ITsecurity
twitter facebook rss

European privacy regulators clarify right to be forgotten

Posted by on November 28, 2014.

The European Article 29 working party of national data protection regulators has issued guidelines on the European Court’s so-called right to be forgotten ruling, effectively closing some of the loopholes. Perhaps the most important of the opinions is that the ruling applies to all domains available in the EU and not just European domains.

googleThus, for example, if a UK citizen succeeds in getting Google to remove certain links from the search engine, Google will be expected to remove those links from Google.com as well as google.co.uk. This is both more contentious and more difficult, and will provoke US freedom of expression sensitivities. In order to satisfy both US and European customers, Google would need to remove the links from Google.com where the searcher is located in Europe, but allow them where the searcher is located in the US.

Even if this could be achieved, the use of US proxies from within Europe will still bypass the ruling.

Although such Article 29 guidelines are not binding in law and can be challenged in court, they traditionally provide guidance on how national regulators should interpret the law. This is still likely to differ in different countries: the UK’s ICO, for example, tends to be lenient with Google while France’s CNIL is very strict.

I doubt that Google will feel able to comply with these instructions and will, in the first instance, simply ignore them. This will eventually be tested in court.

A second guideline shuts down a contributing factor to the Streisand effect. Currently, when Google removes links it notifies the website concerned that it has done so (this is in accordance with Google’s transparency principles). The right to be forgotten applies only to the links in the search engine — the ‘offending’ article is not removed from the website. So when a news site learns from Google that links have been removed, that website will usually comment in some detail — reawakening the original issue that Google has been told to forget.

Search engines should not as a general practice inform the webmasters of the pages affected by removals of the fact that some web pages cannot be acceded from the search engine in response to a specific name-based query. There is no legal basis for such routine communication under EU data protection law. [original emphasis]

There is, however, one small relief for Google and the other US search engines. Under EU law, everyone (not just EU citizens) is entitled to data protection. Strictly speaking, then, US citizens could apply to Google to have links removed under European law. While recognising this reality, the guidelines suggest

In practice, DPAs will focus on claims where there is a clear link between the data subject and the EU, for instance where the data subject is a citizen or resident of an EU Member State.

This has not been a good week for Google in Europe. In another non-binding ruling, the European Parliament voted by 384-174 for the Commission to consider โ€œunbundling search engines from other commercial services.โ€ In other words, the European Parliament wants to break up Google — and although Google is not mentioned by name, with more than a 90% search market share, it is clearly Google in the cross-hairs.

It won’t happen.


Share This:
Facebooktwittergoogle_plusredditpinterestlinkedinmail

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: News, News_legal, News_politics, News_privacy | Tags: , , ,