EU Eyes Global 'Right to Be Forgotten'

Google, Microsoft Meet with Regulators in Brussels
EU Eyes Global 'Right to Be Forgotten'

Google and Microsoft met with European regulators in Brussels July 24 to discuss their compliance with the "right to be forgotten" ruling, and whether it should apply to all of their search engine sites - and not just those in Europe.

See Also: Secrets to a Simpler Security Incident Response

Europe's highest court - the Court of Justice of the European Union - ruled in May that Google must eliminate "inadequate, irrelevant or no longer relevant" search engine results when members of the public request that it do so. At the time, Google said in a statement that it was "a disappointing ruling for search engines and online publishers in general." While Google dominates the European search market, Microsoft Bing and Yahoo each account for about 5 percent of the search market in some parts of Europe.

Now, some regulators will reportedly press Google and other search engine providers - and by extension, any other business that must comply with the right-to-be-forgotten ruling, which may include social media sites and Twitter - to remove links not just from their European sites, but from every one of their sites, including, reports The Financial Times, citing sources with knowledge of regulators' activities.

Eliminating Links

The so-called "right to be forgotten," contrary to some reports, can be used to eliminate links to "irrelevant" or outdated data, but cannot be used to eliminate the source information itself.

To comply with the ruling, Google posted a Remove Information From Google page for European users, and published detailed removal policies. By July 7, Google said it had received 70,000 such requests. In its search engine results - only in Europe - it flags when entries are missing due to a "right to be forgotten" request.

Praise for Ruling

The EU court's ruling that Europeans have a right to have some types of sensitive information about themselves removed from search engine results has been lauded by many European officials, including Udo Helmbrecht, the executive director of EU cybersecurity agency ENISA. "This is a positive step in the correct direction," he says. "You as a citizen should be able to delete your own old data or photos online, just as you do with printed paper."

Speaking to BBC Radio 5, Christopher Graham, the UK's information commissioner, likewise says people have a right to downplay elements of their past. "There will certainly be occasions when there ought to be less prominence given to things that are done and dusted, over and done with," he says. "The law would regard that as a spent conviction, but so far as Google is concerned there's no such thing as a spent conviction."

Furthermore, he characterizes this problem of search engines not allowing the past to fade as being one of Google's own making. "The polluter pays, the polluter should clear up," he says. "Google is a massive commercial organization making millions and millions out of processing people's personal information. They're going to have to do some tidying up."

Ruling Criticized

But numerous privacy and legal experts have slammed the ruling, on the grounds that it might stifle free expression.

"The recent extreme application of privacy rights in such a vague, shotgun manner threatens free expression on the Internet," writes Ann Cavoukian, the Information and Privacy Commissioner for the Province of Ontario, and attorney Christopher Wolf, founder and co-chair of the Future of Privacy Forum think tank. "We cannot allow the right to privacy to be converted into the right to censor." They also warned that European regulators, based on past behavior, might well try to enforce the right to be forgotten beyond Europe's borders.

The privacy experts also criticized the European high court for issuing a vague ruling, which EU countries' data protection agencies must now try to interpret. "The Court did not provide sufficient instruction on how the 'right to be forgotten' should be applied," Cavoukian and Wolf say. "When do truthful facts become 'outdated' such that they should be suppressed on the Internet? Do online actors other than search engines have a duty to 'scrub' the Internet of unflattering yet truthful facts? The court didn't say."

Many media outlets, which have had links to their stories removed, have also complained that they have no way to appeal the removals. Some removals have also resulted in stories being removed not because of their content, but because of comments posted to the stories.

Seeking Clarity

But representatives from Europe's data protection authorities - part of the so-called "Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data" - are trying to translate the EU high court's ruling into concrete guidelines and requirements.

The working party met July 15 to discuss search engines' response to the ruling, when eliminating links might not serve the public good, as well as what recourse consumers should have if their request for removal gets rejected. "The data protection authorities analyzed the different legal bases allowing individuals - regardless of their nationality, their residency and the harm suffered - to invoke the right to request search engines to remove them from indexing," the group says in a statement. On July 24, the working party met with representatives from search engines to detail their compliance, to date, with the requirements, and discuss future efforts.

Some members of the working party are also concerned that consumers might not understand why their right-to-be-forgotten request may be rejected, under EU law. "To effectively exercise this right, it is necessary for individuals to understand thoroughly the precise reasons a search engine, subject to European Union law, can legally refuse this right," it says.

The working party hopes to finalize related guidelines for implementing the right to be forgotten by this autumn. That guidance would include compliance requirements for smaller businesses.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.

Around the Network