France - CNIL issues €100,000 fine against Google Inc. over the 'right to be forgotten'
Published 19 April 2016
The CJEU decision dated 13 May 2014 (the Google Spain case), required that upon a data subject’s valid request, operators of search engines should erase any data that appeared to be inadequate, irrelevant or excessive in relation to the purposes for which they have been processed. Following this decision, the French Data Protection Authority (the “CNIL”) issued a formal notice on 21 May 2015 requiring that Google Inc. proceeds with delisting on all of the search engine's domain names and not just the European ones.
On 10 March 2016 the CNIL issued Google Inc. with a fine of €100,000 (the "Fine"). The Fine was based on Articles 38 and 40 of the Law n° 78-17 of January 6th 1978 on Information Technology, Data Files and Civil Liberties (the “French Data Protection Act”) which provides data subjects with the rights to erasure and objection to the processing of their personal data (the "Decision").
The main points of the Decision, relate to the following:
1. CNIL’s territorial jurisdiction
Google Inc. argued that the CNIL does not have jurisdiction over search engines that are accessible through domain names that are not French (e.g. google.com) and which cannot be, as such, directly linked to its subsidiary Google France.
However, the CNIL considered that Google Search in its entirety constitutes a single data processing operation, regardless of the fact that the search results could be reached through various domain names. Therefore, considering that through its subsidiary Google France, which promotes and sells advertising space, Google Inc. participates in the data processing by virtue of its role as data controller, the CNIL found itself to have jurisdiction over this single data processing operation that concerns the personal data of French residents.
2. Efficiency of the delisting, freedom of expression and information
The CNIL stated that the right to privacy of French data subjects would not be efficiently protected if, despite the request to delist their data from the search results, they could still be easily accessed through the use of Google Search of any of its non-European domain names.
On 21 January 2016, Google suggested extending its delisting policy and restricting access to the delisted URL to all of its domain names with respect to searches carried out from the country where the delisting request was made, i.e. France. The CNIL considered such a solution to be insufficient and one which would be unable to provide adequate safeguards to the privacy rights of the French data subjects, as the results would still be accessible in other countries and access to the delisted contents could be possible by using tools such as VPN.
Finally, Google Inc.’s argument that a global delisting would disproportionally impede the freedom of expression and the right to information did not convince the CNIL who highlighted that delisting requirements were subject to a proportionality test.
It is also noted that the Decision is part of CNIL’s increasing activity with regards to its control activities and the application of sanctions; recently Optical Center was issued a fine of € 50,000 and Facebook has been served with a formal notice. The French Digital Republic Bill recently discussed, before the French Parliament, increasing CNIL’s powers and, in line with the GDPR, increasing the amounts of applicable sanctions.
To view the Decision, please click here.
Submitted by Thierry Dor (Partner) and Dane Rimsevica (Associate) of the IP/TMT department of Gide Loyrette Nouel - Paris, France