16 Comments

Summary:

It’s nice to see privacy rights upheld and Google’s attempts to evade European law firmly squashed, but even well-meaning rulings could turn sour when long-term enforcement remains impractical.

Google – and anyone else providing links to personal information on the web – must delete stale and unwanted information about someone if asked to do so, Europe’s top court has decided. This is a landmark decision and not, by my reckoning, an entirely good one.

It’s not that I object to the principle of the so-called “right to be forgotten”, but rather that such a right is difficult to enforce in the context of an open internet. That said, in this particular case enforcement is not difficult. Confused? Read on.

The Spanish inquisition

The case in question dates back to 1998, when a Spanish chap named Mario Costeja González (there is an unfortunate Streisand effect at play here) was in financial trouble and his home was repossessed. A local newspaper called La Vanguardia published notices of the house’s auction, mentioning González by name. Fast forward to 2010 and González was keen to have that public record expunged, as it no longer mattered but came up whenever someone searched for his name.

Spain’s data protection agency, the AEPD, rejected González’s claim against the newspaper (which published the information lawfully) but upheld his claims against Google Spain and Google Inc., calling for the search engine to de-list references to the original articles. Google appealed and the Spanish courts asked the Court of Justice of the European Union (CJEU) to weigh in.

In its judgment on Tuesday, the CJEU confirmed that Google qualifies as a data “processor” and “controller” of its processing by virtue of its indexing activities, meaning the company has to abide by the provisions of the EU Data Protection Directive. The court also rejected Google’s rather spurious claim that, because it is headquartered outside the EU, it should somehow fall outside the directive’s scope.

Now here comes the kicker:

“… the Court holds that the operator is, in certain circumstances, obliged to remove links to web pages that are published by third parties and contain information relating to a person from the list of results displayed following a search made on the basis of that person’s name. The Court makes it clear that such an obligation may also exist in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.”

The ruling goes on to refer to striking the balance between the data subject’s rights and those of other internet users with legitimate interests in finding information, before noting that even data that was compatible with privacy rights when published can over time become incompatible.

So what’s the problem?

Firstly, there are some positive aspects to this ruling, chief among them the issue of territoriality. As European Commission privacy chief Paul Nemitz tweeted:

Ovum analyst Luca Schiovani also weighed in with a statement, saying that “involving search engines for something they are not directly responsible for is likely to entail a burdensome cost, especially if the amount of requests of erasure should escalate in the future.” A fair point, but not the biggest issue here – complying with local law comes with a cost, and if Google wants to operate in Europe it needs to suck it up. Generally speaking, privacy outweighs profits.

The major problem here is one of enforcement. González will now get what he wants, once the Spanish court acts on the CJEU’s ruling, but that’s only because Google has a monopoly on the European search market, with a share of more than 90 percent. Stop Google from linking to the repossession articles and they are as good as gone, but how would this work in a more competitive search market?

Would a data subject who wants information expunged need to go to each major search provider? What about the minor ones? What if a future search engine operates on a distributed basis, rather than in a centralized fashion as Google does today? What if there’s simply nobody to contact about a problem? And what is the point of muzzling the gatekeepers if the source material remains online?

For other problems with the “right to be forgotten” concept, it’s also worth looking back at a 2012 report by Europe’s cybersecurity agency ENISA, which pointed out that EU laws can’t be enforced against companies that hold the relevant data (or data derived from that data) but that don’t have a real EU presence. That report pretty accurately foresaw today’s ruling, noting: “A possible partial solution may be a legal mandate aimed at making it difficult to find expired personal data, for instance, by requiring search engines to exclude expired personal data from their search results.”

That’s only a partial solution, though – it won’t do the job the “right to be forgotten” sets out to do, and may cause more problems than it solves. What goes onto the internet can be copied and moved all over the place, and if you really want to be able to track down and delete data, you need to institute a metadata tracking system that would run completely counter to privacy rights. Then there are the potential implications for free expression, which the ruling mentioned but not with great weight:

Let’s not even talk about the fact that the right to be forgotten is only supposed to brought in by an as-yet-unfinalized revision of the Data Protection Directive — the CJEU appears to have decided that it logically follows on from what’s already there, which is… interesting.

In short, I find the CJEU’s ruling well-meaning but short-sighted, and am a bit nervous about how Europe’s national courts will decide to apply it.

You’re subscribed! If you like, you can update your settings

  1. Interesting perspectives David, I agree with many of your points. The one thing I question is the assertion that data can be copied and moved and that deleted data can still be found. In this case the data is not being deleted (the Spanish courts made a distinction between Google and the newspaper that published the original story) but merely prevented from appearing in search results.

    1. Indeed – but that’s specific to this case, whereas the principles established by the judgement may have different effects (or ineffectualness) elsewhere.

  2. Steve Jones Tuesday, May 13, 2014

    There’s also a very easy workaround. As this can’t be enforced in the US as it will run counter to the 1st amendment, all anybody needs to do is to access Google via a web proxy in the US. Should such editors

    Personally, I get extremely concerned by the very principle of censoring information that was lawfully published in the first place. It smacks rather too much of censoring history,.

    This is also, quite apart, from the simple logistical issues involved and just who is going to make the final decisions and whether such filtering rules will apply only to countries where the decisions are made or across the whole EU. After all, difference countries in the EU have different standards of what is or is not in the public interest as regards privacy information.

    1. oops unfinished sentence. “Should such editing become common, I expect journalists and others to use just such workarounds”

  3. the_internet_is_crumbling Tuesday, May 13, 2014

    David, nothing is ever 100% effective. Ask the RIAA. That’s a group that somehow has the right to remove search results. I think it’s more than a little disingenuous to say this is a bad ruling to give individuals the same power the RIAA/MPAA have had for years.

  4. Nothing like censoring the Internet! All hail to our new glorious overlords.

  5. Derrick Harris Tuesday, May 13, 2014

    In the US, I would think a defense of newsworthiness would prevail most of the time, but who knows how the various EU countries will define good cause. Horrible ruling, IMHO.

  6. So, let me see if i understand the logic here.

    A ruling that would enforce compulsory use of seat belts on cars would also be criticized because it would be difficult to enforce? It’s also difficult to enforce that people pay to use the subway and that doesn’t mean we think it should be completely free.

    I’m disappointed by GigaOm, a website i love being so clearly co opted by Google PR machine, i guess if you spend a lot of time talking to Google people, and you need access to them to keep providing content to your readers you get caught in some kind of cognitive capture and you start thinking that what’s bad for them is bad for society as a whole.

    I will always defend an individual’s right to not be marked for life over Google’s right to create money through clicks on ads.

    1. As would I. I think you are misunderstanding my argument, and if you read more of my writing on Google’s European adventures you will see that I hardly fall on their side in general.

      My point is this: the way in which data is handled on the internet makes it terrifically difficult to track, which is necessary if it is to be deleted. It’s not hard to get Google to adhere to what will follow this ruling because it has a clear presence in Europe, with offices and everything, and that’s fine. It will be effective. But as a principle, this can only be partially and patchily enforced — just because a search service is available in Europe doesn’t mean it has someone local around to haul into court. What happens to non-compliant search engines that ignore requests from Europe, such as those solely based in the U.S. and adhering to U.S. free speech laws? It’s not like, to use an analogy similar to yours, we in Europe can just apply an import ban as we could if we were dealing with an unsafe car.

      Even though the new “right to be forgotten” revision of the data protection directive is explicit about serving the public interest and retaining media freedom, actually doing “forgetting” properly in the context of the internet as it functions could very well lead to excessive censorship. There’s just not a way to do it right, given technical realities.

      1. >It’s not like, to use an analogy similar to yours, we in Europe can just apply an import ban as we could if we were dealing with an unsafe car.

        Sure you can. Turkey just blocked Twitter for posting what they saw as libelous tweets. The whole ‘internet will route around the damage’ thing only works if things are not centralized. This is no longer the case in the modern internet. It’s very easy to kill 90% of the traffic by hitting a few big players. This has been clearly demonstrated.

        Just look at your own argument. If Max Mosley wants his nazi orgy video removed from the internet, you and Google argue that it is not feasible. If the nazi orgy included girls under the age of 18, then suddenly, it’s very feasible. Google complies immediately lest they be branded a distributor of kiddy porn.

        Google is splitting hairs. Individuals are not property of Google. We have rights too.

        1. Burbuja Osorio guest Friday, May 16, 2014

          David, thanks for your reply.

          Unfortunately i’m not an expert on this topic so i’m not completely qualified to argue about the merits of your arguments but it seems to me they are a bit academic.

          The reality is that, as the next commenter said, there is huge concentration in the modern internet, so forcing Google to forget it’s probably enough. If there is a niche search engine in Nigeria that will not be enforceable, i guess i can live with that.

          The point about censorship is also a favorite of american corporations. If i had to choose between limits enforced by a democratic and elected government or the self-regulation criteria of a corporation in California, i would always choose the democratic governments.

          It’s time for Google and all the other tech titans to accept that the Internet is not some magical kingdom where normal rules don’t apply and that it can’t and shouldn’t be regulated. It can and it should.

  7. Hmmm, following up on the newsworthiness aspect mentioned above… Can you please elaborate a bit more on the right to be forgotten details? I consider it fair that an undirected search does not associate an individual with events that happened a long time ago. On the other hand, if I was writing a biography, for example, I would like to be able to search old records of information. As it is perfectly legal for the newspaper to keep its notice the data is just hidden and requires expert knowledge to dig up. Thus the Internet loses yet some more of its originally egalitarian properties.

    By the way, irrespective whether I agree with your conclusions or not I found your post pretty balanced:-)

  8. Does anyone have the citation for the Google right to be forgotten case?

  9. I think there is a general lack of distinction between historic fact and personal freedom. Say you had a legal and proper rehabilitation from serious debt. There are laws in the real world that require the deletion of these facts from say the records of credit bureaus after a certain period of time, as it cannot count against you anymore. In cyber space you will; however; never be rehabilitated again. Talk about vindictive!

    However; in cyber space this now an albatross around your neck because it is so difficult to track this data. Excuse me? Google is the master of Search Engine Optimization with spiders crawling the net to get your site listed high up in the search page. Spidey has simply to look for your name – and other detail. Then again, how about human integrity and dignity? Do you always have to be forced by law to do the right thing? Seems to me the law is used to dehumanize us.

    As long as we are technically correct we’re fine, and the devil take the hindmost.

Comments have been disabled for this post