In News

On September 24th the CJEU delivered two new rulings (C-136/17 and C-507/17) on search engine operators’ liability for processing special categories of personal data.

In the first case, the CJEU declared that the prohibition on processing certain categories of sensitive personal data applies also to operators of search engines. The court concluded that an operator is responsible not for the personal data published on a referred webpage, but for the reference made by producing links and displaying them in a list of results following an internet user’s search relating to his or her name. Upon request from a user the operator must therefore de-reference the relevant links, provided that the operator’s processing is not covered by any valid exception.

The court stated that even though the data subject’s fundamental rights to privacy and protection of data as a general rule should override the freedom of information, this could not always be the case. The operator must, upon a request for de-referencing, consider the relevant factors of the particular case and determine whether the relevant reference to the third-party webpage is strictly necessary for protecting the freedom of information of internet users potentially interested in accessing the relevant webpage.

In case the request for de-referencing concerns personal data relating to earlier stages of criminal proceedings, and the operator finds that the data subject’s rights in the particular case cannot outweigh the freedom of information, the operator is nevertheless obliged to adjust the list of results in such a way that the overall picture reflects the current legal position, meaning that if a person has been acquitted of charges, links mediating that sort of information should be placed on top of the list.

The full ruling can be found here.

Although in some cases there is an obligation for search engine operators to accede to requests for de-referencing, such an obligation does not include a requirement for the de-referencing to be made on all versions of the particular search engine. This was judged by the CJEU in the second case, where the court stated that an obligation for operators to de-reference shall be carried out in all EU member states, but that the EU law in its current form cannot obligate the de-referencing of links in lists of results following searches made on search engine versions based outside the EU. However, the operators may be requested to put measures in place to discourage internet users in the EU from using such search engine versions in order to access the de-referenced results.

The full ruling can be found here.

Time Advokatbyrå continuously provides advice within the field of data protection. If you would like to know more about this ruling or need assistance with data protection legislation, please reach out to Alexander Berger, head of Data Privacy.