Feeds

If Google remembers whom it has forgotten, has it complied with the ECJ judgment?

Riddle me this, Batman

Beginner's guide to SSL certificates

Comment Google has received all kinds of plaudits for quickly introducing its “right to be forgotten” procedure. However, from what I have read in the press, its procedure for the removal of URLs is not fit for purpose.

Google’s procedure appears to be defective. For the sake of argument, let’s assume that you want to have a URL removed for whatever reason. As I've explained previously, this will engage a balance between freedom of expression and privacy; it is not an automatic removal of links as is still commonly asserted.

Google’s “right to be forgotten” form (which is actually a right to object form) is fairly straightforward (see here). It asks for your photo identity (to make sure the data subject is completing the form); contact email address (eg, to tell you of the outcome of your request); the country where you live (to identify which country’s Data Protection Act applies); the URL(s) to which you object; and an explanation of why you find each “URL in search results is irrelevant, outdated, or otherwise inappropriate”.

As an aside, an inference from the above is the possibility that Google might not be offering its URL removal procedure to US citizens who apply for URL links to be removed by European Google companies.

As readers know, the definition of "data subject" depends on whether the applicant is alive and not on his or her nationality (ie, European data protection law is not limited to European data subjects). Google should be asked, for example, the extent to which the procedure is open to US citizens.

Google says on the form that before making a decision, it will balance your interests in having an URL removed (ie, your privacy) versus the right of the public to know the information (ie, keep a URL).

When do you call the Commish?

As a data controller, Google will come to a decision about the URL you want removed. If that decision goes against you, you will have to ask the Information Commissioner for an assessment under Section 42 of the Data Protection Act. However, if Google UK accepts your request, your URL will be removed from all Google companies in any EEA state. However, this means that the URL will be accessible from Google.com which is based in the USA.

I have been unable to find any indication of whether or not Google intends to retain a record of any removed URL against the data subject’s name (eg, stored in the US at Google.com); someone should seek clarification from Google as to the position here.

However, Google’s form goes further: it says that “we may inform webmaster(s) whose content is removed from our search results as a result of your complaint”. In other words, Google’s implementation of your right to be forgotten includes the functionality of Google remembering that that you exercised the right to be forgotten.

Indeed a Google spokesperson told “Search Engine Land”* that:

To be very clear about this: if someone asks for a URL to be removed from the listings for their name, and that’s approved, the URL will go away — but anyone who looks at the bottom of the result will know that they must have asked for something to be removed.

It’s also likely that Google will provide a link to ChillingEffects.org, as it does with many other types of censorship requests, where people can learn more about what is removed. Names wouldn’t be revealed, though those can be deducted from the search. The URLs taken-down probably wouldn’t be revealed. But it’s possible there would be some general explanation about what was removed or maybe why something was removed.

To get an idea of what this means, please open another tab and Google “Frozen movie”. In the UK, you will see Google provides a comment on several pages (from page 2) that “In response to a complaint we received under the US Digital Millennium Copyright Act (DMCA), we have removed 1 result(s) from this page. If you wish, you may read the DMCA complaint that caused the removal(s) at ChillingEffects.org”.

In other words, if someone searched for an individual in the UK, Google’s search results under its procedure to comply with the ECJ ruling could include a statement that is something like: “In response to a complaint, we have removed some links”. This is a message to the searcher to go to Google.com site in the USA, and repeat the search on the data subject to obtain the links that have removed from Google’s European companies.

Clearly, therefore, a data subject who wants to be forgotten is not even half-forgotten. Indeed, if there exists a flag that says the data subject wanted to be forgotten then this might be more damaging (eg, to the data subject’s employment prospects) than a URL that the data subject wants removed. After all, some employers will argue there is no smoke without fire and won’t take an employment risk.

This may be the case even if the data subject who requested the URL removal shares his name with other individuals. In this way, individuals with the same name as the data subject who used Google's procedure could be impacted.

So back to a question that should be asked of Google, namely: “Is the above kind of avoidance procedure Google’s deliberate intent?”.

If the procedure is intentional, Google has not complied with the spirit of the judgment (the message radiating from all the press plaudits); instead it has given the proverbial two fingers to Europe’s highest Court and arranged procedures to evade its judgment. So much for the rule of law, eh?

Google has been in the forefront of complaints about the NSA in light of the Snowden revelations and the need for a communications data retention law in the USA that applies to the rest of the world. It would undermine its stance completely if Google were now to argue that one law for retention of URLs applies in Europe and another in the rest of the world.

References:

Google’s right to object form

*Detailed write-up of Google’s procedure

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Beginner's guide to SSL certificates

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Simplify SSL certificate management across the enterprise
Simple steps to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.