The Judgment in Case C-136/17 GC and Others v Commission nationale de l’informatique et des libertés (CNIL, the French Data Protection Authority) has determined that operators of search engines can also be subject to the prohibition of processing of certain categories of sensitive personal data.

The judgement handed down today, attempts to strike a balance with respect to de-referencing “between the fundamental rights of the person requesting the de-referencing and those of internet users potentially interested in that information”.

A case was brought by a number of individuals before the French Council of State against the French Data Protection Authority (CNIL) concerning four decisions made by the CNIL where it refused to require Google to de-reference links that appeared when searching the names of the individuals.

The French Council of State requested clarification from the CJEU on the interpretation of EU data protection law including to establish whether, “having regard to the specific responsibilities, powers and capabilities of the operator of a search engine, the prohibition imposed on other controllers on processing data falling within certain special categories (such as political opinions, religious or philosophical beliefs and sex life) applies also to the operator of a search engine.”

The CJEU noted that as a search engine’s behaviour may significantly affect the fundamental rights to the protection of personal data and privacy, they must ensure that their activity (in determining the means and purposes of their activities) adheres to European law “in order that the guarantees laid down by EU law may have full effect and that effective and complete protection of data subjects, in particular of their right to privacy, may actually be achieved.”

The Court also affirmed that the processing of sensitive personal data (data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs; trade-union membership; genetic data, biometric data processed solely to identify a human being; health-related data; data concerning a person’s sex life or sexual orientation) shall be prohibited save specific exemptions and derogations. Furthermore, data related to criminal offences, convictions and security measures “may be carried out only under the control of official authority, and a complete register of criminal convictions may be kept only under the control of official authority” and are subject to derogations.

“…the operator of a search engine is responsible not because personal data referred to in those provisions appear on a web page published by a third party but because of the referencing of that page and in particular the display of the link to that web page in the list of results presented to internet users following a search. It is by reason of that referencing and thus via a verification, under the supervision of the competent national authorities, on the basis of a request by the data subject, that the prohibition or restrictions can apply to the operator of a search engine.”

When search engines receive de-referencing requests to a link continuing sensitive personal data, the operator is required to examine the specific case and its impact on the individual’s right to privacy and to “ascertain whether the inclusion of that link in the list of results displayed following a search on the basis of the data subject’s name is strictly necessary for protecting the freedom of information of internet users potentially interested in accessing that web page by means of such a search.”

The operator of a search engine is thus required to examine specific cases involving criminal proceedings, for example, in order to determine if the fundamental rights of the data subject overrule the rights of individuals to such information and the freedom of information.

To read more specifics, see the complete press release here.