On 24 September 2019, the CJEU handed down a major new judgment concerning the application of the right to be forgotten in data protection law, considering how that right was to apply in the context of sensitive personal data (or, under the GDPR, special category data) returned by online search engine results: Case C-136/17 GC & others v CNIL (EU:C:2019:773).
The CJEU rejected suggestions of a strict interpretative approach to data protection law in relation to sensitive personal data, and where the operator of a search engine receives a request for de-referencing relating to a link to a web page on which sensitive data are published, the operator must, on the basis of all the relevant factors of the particular case and taking into account the seriousness of the interference with the data subject’s fundamental rights to privacy and protection of personal data, ascertain whether the inclusion of that link in the list of results displayed following a search on the basis of the data subject’s name is strictly necessary for protecting the freedom of information of internet users potentially interested in accessing that web page by means of such a search. The CJEU emphasised that the search engine was responsible only for the referencing and display of search results, and not the substantive content of the third party webpages to which it provided access.
Christopher Knight acted, as sole counsel, for the United Kingdom, which had argued for the necessity of a balancing exercise to be carried out when considering sensitive personal data, in accordance with Article 29 Working Party guidelines. The judgment of the CJEU is available here.