, measures which, while meeting the legal requirements, effectively prevent or, at the very least, seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subject’s name from gaining access, via the list of results displayed following that search, to the links which are the subject of that request.

 Costs

74      Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (Grand Chamber) hereby rules:

On a proper construction of Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and of Article 17(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 (General Data Protection Regulation), where a search engine operator grants a request for de-referencing pursuant to those provisions, that operator is not required to carry out that de-referencing on all versions of its search engine, but on the versions of that search engine corresponding to all the Member States, using, where necessary, measures which, while meeting the legal requirements, effectively prevent or, at the very least, seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subject’s name from gaining access, via the list of results displayed following that search, to the links which are the subject of that request.

[Signatures]

*      Language of the case: French.


