On 24 September 2019, the CJEU handed down a major new
judgment concerning the application of the right to be forgotten in data
protection law, considering how that right was to apply in the context of sensitive
personal data (or, under the GDPR, special category data) returned by online
search engine results: Case C-136/17 GC & others v CNIL
(EU:C:2019:773).
The CJEU rejected suggestions of a strict interpretative
approach to data protection law in relation to sensitive personal data, and
where the operator of a search engine receives a request for de-referencing
relating to a link to a web page on which sensitive data are published, the
operator must, on the basis of all the relevant factors of the particular case
and taking into account the seriousness of the interference with the data
subject’s fundamental rights to privacy and protection of personal data,
ascertain whether the inclusion of that link in the list of results displayed
following a search on the basis of the data subject’s name is strictly
necessary for protecting the freedom of information of internet users
potentially interested in accessing that web page by means of such a search.
The CJEU emphasised that the search engine was responsible only for the
referencing and display of search results, and not the substantive content of
the third party webpages to which it provided access.
Christopher Knight acted, as sole counsel, for the United Kingdom, which had argued for the necessity of a balancing exercise to be carried out when considering sensitive personal data, in accordance with Article 29 Working Party guidelines. The judgment of the CJEU is available here.







