By its judgment of 13 May 2014 in the Google Spain and Google case the Court set out that, under the EU data protection directive, an internet search engine operator is responsible for the processing that it carries out on personal data which appear on web pages published by third parties. Thus, if, following a search made on the basis of a person’s name, the list of results displays a link to a web page which contains information on the person in question, that data subject may approach the operator directly and, where the operator does not grant his request, bring the matter before the competent authorities in order to obtain, under certain conditions, the removal of that link from the list of results.By two judgments of 24 September 2019 in two French cases over Google, the Court added new elements to its case-law on the internet search engine operator’s responsibility for protecting personal data. On the one hand, the Court ruled that the personal scope of the prohibition, which, under EU law on the protection of personal data, applies as a general rule to processing certain categories of sensitive personal data, also encompasses the operators of search engines. Moreover, the Court pointed out that, in the context of a request for de-referencing regarding sensitive data, a balance must be struck between the fundamental rights of the person requesting the de-referencing and those of internet users potentially interested in that information.On the other hand, as to the territorial scope of the internet search engine operator’s responsibility at issue, the Court set out that the operator is not required to carry out a de-referencing on all versions of its search engine. It is, however, required to carry out that de-referencing on the versions which specifically target the general public of any of the EU member states, and to discourage internet users from gaining access, from one of the member states, to de-referenced links appearing on versions of that search engine outside the EU.
Read full abstract