|In Case C-136/17 GC and Others v Commission nationale de l’informatique et des libertés (CNIL), the CJEU determined that the prohibition on processing certain categories of sensitive personal data applies also to operators of search engines and that in the context of a request for de-referencing, a balance must be struck between the fundamental rights of the person requesting the de-referencing and those of internet users potentially interested in that information. In this specific case, the French Council of State requested clarification from the CJEU “to establish whether, having regard to the specific responsibilities, powers and capabilities of the operator of a search engine, the prohibition imposed on other controllers on processing data falling within certain special categories (such as political opinions, religious or philosophical beliefs and sex life) applies also to the operator of a search engine.” |
The CJEU determined that, “in so far as the activity of a search engine is liable to affect significantly, and additionally compared with that of the publishers of websites, the fundamental rights to privacy and to the protection of personal data, the operator of the search engine as the person determining the purposes and means of that activity must ensure, within the framework of his responsibilities, powers and capabilities, that the activity meets the requirements of EU law in order that the guarantees laid down by EU law may have full effect and that effective and complete protection of data subjects, in particular of their right to privacy, may actually be achieved.” And that “It is by reason of that referencing and thus via a verification, under the supervision of the competent national authorities, on the basis of a request by the data subject, that the prohibition or restrictions can apply to the operator of a search engine.”
The Court therefore concluded that, “where the operator of a search engine receives a request for de-referencing relating to a link to a web page on which sensitive data are published, the operator must, on the basis of all the relevant factors of the particular case and taking into account the seriousness of the interference with the data subject’s fundamental rights to privacy and protection of personal data, ascertain whether the inclusion of that link in the list of results displayed following a search on the basis of the data subject’s name is strictly necessary for protecting the freedom of information of internet users potentially interested in accessing that web page by means of such a search.”
However, the CJEU noted that search engine operators are not responsible for the fact that personal data are published on third party websites, but “because of the referencing of that page and in particular the display of the link to that web page in the list of results presented to internet users following a search.”
In this Decision, the CJEU confirmed that search engines are to be considered data controllers becasue in displaying links to users following a search, the prohibition or restrictions provided for in the GDPR (such as restrictions on processing special categories of data) apply to the operator of a search engine. It is noteworthy that coherently, also with the relevant liability regime, the operator of a search engine is not responsible for what appears on the web page published by a third party.