Feeds

If Google remembers whom it has forgotten, has it complied with the ECJ judgment?

Riddle me this, Batman

Top 5 reasons to deploy VMware with Tegile

Comment Google has received all kinds of plaudits for quickly introducing its “right to be forgotten” procedure. However, from what I have read in the press, its procedure for the removal of URLs is not fit for purpose.

Google’s procedure appears to be defective. For the sake of argument, let’s assume that you want to have a URL removed for whatever reason. As I've explained previously, this will engage a balance between freedom of expression and privacy; it is not an automatic removal of links as is still commonly asserted.

Google’s “right to be forgotten” form (which is actually a right to object form) is fairly straightforward (see here). It asks for your photo identity (to make sure the data subject is completing the form); contact email address (eg, to tell you of the outcome of your request); the country where you live (to identify which country’s Data Protection Act applies); the URL(s) to which you object; and an explanation of why you find each “URL in search results is irrelevant, outdated, or otherwise inappropriate”.

As an aside, an inference from the above is the possibility that Google might not be offering its URL removal procedure to US citizens who apply for URL links to be removed by European Google companies.

As readers know, the definition of "data subject" depends on whether the applicant is alive and not on his or her nationality (ie, European data protection law is not limited to European data subjects). Google should be asked, for example, the extent to which the procedure is open to US citizens.

Google says on the form that before making a decision, it will balance your interests in having an URL removed (ie, your privacy) versus the right of the public to know the information (ie, keep a URL).

When do you call the Commish?

As a data controller, Google will come to a decision about the URL you want removed. If that decision goes against you, you will have to ask the Information Commissioner for an assessment under Section 42 of the Data Protection Act. However, if Google UK accepts your request, your URL will be removed from all Google companies in any EEA state. However, this means that the URL will be accessible from Google.com which is based in the USA.

I have been unable to find any indication of whether or not Google intends to retain a record of any removed URL against the data subject’s name (eg, stored in the US at Google.com); someone should seek clarification from Google as to the position here.

However, Google’s form goes further: it says that “we may inform webmaster(s) whose content is removed from our search results as a result of your complaint”. In other words, Google’s implementation of your right to be forgotten includes the functionality of Google remembering that that you exercised the right to be forgotten.

Indeed a Google spokesperson told “Search Engine Land”* that:

To be very clear about this: if someone asks for a URL to be removed from the listings for their name, and that’s approved, the URL will go away — but anyone who looks at the bottom of the result will know that they must have asked for something to be removed.

It’s also likely that Google will provide a link to ChillingEffects.org, as it does with many other types of censorship requests, where people can learn more about what is removed. Names wouldn’t be revealed, though those can be deducted from the search. The URLs taken-down probably wouldn’t be revealed. But it’s possible there would be some general explanation about what was removed or maybe why something was removed.

To get an idea of what this means, please open another tab and Google “Frozen movie”. In the UK, you will see Google provides a comment on several pages (from page 2) that “In response to a complaint we received under the US Digital Millennium Copyright Act (DMCA), we have removed 1 result(s) from this page. If you wish, you may read the DMCA complaint that caused the removal(s) at ChillingEffects.org”.

In other words, if someone searched for an individual in the UK, Google’s search results under its procedure to comply with the ECJ ruling could include a statement that is something like: “In response to a complaint, we have removed some links”. This is a message to the searcher to go to Google.com site in the USA, and repeat the search on the data subject to obtain the links that have removed from Google’s European companies.

Clearly, therefore, a data subject who wants to be forgotten is not even half-forgotten. Indeed, if there exists a flag that says the data subject wanted to be forgotten then this might be more damaging (eg, to the data subject’s employment prospects) than a URL that the data subject wants removed. After all, some employers will argue there is no smoke without fire and won’t take an employment risk.

This may be the case even if the data subject who requested the URL removal shares his name with other individuals. In this way, individuals with the same name as the data subject who used Google's procedure could be impacted.

So back to a question that should be asked of Google, namely: “Is the above kind of avoidance procedure Google’s deliberate intent?”.

If the procedure is intentional, Google has not complied with the spirit of the judgment (the message radiating from all the press plaudits); instead it has given the proverbial two fingers to Europe’s highest Court and arranged procedures to evade its judgment. So much for the rule of law, eh?

Google has been in the forefront of complaints about the NSA in light of the Snowden revelations and the need for a communications data retention law in the USA that applies to the rest of the world. It would undermine its stance completely if Google were now to argue that one law for retention of URLs applies in Europe and another in the rest of the world.

References:

Google’s right to object form

*Detailed write-up of Google’s procedure

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Facebook pays INFINITELY MORE UK corp tax than in 2012
Thanks for the £3k, Zuck. Doh! you're IN CREDIT. Guess not
Big Content outs piracy hotbeds: São Paulo, Beijing ... TORONTO?
MPAA calls Canadians a bunch of bootlegging movie thieves
Google Glassholes are UNDATEABLE – HP exec
You need an emotional connection, says touchy-feely MD... We can do that
Lawyers mobilise angry mob against Apple over alleged 2011 Macbook Pro crapness
We suffered 'random bouts of graphical distortion' - fanbois
Just don't blame Bono! Apple iTunes music sales PLUMMET
Cupertino revenue hit by cheapo downloads, says report
US court SHUTS DOWN 'scammers posing as Microsoft, Facebook support staff'
Netizens allegedly duped into paying for bogus tech advice
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
How to simplify SSL certificate management
Simple steps to take control of SSL certificates across the enterprise, and recommendations centralizing certificate management throughout their lifecycle.