Feeds

If Google remembers whom it has forgotten, has it complied with the ECJ judgment?

Riddle me this, Batman

Build a business case: developing custom apps

Comment Google has received all kinds of plaudits for quickly introducing its “right to be forgotten” procedure. However, from what I have read in the press, its procedure for the removal of URLs is not fit for purpose.

Google’s procedure appears to be defective. For the sake of argument, let’s assume that you want to have a URL removed for whatever reason. As I've explained previously, this will engage a balance between freedom of expression and privacy; it is not an automatic removal of links as is still commonly asserted.

Google’s “right to be forgotten” form (which is actually a right to object form) is fairly straightforward (see here). It asks for your photo identity (to make sure the data subject is completing the form); contact email address (eg, to tell you of the outcome of your request); the country where you live (to identify which country’s Data Protection Act applies); the URL(s) to which you object; and an explanation of why you find each “URL in search results is irrelevant, outdated, or otherwise inappropriate”.

As an aside, an inference from the above is the possibility that Google might not be offering its URL removal procedure to US citizens who apply for URL links to be removed by European Google companies.

As readers know, the definition of "data subject" depends on whether the applicant is alive and not on his or her nationality (ie, European data protection law is not limited to European data subjects). Google should be asked, for example, the extent to which the procedure is open to US citizens.

Google says on the form that before making a decision, it will balance your interests in having an URL removed (ie, your privacy) versus the right of the public to know the information (ie, keep a URL).

When do you call the Commish?

As a data controller, Google will come to a decision about the URL you want removed. If that decision goes against you, you will have to ask the Information Commissioner for an assessment under Section 42 of the Data Protection Act. However, if Google UK accepts your request, your URL will be removed from all Google companies in any EEA state. However, this means that the URL will be accessible from Google.com which is based in the USA.

I have been unable to find any indication of whether or not Google intends to retain a record of any removed URL against the data subject’s name (eg, stored in the US at Google.com); someone should seek clarification from Google as to the position here.

However, Google’s form goes further: it says that “we may inform webmaster(s) whose content is removed from our search results as a result of your complaint”. In other words, Google’s implementation of your right to be forgotten includes the functionality of Google remembering that that you exercised the right to be forgotten.

Indeed a Google spokesperson told “Search Engine Land”* that:

To be very clear about this: if someone asks for a URL to be removed from the listings for their name, and that’s approved, the URL will go away — but anyone who looks at the bottom of the result will know that they must have asked for something to be removed.

It’s also likely that Google will provide a link to ChillingEffects.org, as it does with many other types of censorship requests, where people can learn more about what is removed. Names wouldn’t be revealed, though those can be deducted from the search. The URLs taken-down probably wouldn’t be revealed. But it’s possible there would be some general explanation about what was removed or maybe why something was removed.

To get an idea of what this means, please open another tab and Google “Frozen movie”. In the UK, you will see Google provides a comment on several pages (from page 2) that “In response to a complaint we received under the US Digital Millennium Copyright Act (DMCA), we have removed 1 result(s) from this page. If you wish, you may read the DMCA complaint that caused the removal(s) at ChillingEffects.org”.

In other words, if someone searched for an individual in the UK, Google’s search results under its procedure to comply with the ECJ ruling could include a statement that is something like: “In response to a complaint, we have removed some links”. This is a message to the searcher to go to Google.com site in the USA, and repeat the search on the data subject to obtain the links that have removed from Google’s European companies.

Clearly, therefore, a data subject who wants to be forgotten is not even half-forgotten. Indeed, if there exists a flag that says the data subject wanted to be forgotten then this might be more damaging (eg, to the data subject’s employment prospects) than a URL that the data subject wants removed. After all, some employers will argue there is no smoke without fire and won’t take an employment risk.

This may be the case even if the data subject who requested the URL removal shares his name with other individuals. In this way, individuals with the same name as the data subject who used Google's procedure could be impacted.

So back to a question that should be asked of Google, namely: “Is the above kind of avoidance procedure Google’s deliberate intent?”.

If the procedure is intentional, Google has not complied with the spirit of the judgment (the message radiating from all the press plaudits); instead it has given the proverbial two fingers to Europe’s highest Court and arranged procedures to evade its judgment. So much for the rule of law, eh?

Google has been in the forefront of complaints about the NSA in light of the Snowden revelations and the need for a communications data retention law in the USA that applies to the rest of the world. It would undermine its stance completely if Google were now to argue that one law for retention of URLs applies in Europe and another in the rest of the world.

References:

Google’s right to object form

*Detailed write-up of Google’s procedure

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Build a business case: developing custom apps

More from The Register

next story
Just TWO climate committee MPs contradict IPCC: The two with SCIENCE degrees
'Greenhouse effect is real, but as for the rest of it ...'
Adam Afriyie MP: Smart meters are NOT so smart
Mega-costly gas 'n' 'leccy totting-up tech not worth it - Tory MP
'Blow it up': Plods pop round for chat with Commonwealth Games tweeter
You'd better not be talking about the council's housing plans
Arrr: Freetard-bothering Digital Economy Act tied up, thrown in the hold
Ministry of Fun confirms: Yes, we're busy doing nothing
ONE EMAIL costs mining company $300 MEEELION
Environmental activist walks free after hoax sent share price over a cliff
Help yourself to anyone's photos FOR FREE, suggests UK.gov
Copyright law reforms will keep m'learned friends busy
Apple smacked with privacy sueball over Location Services
Class action launched on behalf of 100 million iPhone owners
UK government officially adopts Open Document Format
Microsoft insurgency fails, earns snarky remark from UK digital services head
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.