Feeds

If Google remembers whom it has forgotten, has it complied with the ECJ judgment?

Riddle me this, Batman

Security for virtualized datacentres

Comment Google has received all kinds of plaudits for quickly introducing its “right to be forgotten” procedure. However, from what I have read in the press, its procedure for the removal of URLs is not fit for purpose.

Google’s procedure appears to be defective. For the sake of argument, let’s assume that you want to have a URL removed for whatever reason. As I've explained previously, this will engage a balance between freedom of expression and privacy; it is not an automatic removal of links as is still commonly asserted.

Google’s “right to be forgotten” form (which is actually a right to object form) is fairly straightforward (see here). It asks for your photo identity (to make sure the data subject is completing the form); contact email address (eg, to tell you of the outcome of your request); the country where you live (to identify which country’s Data Protection Act applies); the URL(s) to which you object; and an explanation of why you find each “URL in search results is irrelevant, outdated, or otherwise inappropriate”.

As an aside, an inference from the above is the possibility that Google might not be offering its URL removal procedure to US citizens who apply for URL links to be removed by European Google companies.

As readers know, the definition of "data subject" depends on whether the applicant is alive and not on his or her nationality (ie, European data protection law is not limited to European data subjects). Google should be asked, for example, the extent to which the procedure is open to US citizens.

Google says on the form that before making a decision, it will balance your interests in having an URL removed (ie, your privacy) versus the right of the public to know the information (ie, keep a URL).

When do you call the Commish?

As a data controller, Google will come to a decision about the URL you want removed. If that decision goes against you, you will have to ask the Information Commissioner for an assessment under Section 42 of the Data Protection Act. However, if Google UK accepts your request, your URL will be removed from all Google companies in any EEA state. However, this means that the URL will be accessible from Google.com which is based in the USA.

I have been unable to find any indication of whether or not Google intends to retain a record of any removed URL against the data subject’s name (eg, stored in the US at Google.com); someone should seek clarification from Google as to the position here.

However, Google’s form goes further: it says that “we may inform webmaster(s) whose content is removed from our search results as a result of your complaint”. In other words, Google’s implementation of your right to be forgotten includes the functionality of Google remembering that that you exercised the right to be forgotten.

Indeed a Google spokesperson told “Search Engine Land”* that:

To be very clear about this: if someone asks for a URL to be removed from the listings for their name, and that’s approved, the URL will go away — but anyone who looks at the bottom of the result will know that they must have asked for something to be removed.

It’s also likely that Google will provide a link to ChillingEffects.org, as it does with many other types of censorship requests, where people can learn more about what is removed. Names wouldn’t be revealed, though those can be deducted from the search. The URLs taken-down probably wouldn’t be revealed. But it’s possible there would be some general explanation about what was removed or maybe why something was removed.

To get an idea of what this means, please open another tab and Google “Frozen movie”. In the UK, you will see Google provides a comment on several pages (from page 2) that “In response to a complaint we received under the US Digital Millennium Copyright Act (DMCA), we have removed 1 result(s) from this page. If you wish, you may read the DMCA complaint that caused the removal(s) at ChillingEffects.org”.

In other words, if someone searched for an individual in the UK, Google’s search results under its procedure to comply with the ECJ ruling could include a statement that is something like: “In response to a complaint, we have removed some links”. This is a message to the searcher to go to Google.com site in the USA, and repeat the search on the data subject to obtain the links that have removed from Google’s European companies.

Clearly, therefore, a data subject who wants to be forgotten is not even half-forgotten. Indeed, if there exists a flag that says the data subject wanted to be forgotten then this might be more damaging (eg, to the data subject’s employment prospects) than a URL that the data subject wants removed. After all, some employers will argue there is no smoke without fire and won’t take an employment risk.

This may be the case even if the data subject who requested the URL removal shares his name with other individuals. In this way, individuals with the same name as the data subject who used Google's procedure could be impacted.

So back to a question that should be asked of Google, namely: “Is the above kind of avoidance procedure Google’s deliberate intent?”.

If the procedure is intentional, Google has not complied with the spirit of the judgment (the message radiating from all the press plaudits); instead it has given the proverbial two fingers to Europe’s highest Court and arranged procedures to evade its judgment. So much for the rule of law, eh?

Google has been in the forefront of complaints about the NSA in light of the Snowden revelations and the need for a communications data retention law in the USA that applies to the rest of the world. It would undermine its stance completely if Google were now to argue that one law for retention of URLs applies in Europe and another in the rest of the world.

References:

Google’s right to object form

*Detailed write-up of Google’s procedure

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

New hybrid storage solutions

More from The Register

next story
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Show us your Five-Eyes SECRETS says Privacy International
Refusal to disclose GCHQ canteen menus and prices triggers Euro Human Rights Court action
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Heavy VPN users are probably pirates, says BBC
And ISPs should nab 'em on our behalf
Former Bitcoin Foundation chair pleads guilty to money-laundering charge
Charlie Shrem plea deal could still get him five YEARS in chokey
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.