24 September 2019 (*1)

(Reference for a preliminary ruling — Personal data — Protection of individuals with regard to the processing of such data — Directive 95/46/EC — Regulation (EU) 2016/679 — Internet search engines — Processing of data on web pages — Territorial scope of the right to de-referencing)

In Case C‑507/17,

REQUEST for a preliminary ruling under Article 267 TFEU from the Conseil d’État (Council of State, France), made by decision of 19 July 2017, received at the Court on 21 August 2017, in the proceedings

Commission nationale de l’informatique et des libertés (CNIL),

in the presence of:

Wikimedia Foundation Inc.,

Fondation pour la liberté de la presse,

Microsoft Corp.,

Reporters Committee for Freedom of the Press and Others,

Article 19 and Others,

Internet Freedom Foundation and Others,

Défenseur des droits,

THE COURT (Grand Chamber),

composed of K. Lenaerts, President, A. Arabadjiev, E. Regan, T. von Danwitz, C. Toader and F. Biltgen, Presidents of Chambers, M. Ilešič (Rapporteur), L. Bay Larsen, M. Safjan, D. Šváby, C.G. Fernlund, C. Vajda and S. Rodin, judges,

Advocate General: M. Szpunar,

Registrar: V. Giacobbo-Peyronnel, Administrator,

having regard to the written procedure and further to the hearing on 11 September 2018,

after considering the observations submitted on behalf of:

–Google LLC, by P. Spinosi, Y. Pelosi and W. Maxwell, avocats,

–the Commission nationale de l’informatique et des libertés (CNIL), by I. Falque‑Pierrotin, J. Lessi and G. Le Grand, acting as Agents,

–Wikimedia Foundation Inc., by C. Rameix‑Seguin, avocate,

–the Fondation pour la liberté de la presse, by T. Haas, avocat,

–Microsoft Corp., by E. Piwnica, avocat,

–the Reporters Committee for Freedom of the Press and Others, by F. Louis, avocat, and by H.-G. Kamann, C. Schwedler and M. Braun, Rechtsanwälte,

–Article 19 and Others, by G. Tapie, avocat, G. Facenna QC, and E. Metcalfe, Barrister,

–Internet Freedom Foundation and Others, by T. Haas, avocat,

–the Défenseur des droits, by J. Toubon, acting as Agent,

–the French Government, by D. Colas, R. Coesme, E. de Moustier and S. Ghiandoni, acting as Agents,

–Ireland, by M. Browne, G. Hodge, J. Quaney and A. Joyce, acting as Agents, and by M. Gray, Barrister-at-Law,

–the Greek Government, by E.-M. Mamouna, G. Papadaki, E. Zisi and S. Papaioannou, acting as Agents,

–the Italian Government, by G. Palmieri, acting as Agent, and by R. Guizzi, avvocato dello Stato,

–the Austrian Government, by G. Eberhard and G. Kunnert, acting as Agents,

–the Polish Government, by B. Majczyna, M. Pawlicka and J. Sawicka, acting as Agents,

–the European Commission, by A. Buchet, H. Kranenborg and D. Nardi, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 10 January 2019,

gives the following

1This request for a preliminary ruling concerns the interpretation of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).

2The request has been made in proceedings between Google LLC, successor in law to Google Inc., and the Commission nationale de l’informatique et des libertés (French Data Protection Authority, France) (‘the CNIL’) concerning a penalty of EUR 100000 imposed by the CNIL on Google because of that company’s refusal, when granting a de-referencing request, to apply it to all its search engine’s domain name extensions.

Legal context

European Union law

3According to Article 1(1) thereof, the purpose of Directive 95/46 is to protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data, and to remove obstacles to the free movement of such data.

Recitals 2, 7, 10, 18, 20 and 37 of Directive 95/46 state:

‘(2) Where as data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to … the well-being of individuals;

…

(7) Whereas the difference in levels of protection of the rights and freedoms of individuals, notably the right to privacy, with regard to the processing of personal data afforded in the Member States may prevent the transmission of such data from the territory of one Member State to that of another Member State; whereas this difference may therefore constitute an obstacle to the pursuit of a number of economic activities at Community level …

…

(10)Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognised both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms[, signed in Rome on 4 November 1950,] and in the general principles of Community law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community;

…

(18)Whereas, in order to ensure that individuals are not deprived of the protection to which they are entitled under this Directive, any processing of personal data in the Community must be carried out in accordance with the law of one of the Member States; …

…

(20)Whereas the fact that the processing of data is carried out by a person established in a third country must not stand in the way of the protection of individuals provided for in this Directive; whereas in these cases, the processing should be governed by the law of the Member State in which the means used are located, and there should be guarantees to ensure that the rights and obligations provided for in this Directive are respected in practice;

…

Whereas the processing of personal data for purposes of journalism or for purposes of literary [or] artistic expression, in particular in the audiovisual field, should qualify for exemption from the requirements of certain provisions of this Directive in so far as this is necessary to reconcile the fundamental rights of individuals with freedom of information and notably the right to receive and impart information, as guaranteed in particular in Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms; whereas Member States should therefore lay down exemptions and derogations necessary for the purpose of balance between fundamental rights as regards general measures on the legitimacy of data processing …’

Article 2 of that directive provides:

‘For the purposes of this Directive:

(a)“personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); …

(b)“processing of personal data” (“processing”) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

…

(d)“controller” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; …

…’

Article 4 of that directive, entitled ‘National law applicable’, provides:

(a)the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;

(b)the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law;

(c)the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.

Article 9 of Directive 95/46, entitled ‘Processing of personal data and freedom of expression’, states:

‘Member States shall provide for exemptions or derogations from the provisions of this Chapter, Chapter IV and Chapter VI for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.’

Article 12 of that directive, entitled ‘Right of access’, provides:

‘Member States shall guarantee every data subject the right to obtain from the controller:

…

(b)as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;

…’

Article 14 of that directive, entitled ‘The data subject’s right to object’, provides:

‘Member States shall grant the data subject the right:

(a)at least in the cases referred to in Article 7(e) and (f), to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation. Where there is a justified objection, the processing instigated by the controller may no longer involve those data;

…’

Article 24 of Directive 95/46, entitled ‘Sanctions’, provides:

‘The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.’

Article 28 of that directive, entitled ‘Supervisory authority’, is worded as follows:

…

3. Each authority shall in particular be endowed with:

–investigative powers, such as powers of access to data forming the subject matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties,

–effective powers of intervention, such as, for example, that of … ordering the blocking, erasure or destruction of data, [or] of imposing a temporary or definitive ban on processing …

…

Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts.

…

The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.

…’

Article 2 of that directive provides:

‘For the purposes of this Directive:

(a)“personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); …

(b)“processing of personal data” (“processing”) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

…

(d)“controller” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; …

…’

Article 4 of that directive, entitled ‘National law applicable’, provides:

(a)the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;

(b)the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law;

(c)the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.

Article 9 of Directive 95/46, entitled ‘Processing of personal data and freedom of expression’, states:

‘Member States shall provide for exemptions or derogations from the provisions of this Chapter, Chapter IV and Chapter VI for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.’

Article 12 of that directive, entitled ‘Right of access’, provides:

‘Member States shall guarantee every data subject the right to obtain from the controller:

…

(b)as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;

…’

Article 14 of that directive, entitled ‘The data subject’s right to object’, provides:

‘Member States shall grant the data subject the right:

(a)at least in the cases referred to in Article 7(e) and (f), to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation. Where there is a justified objection, the processing instigated by the controller may no longer involve those data;

…’

Article 24 of Directive 95/46, entitled ‘Sanctions’, provides:

‘The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.’

Article 28 of that directive, entitled ‘Supervisory authority’, is worded as follows:

…

3. Each authority shall in particular be endowed with:

–investigative powers, such as powers of access to data forming the subject matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties,

–effective powers of intervention, such as, for example, that of … ordering the blocking, erasure or destruction of data, [or] of imposing a temporary or definitive ban on processing …

…

Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts.

…

The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.

…’

Article 2 of that directive provides:

‘For the purposes of this Directive:

(a)“personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); …

(b)“processing of personal data” (“processing”) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

…

(d)“controller” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; …

…’

Article 4 of that directive, entitled ‘National law applicable’, provides:

(a)the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;

(b)the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law;

(c)the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.

Article 9 of Directive 95/46, entitled ‘Processing of personal data and freedom of expression’, states:

‘Member States shall provide for exemptions or derogations from the provisions of this Chapter, Chapter IV and Chapter VI for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.’

Article 12 of that directive, entitled ‘Right of access’, provides:

‘Member States shall guarantee every data subject the right to obtain from the controller:

…

(b)as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;

…’

Article 14 of that directive, entitled ‘The data subject’s right to object’, provides:

‘Member States shall grant the data subject the right:

(a)at least in the cases referred to in Article 7(e) and (f), to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation. Where there is a justified objection, the processing instigated by the controller may no longer involve those data;

…’

Article 24 of Directive 95/46, entitled ‘Sanctions’, provides:

‘The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.’

Article 28 of that directive, entitled ‘Supervisory authority’, is worded as follows:

…

3. Each authority shall in particular be endowed with:

–investigative powers, such as powers of access to data forming the subject matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties,

–effective powers of intervention, such as, for example, that of … ordering the blocking, erasure or destruction of data, [or] of imposing a temporary or definitive ban on processing …

…

Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts.

…

The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.

…’

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 (General Data Protection Regulation) (OJ 2016 L 119, p. 1, and Corrigendum OJ 2018 L 127, p. 2), which is based on Article 16 TFEU, is applicable, pursuant to Article 99(2) thereof, from 25 May 2018. Article 94(1) of that regulation provides that Directive 95/46 is repealed with effect from that date.

Recitals 1, 4, 9 to 11, 13, 22 to 25 and 65 of that regulation state:

‘(1) The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (“the Charter”) and Article 16(1) [TFEU] provide that everyone has the right to the protection of personal data concerning him or her.

…

(4) The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, … the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information [and] freedom to conduct a business …

…

(9) … Directive 95/46 … has not prevented fragmentation in the implementation of data protection across the Union … Differences in the level of protection … in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union …

(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. …

(11) Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.

…

(13) In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, … and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. …

…

(22) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. …

(23) In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. …

(24) The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

(25) Where Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State’s diplomatic mission or consular post.

…

(65) A data subject should have … a “right to be forgotten” where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject … However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information …’

Article 3 of Regulation 2016/679, entitled ‘Territorial scope’, is worded as follows:

‘1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

the monitoring of their behaviour as far as their behaviour takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.’

Article 4(23) of that regulation defines the concept of ‘cross-border processing’ as follows:

‘(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State’.

Article 17 of that regulation, entitled ‘Right to erasure (“right to be forgotten”)’, is worded as follows:

‘1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d)the personal data have been unlawfully processed;

(e)the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f)the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

…

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a)for exercising the right of freedom of expression and information;

…’

Article 21 of that regulation, entitled ‘Right to object’, provides, in paragraph 1 thereof:

‘The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.’

Article 55 of Regulation 2016/679, entitled ‘Competence’, which forms part of Chapter VI of that regulation, itself entitled ‘Independent supervisory authorities’, provides, in paragraph 1 thereof:

‘Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.’

Article 56 of that regulation, entitled ‘Competence of the lead supervisory authority’, states:

‘1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.

3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.

Article 58 of that regulation, entitled ‘Powers’, provides, in paragraph 2 thereof:

‘Each supervisory authority shall have all of the following corrective powers:

…

(g)to order the … erasure of personal data … pursuant to … [Article] … 17 …;

…

(i)to impose an administrative fine … in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case.’

Under Chapter VII of Regulation 2016/679, entitled ‘Cooperation and consistency’, Section I, entitled ‘Cooperation’, includes Articles 60 to 62 of that regulation. Article 60, entitled ‘Cooperation between the lead supervisory authority and the other supervisory authorities concerned’, provides:

‘1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.

3. The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.

8. By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.

Article 61 of that regulation, entitled ‘Mutual assistance’, states, in paragraph 1 thereof:

‘Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective cooperation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations.’

Article 62 of that regulation, entitled ‘Joint operations of supervisory authorities’, provides:

‘1. The supervisory authorities shall, where appropriate, conduct joint operations including joint investigations and joint enforcement measures in which members or staff of the supervisory authorities of other Member States are involved.

Section 2, entitled ‘Consistency’, of Chapter VII of Regulation 2016/679 includes Articles 63 to 67 of that regulation. Article 63, entitled ‘Consistency mechanism’, is worded as follows:

‘In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.’

Article 65 of that regulation, entitled ‘Dispute resolution by the Board’, provides, in paragraph 1 thereof:

‘In order to ensure the correct and consistent application of this Regulation in individual cases, the Board shall adopt a binding decision in the following cases:

where, in a case referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead supervisory authority and the lead supervisory authority has not followed the objection or has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is an infringement of this Regulation;

where there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment;

…’

Article 66 of that regulation, entitled ‘Urgency procedure’, provides, in paragraph 1 thereof:

‘In exceptional circumstances, where a supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65 or the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months. The supervisory authority shall, without delay, communicate those measures and the reasons for adopting them to the other supervisory authorities concerned, to the Board and to the Commission.’

Article 85 of Regulation 2016/679, entitled ‘Processing and freedom of expression and information’, states:

‘1. Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.

…’

French law

Directive 95/46 is implemented in French law by loi n° 78-17, du 6 janvier 1978, relative à l’informatique, aux fichiers et aux libertés (Law No 78-17 of 6 January 1978 on information technology, data files and civil liberties), in the version applicable to the events in the main proceedings (‘the Law of 6 January 1978’).

Article 45 of that law specifies that where the controller fails to fulfil the obligations laid down in that law, the President of the CNIL may serve notice on him to bring the established infringement to an end within a period which the President is to determine. If the controller does not comply with the formal notice served on him, the Select Panel of the CNIL may, after hearing both parties, impose, inter alia, a financial penalty.

The dispute in the main proceedings and the questions referred for a preliminary ruling

By decision of 21 May 2015, the President of the CNIL served formal notice on Google that, when granting a request from a natural person for links to web pages to be removed from the list of results displayed following a search conducted on the basis of that person’s name, it must apply that removal to all its search engine’s domain name extensions.

Google refused to comply with that formal notice, confining itself to removing the links in question from only the results displayed following searches conducted from the domain names corresponding to the versions of its search engine in the Member States.

The CNIL also regarded as insufficient Google’s further ‘geo-blocking’ proposal, made after expiry of the time limit laid down in the formal notice, whereby internet users would be prevented from accessing the results at issue from an IP (Internet Protocol) address deemed to be located in the State of residence of a data subject after conducting a search on the basis of that data subject’s name, no matter which version of the search engine they used.

By an adjudication of 10 March 2016, the CNIL, after finding that Google had failed to comply with that formal notice within the prescribed period, imposed a penalty on that company of EUR 100000, which was made public.

By application lodged with the Conseil d’État (Council of State, France), Google seeks annulment of that adjudication.

The Conseil d’État notes that the processing of personal data carried out by the search engine operated by Google falls within the scope of the Law of 6 January 1978, in view of the activities of promoting and selling advertising space carried on in France by its subsidiary Google France.

The Conseil d’État also notes that the search engine operated by Google is broken down into different domain names by geographical extensions, in order to tailor the results displayed to the specificities, particularly the linguistic specificities, of the various States in which that company carries on its activities. Where the search is conducted from ‘google.com’, Google, in principle, automatically redirects that search to the domain name corresponding to the State from which that search is deemed to have been made, as identified by the internet user’s IP address. However, regardless of his or her location, the internet user remains free to conduct his or her searches using the search engine’s other domain names. Moreover, although the results may differ depending on the domain name from which the search is conducted on the search engine, it is common ground that the links displayed in response to a search derive from common databases and common indexing.

The Conseil d’État considers that, having regard, first, to the fact that Google’s search engine domain names can all be accessed from French territory and, secondly, to the existence of gateways between those various domain names, as illustrated in particular by the automatic redirection mentioned above, as well as by the presence of cookies on extensions of that search engine other than the one on which they were initially deposited, that search engine, which, moreover, has been the subject of only one declaration to the CNIL, must be regarded as carrying out a single act of personal data processing for the purposes of applying the Law of 6 January 1978. As a result, the processing of personal data by the search engine operated by Google is carried out within the framework of one of its installations, Google France, established on French territory, and is therefore subject to the Law of 6 January 1978.

Before the Conseil d’État, Google maintains that the penalty at issue is based on a misinterpretation of the provisions of the Law of 6 January 1978, which transpose Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46, on the basis of which the Court, in its judgment of 13 May 2014, Google Spain and Google (C‑131/12, EU:C:2014:317), recognised a ‘right to de-referencing’. Google argues that this right does not necessarily require that the links at issue are to be removed, without geographical limitation, from all its search engine’s domain names. In addition, by adopting such an interpretation, the CNIL disregarded the principles of courtesy and non-interference recognised by public international law and disproportionately infringed the freedoms of expression, information, communication and the press guaranteed, in particular, by Article 11 of the Charter.

Having noted that this line of argument raises several serious difficulties regarding the interpretation of Directive 95/46, the Conseil d’État has decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

Must the “right to de-referencing”, as established by the [Court] in its judgment of 13 May 2014, [Google Spain and Google (C‑131/12, EU:C:2014:317),] on the basis of the provisions of [Article 12(b) and subparagraph (a) of the first paragraph of Article 14] of Directive [95/46], be interpreted as meaning that a search engine operator is required, when granting a request for de-referencing, to deploy the de-referencing to all of the domain names used by its search engine so that the links at issue no longer appear, irrespective of the place from where the search initiated on the basis of the requester’s name is conducted, and even if it is conducted from a place outside the territorial scope of Directive [95/46]?

In the event that Question 1 is answered in the negative, must the “right to de-referencing”, as established by the [Court] in the judgment cited above, be interpreted as meaning that a search engine operator is required, when granting a request for de-referencing, only to remove the links at issue from the results displayed following a search conducted on the basis of the requester’s name on the domain name corresponding to the State in which the request is deemed to have been made or, more generally, on the domain names distinguished by the national extensions used by that search engine for all of the Member States …?

3.