Google’s digital policy pantomime on the theme of Europe’s so-called
‘Right To Be Forgotten’ (rtbf) ruling has delivered its
final conclusions, with the publication of a report by the Google-appointed and Google-styled “Advisory Council”, following a series of Google-arranged public debates last year.
The Google-led report had been expected last month, so it has not been delivered without any humps. There was disagreement among some Council members on what conclusions they should draw — so even Google’s chosen few did not entirely align with Google’s view. But in the end the group went with a majority view to resolve its sticking points.
Quick catch up here: the rtbf refers to a right, under European privacy and data protection law, for private individuals to request that particular search engine results are delisted when a name-search is performed, and when the information they wish to be delisted is old, outdated or irrelevant. The ruling requires that search engines also weigh up any public interest in finding the information. Where there is a public interest, a delisting request should be denied. NB: the source content itself is not removed from the Internet — this is purely about delisting search engine links that are associated with a search for a private individual’s name. Europe’s top court, the European Court of Justice (ECJ), handed down the judgement that search engines are data controllers in May last year.
The Council’s report includes a series of (entirely non-binding, non-legal) recommendations for how the group of (mostly) non-Google staff, who have expertise in areas such as data protection, media law, philosophy and ethics, believe Google should be proceeding in implementing the ECJ ruling at this point. A full list of the Council members can be found here.
It’s unclear how much input Google itself has had into the contents of the report — the group claims the document as its own. However the public evidence sessions held by the Council last year were organized by Google, and included participation from high-profile Google executives such as Eric Schmidt and its chief legal officer David Drummond — and they are listed by the report as “convenors”. So it seems unlikely there has been no back-and-forth between the Google-appointed group and the company which conjured it into being. In any case, the theatrical gesture of convening an “Advisory Council” was entirely manufactured by Google to try to shape the debate around a European legal ruling that it does not like.
The report also reiterates what the rtbf actually is and isn’t — noting for instance that it does not in fact, despite its colloquial moniker, confer a general ‘right to be forgotten’. A final portion of the document summarizes some alternative ideas and technical proposals for adjudicating and assisting the rtbf implementation that were put forward by individuals asked to submit views to the Council last year as part of the process of it formulating its advice.
The Council’s “key” five procedural suggestions are:
Google has continued to only delist on European sub-domains, not on Google.com — despite specific guidelines issued by European privacy regulators in November specifying that it should delist from Google.com too in order to prevent a trivial bypass of the law. So the Council is aligning with Google’s position here, setting itself against the European data protection regulators’ view — although it does also note that implementing the ruling on Google.com would comprise a more “absolute protection” of individuals’ privacy rights.
However the Council view here is only a “majority” conclusion. One clear dissenting voice is German MP, Sabine Leutheusser-Schnarrenberger, who sets out her disagreements within the report in a section reserved for individual Council members’ comments.
She writes:
Mountain View is no stranger to regulatory fights in Europe so may well seek to drag its heels on rtbf extraterritoriality to see how much appetite individual E.U. Member States’ data protection authorities have for another fight on an issue that is complex and can be spun as legally overreaching — as Europe trying to impose its laws on the rest of the world.
A spokeswoman for the European Commission confirmed to TechCrunch it will be up to Member States to ensure Google complies with the law. “It goes without saying that the Court of Justice ruling will have to be respected. The Article 29 working group’s guidelines from last November are designed to guarantee the uniform implementation of the ruling across Europe. It remains under the responsibility of Member States through their national data protection authorities to ensure the proper application of data protection rules,” she said.
A Google spokesperson provided TechCrunch with the following bland statement on global removals, with no change evident in its implementation position as yet: “We’ve been working hard to strike the right balance in implementing the European court’s ruling. We think it’s important to be transparent about removals, whilst also protecting individual privacy, and we’re applying the ruling across the whole of Europe.”
France’s CNIL, for one, is sharpening its claws for a fight with Google. Gwendal Le Grand, director of technology and innovation at the French data protection authority, told TechCrunch: “EU law cannot be circumvented”, and went on to reiterate the guidelines published by the Article 29 working party last November. “This is where we stand as data protection authorities. And we hope that the search engines are going to comply with this,” he said.
“We can give injunctions and sanctions,” he added. “What is clear in the court ruling is that the delisting has to be effective for all these extensions [i.e. dot-com and the European sub-domains]. This is what we said at the Article 29 level. In the case of Google, since they have a worldwide processing of personal data through the search engine, and that a search engine can be accessed through different paths, if you want, using these different extensions, it means that we will request worldwide delisting in the case of the French data protection authority.
“The enforcement is at national level so as far as the French data protection authority is concerned, this is what we will request from Google… Google is free to have its own interpretation but at the end of the day the court has recognized that the authorities have a controlling power over the decisions made by the search engines and if they don’t comply with the court ruling we can request them to comply with the ruling, and we have powers at a national level for that — including penalties.”
The U.K.’s ICO is more circumspect at this point. It told TechCrunch the extraterritoriality question is a complex issue and said it is still weighing up its position.
“This is a complicated issue, both legally and technically,” said an ICO spokesman. “Clearly it is important that any search result that is delisted is done so effectively, but the demand on a search engine to do this is placed under European law, which brings some limitations. We’ve been working on getting greater clarity on this since the Article 29 guidance was published, and it is likely to be a topic for further discussion with our European counterparts and the search engines. We have not confirmed our final position at this stage.”
Asked about media outlets’ publication of rtbf takedown notices — which has had the effect, as noted above, of drawing more attention to the information at the moment when an individual is trying to exercise their privacy rights — CNIL’s Le Grand suggested that data protection authorities will be taking action on that too, and added there is “no legal basis” for Google to be routinely informing publishers of delisting requests (as it is doing now).
“It’s a way to circumvent your action,” he noted. “Once again the basis for this, the fact that we explain there should be no circumvention of the decision, and there is no legal basis for routine communication [by Google] to websites’ editors under EU data protection law. So this makes it pretty clear. If I publish the list of requests that I received and the rationale for the requests and things like this it’s not in line with the [ECJ] decision.”
Update 2: Google has now provided the following statement from its chief legal officer, David Drummond, via email: “It’s been valuable to hear a wide range of viewpoints in recent months across Europe and we’ll carefully consider this report. We’re also looking closely at the guidance given by Europe’s data protection authorities as we continue to work on our compliance with the CJEU ruling.”
The Google-led report had been expected last month, so it has not been delivered without any humps. There was disagreement among some Council members on what conclusions they should draw — so even Google’s chosen few did not entirely align with Google’s view. But in the end the group went with a majority view to resolve its sticking points.
Quick catch up here: the rtbf refers to a right, under European privacy and data protection law, for private individuals to request that particular search engine results are delisted when a name-search is performed, and when the information they wish to be delisted is old, outdated or irrelevant. The ruling requires that search engines also weigh up any public interest in finding the information. Where there is a public interest, a delisting request should be denied. NB: the source content itself is not removed from the Internet — this is purely about delisting search engine links that are associated with a search for a private individual’s name. Europe’s top court, the European Court of Justice (ECJ), handed down the judgement that search engines are data controllers in May last year.
The Council’s report includes a series of (entirely non-binding, non-legal) recommendations for how the group of (mostly) non-Google staff, who have expertise in areas such as data protection, media law, philosophy and ethics, believe Google should be proceeding in implementing the ECJ ruling at this point. A full list of the Council members can be found here.
It’s unclear how much input Google itself has had into the contents of the report — the group claims the document as its own. However the public evidence sessions held by the Council last year were organized by Google, and included participation from high-profile Google executives such as Eric Schmidt and its chief legal officer David Drummond — and they are listed by the report as “convenors”. So it seems unlikely there has been no back-and-forth between the Google-appointed group and the company which conjured it into being. In any case, the theatrical gesture of convening an “Advisory Council” was entirely manufactured by Google to try to shape the debate around a European legal ruling that it does not like.
Google-led report toes Google’s line
The report itself is relatively brief, and highlights five “key” procedural elements, as the group sees it, with advice/recommendations for how Google should proceed on each of these points. Its full five suggestions are summarized by me (below). The Council also lists criteria it believes Google should use to weigh delisting requests such as any public role a requester has, and the types of information the group thinks should bias towards privacy (such as the information being false; pertaining to a person’s sex life; being personal contact information such as their address and phone number; or the data subject being a minor), and towards public interest (such as the information being true; or relating to political or religious discourse; or to public or consumer health; or relating to criminal activity; or being what they term “integral to the historical record”, or to scientific inquiry or artistic expression).The report also reiterates what the rtbf actually is and isn’t — noting for instance that it does not in fact, despite its colloquial moniker, confer a general ‘right to be forgotten’. A final portion of the document summarizes some alternative ideas and technical proposals for adjudicating and assisting the rtbf implementation that were put forward by individuals asked to submit views to the Council last year as part of the process of it formulating its advice.
The Council’s “key” five procedural suggestions are:
- Improve the structure of the delisting form — the Council says the structure of Google’s online form where Europeans can make delisting requests should be improved in order to ensure enough information is being provided by individuals for their requests to be balanced against any public interest considerations, and they detail the specific pieces of information they believes the form should ask for
- Notify content publishers about delisting requests where lawful to do so – the Council comes down in support of Google notifying webmasters of delisting requests that affect their content “to the extent allowed by the law”. (This is something of a fudge position on the part of the Council, given that where media outlets have been republishing details of content affected by delisting requests they are effectively reversing the sought for obscurity by generating increased publicity — thereby undoing the impact of the law.) The Council also suggests that in complex cases it may be appropriate for Google to liaise with content publishers prior to making a delisting decision, in order to help it come to a decision
- Allow publishers to challenge delisting decisions — the Council notes that individuals have a legal right to challenge Google if it denies their delisting request (via appeal to court or local data protection authority), and suggests that publishers should also have the means to challenge “improper delistings” before a data protection authority or similar public body because “delisting affects the rights and interests of publishers”
- Continue implementing delisting only on European subdomains — as noted in more detail below, the majority view of the Council sides with Google’s position on the extraterritoriality question, arguing that there are “competing interests that outweigh the additional protection afforded to the data subject” — such as on the part of web users outside Europe and outside the scope of European law in accessing the delisted information. The group also expresses concern as to setting a precedent that it suggests could be appropriated by repressive regimes to justify online censorship — covering similar ground to arguments previously made by Wikimedia’s Jimmy Wales, who is also one of the Council members
- Ensure individual delisting requests cannot be trivially discerned via search result notices, while also increasing public transparency around search engines’ decision making processes for delisting — in a section on transparency, the report does not take a firm stance for or against search engines generally notifying users that a name-search result might lack ‘completeness’ (as Google does now by displaying notifications at the bottom of search results for real names), except to specify that such notifications should not enable individual requests to be identified. The Council does call for more transparency generally when it comes to delisting data, processes and the criteria used by search engines to evaluate decisions — again specifying this should be achieved without referring to any individual decisions. It recommends Google makes public its own guidelines on the types of requests “likely to be honored”, along with anonymized statistics about decisions “so that data subjects can weigh the benefits of submitting the request”.
The Google.com workaround
The most high-profile issue the Council has chosen to focus on is the question of extraterritoriality. Aka whether delistings should take place on Google.com, as well as on Google’s European sub-domains. Google’s Schmidt commented on this in public last October, at one of the Council’s public meetings, and the report regurgitates much of what he said.Google has continued to only delist on European sub-domains, not on Google.com — despite specific guidelines issued by European privacy regulators in November specifying that it should delist from Google.com too in order to prevent a trivial bypass of the law. So the Council is aligning with Google’s position here, setting itself against the European data protection regulators’ view — although it does also note that implementing the ruling on Google.com would comprise a more “absolute protection” of individuals’ privacy rights.
However the Council view here is only a “majority” conclusion. One clear dissenting voice is German MP, Sabine Leutheusser-Schnarrenberger, who sets out her disagreements within the report in a section reserved for individual Council members’ comments.
She writes:
According to my opinion the removal request comprises all domains, and must not be limited to EU-domains. This is the only way to implement the Court`s ruling, which implies a complete and effective protection of data subjects` rights. The internet is global, the protection of the user`s rights must also be global. Any circumvention of these rights must be prevented. Since EU – residents are able to research globally the EU is authorized to decide that the search engine has to delete all the links globally. So far I share the guidelines published by Article 29 Data Protection Working Party.The full report — including Leutheusser-Schnarrenberger’s other objections — can be read here.
What European law requires
Regardless of the report’s majority recommendations that Google thumb its nose at European law, it remains to be seen whether the company will do so (we’ve asked Google whether it intends to extent search delisting decisions to Google.com and will update this story with any response. Update: see statements below). The Advisory Council has no special powers here, beyond the ability (Google hopes) to anoint Google’s position with a little self-selected outsider expertise — and thus apply pressure to regulatory bodies which will be the ones tasked with reining Google in.Mountain View is no stranger to regulatory fights in Europe so may well seek to drag its heels on rtbf extraterritoriality to see how much appetite individual E.U. Member States’ data protection authorities have for another fight on an issue that is complex and can be spun as legally overreaching — as Europe trying to impose its laws on the rest of the world.
A spokeswoman for the European Commission confirmed to TechCrunch it will be up to Member States to ensure Google complies with the law. “It goes without saying that the Court of Justice ruling will have to be respected. The Article 29 working group’s guidelines from last November are designed to guarantee the uniform implementation of the ruling across Europe. It remains under the responsibility of Member States through their national data protection authorities to ensure the proper application of data protection rules,” she said.
A Google spokesperson provided TechCrunch with the following bland statement on global removals, with no change evident in its implementation position as yet: “We’ve been working hard to strike the right balance in implementing the European court’s ruling. We think it’s important to be transparent about removals, whilst also protecting individual privacy, and we’re applying the ruling across the whole of Europe.”
France’s CNIL, for one, is sharpening its claws for a fight with Google. Gwendal Le Grand, director of technology and innovation at the French data protection authority, told TechCrunch: “EU law cannot be circumvented”, and went on to reiterate the guidelines published by the Article 29 working party last November. “This is where we stand as data protection authorities. And we hope that the search engines are going to comply with this,” he said.
“We will request worldwide delisting”
“In France for sure we will request delisting on all the relevant domains including the dot-com. And we have a certain number of powers in the French law to request this from Google so we will use those powers if Google does not comply with this guidance.”“We can give injunctions and sanctions,” he added. “What is clear in the court ruling is that the delisting has to be effective for all these extensions [i.e. dot-com and the European sub-domains]. This is what we said at the Article 29 level. In the case of Google, since they have a worldwide processing of personal data through the search engine, and that a search engine can be accessed through different paths, if you want, using these different extensions, it means that we will request worldwide delisting in the case of the French data protection authority.
“The enforcement is at national level so as far as the French data protection authority is concerned, this is what we will request from Google… Google is free to have its own interpretation but at the end of the day the court has recognized that the authorities have a controlling power over the decisions made by the search engines and if they don’t comply with the court ruling we can request them to comply with the ruling, and we have powers at a national level for that — including penalties.”
The U.K.’s ICO is more circumspect at this point. It told TechCrunch the extraterritoriality question is a complex issue and said it is still weighing up its position.
“This is a complicated issue, both legally and technically,” said an ICO spokesman. “Clearly it is important that any search result that is delisted is done so effectively, but the demand on a search engine to do this is placed under European law, which brings some limitations. We’ve been working on getting greater clarity on this since the Article 29 guidance was published, and it is likely to be a topic for further discussion with our European counterparts and the search engines. We have not confirmed our final position at this stage.”
Asked about media outlets’ publication of rtbf takedown notices — which has had the effect, as noted above, of drawing more attention to the information at the moment when an individual is trying to exercise their privacy rights — CNIL’s Le Grand suggested that data protection authorities will be taking action on that too, and added there is “no legal basis” for Google to be routinely informing publishers of delisting requests (as it is doing now).
“It’s a way to circumvent your action,” he noted. “Once again the basis for this, the fact that we explain there should be no circumvention of the decision, and there is no legal basis for routine communication [by Google] to websites’ editors under EU data protection law. So this makes it pretty clear. If I publish the list of requests that I received and the rationale for the requests and things like this it’s not in line with the [ECJ] decision.”
Update 2: Google has now provided the following statement from its chief legal officer, David Drummond, via email: “It’s been valuable to hear a wide range of viewpoints in recent months across Europe and we’ll carefully consider this report. We’re also looking closely at the guidance given by Europe’s data protection authorities as we continue to work on our compliance with the CJEU ruling.”