Europe preaches from data privacy bully pulpit over right to be forgotten

Profile picture for user slauchlan By Stuart Lauchlan July 28, 2014
Summary:
The European Commission's data commissars are on a mission to get answers from search engine firms about how they'll adhere to the bad law about the right to be forgotten.

Witch Trial
On Thursday this week, Google, Microsoft and Yahoo! have to hand in their homework to the European Commission.

That homework is made up of 20 questions that privacy officials from the 28 European Union countries demanded answers to in relation to how the three search engine firms plan to meet the demands of the European Court of Justice’s (ECJ) right to be forgotten’ ruling.

The ECJ ruled back in May that citizens of the EU are entitled to ask Google et al to remove links to information about them or events relating to them that were deemed now to be irrelevant.

In reality this immediately became a charter for ne’er-do-wells, criminals and public figures, including politicians, with dirty laundry that they wanted tucked away and forgotten about.

Since May, Google has received 91,000 delisting requests regarding 328,000 links to Web addresses. Of those, it’s granted over half of the requests, rejected just over 30% and asked for more information on 15%.

The ECJ ruling was based on a case brought against Google by a Spanish postman, so it’s perhaps inevitable that Google has become the firm most closely identified with the ruling in the public consciousness. Certainly Microsoft and Yahoo! report having received far, far fewer request so far.

But having put in place the ruling, the ECJ’s work is done. It’s now down to Google and others to work out how the instruction is supposed to work in practice  - and the trouble is, that's very much open to interpretation.

Google's quiet rebellion

That was the reason for the European Commission’s Article 29 Working Party (A29WP) which looks after data protection and privacy policies, summoning the three firms in front of it last week to fire off a total of 26 questions, 6 of which they had to come up with responses to on the spot.

The grilling was driven by CNIL, the French data protection authority, which has taken a particularly hard line on interpreting the ruling and how it needs to be enforced.

For its part Google has been complying with the ruling, but appears to have been quietly undermining it as far as it possibly can as well. For example, it insists on only removing links from searches through its EU domains, not Google.com.

For the more zealous Eurocrats, this is not good enough as the entire ECJ ruling’s impact can be negated just by using the US web site to perform the search.

As such there are now ludicrous demands being vocalised that the US site needs to fall in line with a controversial ruling from a European court with no jurisdiction over US legislation.

But zealotry knows no borders when it comes to a European official demanding the US puts its digital house in order.


RELATED STORIES: 


Equally unpopular among the privacy commissars of Europe is Google’s practice of telling media when it removes links to some stories. With the ruling incredibly unpopular among the media for obvious reasons, this has resulted in the link removal becoming a story in its own right, thus throwing a spotlight onto something that was intended to be shoved into expedient darkness. There’s even a website, hiddenbygoogle, that lists all such examples.

This is completely legal and not forbidden by the terms of the ECJ ruling, but it’s sending the data commissars into paroxysms of self-righteous indignation. Billy Hawkes, Data Protection Commissioner in Ireland, which usually takes a pragmatic, soft touch on such matters, complained last week:

The more they do so, it means the media organization republishes the information and so much for the right to be forgotten.There is an issue there.

That’s the kind of comment that you’d more likely expect to hear from Germany, where data privacy paranoia is hardwired into the national psyche. Johannes Caspar, the data regulator for the German state of Hamburg, has been vocal about his disapproval of what Google’s been doing:

The current implementation process partly undermines the right to be forgotten.

Given that the UK government has already committed itself to getting the ruling over-turned, it’s hugely disappointing to see that that UK Information Commissioner’s Office, is taking a disappointingly bureaucratic line on all this.

Information Commissioner Christopher Graham told the BBC:

The polluter pays, the polluter should clear up.

Google is a massive commercial organisation making millions and millions out of processing people's personal information. They're going to have to do some tidying up. They won't do all the tidying up that some people might like, because if you embarrass yourself there's not much you can do about it. A good policy is not to embarrass yourself in the first place.

All this talk about rewriting history and airbrushing embarrassing bits from your past - this is nonsense, that's not going to happen.

Gesture politics

Little of real consequence emerged from last week’s meeting other than some posturing on the international stage and the chance to give some US tech firms a dressing down. To that extent, this was something of a show trial with questions fired from the European Commission’s bully pulpit.

Isabelle Falque-Pierrotin, head of France’s data-protection authority, and chairman of A29WP, insisted it was all just an information gathering exercise, although given that the questions posed in the main require written responses, the need for everyone to be in a room together is unclear:

We didn’t tell the search engines to do anything. We were gathering information. The goal was to help inform our decision on the guidelines.


 WHAT EUROPE WANTS TO KNOW

ORAL QUESTIONS FROM A29WP

  • What information do you request from a data subject prior to considering a delisting request e.g. URLs, justification? Do you ask further motivation from the data subjects to substantiate their request?
  • Do you filter out some requests based on the location, nationality, or place of residence of the data subject? If so, what is the legal basis for excluding such requests?
  • Do you delist results displayed following a search nly on EU / EEA domains; on all domains pages accessible from the EU / EEA or by EU/EEA residents?; on all domains on a global basis?
  • What criteria do you use to balance your economic interest and/or the interest of the general public in having access to that information versus the right of the data subject to have search results delisted?
  • What explanations / grounds do you provide to data subjects to justify a refusal to delist certain URLs?
  • Do you notify website publishers of delisting? In that case, which legal basis do you have to notify website publishers?

QUESTIONS DEMANDING WRITTEN RESPONSE BY 7/31/2014

  • Do you provide proper information about the delisting process on an easily accessible webpage? Have you developed a help center explaining how to submit a delisting claim?
  • Can data subjects request delisting only using the electronic form that you provide, or can other means be used?
  • Can data subjects request delisting in their own language?
  • If you filter out some requests based on the location, nationality, or place of residence, what kind of information must be provided by the data subject in order to prove his nationality and / or place of residence?
  • Do you ask for a proof of identify or some other form of authentication and if yes, what kind? For what reason? What safeguards do you put in place to protect any personal data that you process for the purpose of processing delisting requests?
  • Do you accept general claims for delisting (e.g. delist all search results linking to a news report)?
  • When you decide to accept a delisting request, what information do you actually delist? Do you ever permanently delist hyperlinks in response to a removal request, as opposed to delisting?
  • Do you delist search results based only on the name of the data subject or also in combination of the name with another search term (i.e. Costeja and La Vanguardia)
  • How do you treat removal requests with regard to hyperlinks to pages that do not (no longer) contain the name of the data subject? [Examples: hyperlink to anonymised ruling, hyperlink to page where name of data subject was removed]. Do you immediately recrawl the sites after a removal request?
  • Does your company refuse requests when the data subject was the author of the information he/she posted himself/herself on the web? If so, what is the basis for refusing such requests?
  • Do you have any automated process defining if a request is accepted or refused?
  • What technical solution do you use to ensure that links to material to which a removal agreement applies are not shown in the search results?
  • Which of your services do you consider delisting requests to be relevant to?
  • Do you notify users through the search results’ page information that some results have been removed according to EU law? In that case, which is the legal basis for this? What is the exact policy? In particular, it appears that this notice is sometimes displayed even in the absence of removal requests by data subjects. Can you confirm or exclude that this is actually the case and, if so, could you elaborate on the applicable criteria?
  • Have you considered sharing delisted search results with other search engines providers?
  • What is the average time to process the requests?
  •  What statistics can you share at this stage (percentage of requests accepted / partially accepted / refused)? How many have you answered in total? How many per day?
  • Will you create a database of all removal requests or removal agreements?
  • What particular problems have you faced when implementing the Court’s ruling? Are there particular categories of requests that pose specific problems?
  • Could you please provide us with contact details in case we need to exchange on a specific case?

The answers to those questions will be put into the melting point and we can expect to see some pan-European guidelines coming out from A29WP in late September/early October. Whether these contain a futile attempt to extend the ruling’s remit to US web sites remains to be seen, but it’s entirely possible that with the change of European Commission commissioners due in September, that some gesture politics along those lines might well happen.

Jimmy-Wales
Jimmy Wales

Meanwhile Wikipedia founder Jimmy Wales has once again weighed in against the right to be forgotten, describing it as:

a very dangerous path to go down, and if we want to go down a path where we are going to be censoring history, there is no way we should leave a private company like Google in charge of making those decisions.

There is a sense that one of the big philosophical problems with the approach that has been taken is that the idea of personal data is so broad under European law, almost anything about a person is considered to be personal data - including that the Prime Minister is married; that is personal data about the Prime Minister.

What we need to do when we talk about protection of consumers... we talk about companies having information and needing to handle it in an appropriate way - we are talking there about private information, your health records, your financial information. That's a completely different category.

Wales’s common sense approach may find its way into the UK government’s position on the ECJ ruling, but unfortunately it’s unlikely to find favour in other parts of the EU where taking a tough line on Google is seen as politically advantageous.

Hence why Google has been given 18 months by the Italian data regulator to change how it handles and stores user data after Google consolidated 60 of its privacy policies into one all-encompassing policy, covering everything from YouTube through Gmail to Google Search. Users were not given the ability to opt out of the consolidation.

Under the Italian requirements, users would have to grant permission before the firm creates a profile on them, and Google has to respect requests to delete data within two months (with an additional six months to remove the content from backups). Google will also have to inform users that the profiles it creates on them are for commercial purposes.

My take

Ridiculous posturing by the European Commission built on the shaky platform of a bad judgement by the ECJ - a recipe for disaster all round.

Please listen to Jimmy Wales! (A plea almost as futile as the inevitable demands to the US government to force Google.com to adhere to European law will be!)