Information Overlord: Google and Your Right to be Forgotten

The right to be forgotten is defined under Article 17 of the GDPR (General Data Protection Regulation). There are clearly defined criteria when a request for data erasure can be made to the company holding the information. The Court of Justice of the European Union (CJEU) has, it seems, undermined the regulation by finding in Google’s favour. Many industry watchers have called this ruling the end anonymity and clear the way for more censorship.

One of the main ramifications after the ruling is that this component of GRPR, can’t be applied globally. GDPR was, however, always enacted as a European directive. Companies like Google have a global reach. It was, perhaps, only a matter of time before the disconnect between EU law and the worldwide operations of the companies targeted by the regulation, would become fractious. There is, after all, no global court that could enforce GDPR.

In January of this year, the CJEU made a preliminary ruling. CJEU Advocate General Maciej Szpunar said: “The search engine operator is not required, when acceding to a request for de-referencing, to carry out that de-referencing on all the domain names of its search engine”, but only to “ensure full and effective de-referencing within the EU.”

The current ruling by the CJEU states: “Thus, the Court concludes that, currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine. However, EU law requires a search engine operator to carry out such a de-referencing on the versions of its search engine corresponding to all the Member States,” it added.

Again, the referencing of territories within the EU is telling. The CJEU clearly believes it has little influence on companies like Google outside of their European operations. What’s more, the geo-blocking techniques Google did introduce to appease the Court have had little impact. Google arguing that blocking this information could be used by parties wanting to hide their activities, which could include human rights abuses.

Our right to privacy and our right to have inaccurate information removed from the many databases it can reside upon would clearly be supported by many. It’s the practical application of this idea that is often difficult to accomplish. There is a delicate balance to be struck between censorship, avoiding the support of criminals and, the right to privacy. Add to this the proponents of total information access across the global internet – Google’s win supports freedom of expression organisations.

Thomas Hughes, executive director of Article 19, said: “Courts or data regulators in the UK, France or Germany should not be able to determine the search results that internet users in America, India or Argentina get to see … It is not right that one country’s data protection authorities can impose their interpretation on Internet users around the world.”

Global jurisdiction

How we all protect, our online personal information is in constant debate. The right to be forgotten component of GDPR was the latest attempt to give users of online services, a level of effective control over what personal information others can see.

Says Camilla Winlo, Head of Consultancy Services at DQM GRC that offer consultancy services to support organisations’ data protection and governance capabilities: “The ‘right to be forgotten’ is perhaps the most controversial right. It comes from the same principle that allows convictions to be ’spent’ over time, so they no longer need to be declared. It will enable people to turn their lives around.

“The ruling is a victory in the sense that it allows different countries to place differentiating levels of importance on the rights to say, privacy and free speech. However, from Google’s perspective, implementing the technical requirements of this ruling are significantly more complex than just delinking.”Do we need to redefine what we mean by privacy? “There’s a distinct difference between a right to be forgotten and a right to privacy,” commented Paul Bischoff, privacy advocate with Comparitech.com. “Information filed under the former was never private in the first place. The right to be forgotten is about making public information private retroactively. With that in mind, I don’t think it makes a huge difference in the broader privacy landscape, though it certainly has implications within its own purview.”

With Craig Vachon a leading venture capital investor, managing partner of Chowdahead Growth Fund and author of new tech thriller The Knucklehead of Silicon Valley stating: “This is a question of definitions. Academically, I believe that public data should always be made available to the public. Private data must always be in control of the individual. Delineating between the two is an evolving and complex issue that requires thoughtful and ongoing debate. But asking large tech companies to be involved in the determination, will always result in their advocating for their particular path of least effort. These tech companies should never be the arbiters.”

The idea that all information should be freely accessible has been used since the inception of the internet. Issues arise when we have to consider instances where publicly available data can be damaging to the individual concerned. Revenge porn is a good example here. Or the need to uphold a free press and protect people from libel.

The right to privacy

Who should police our personal data? The obvious response is to take control ourselves. Regulators have attempted to give individuals the power to request information is removed or at least challenging to discover if they have a legitimate claim to do so. The issue is when these regulations attempt to apply themselves on a global scale.

DQM GRC’s Camilla Winlo, concluded: “The ruling shows that there is still a need for considerable debate around privacy. It is the role of a data protection regulator to champion privacy practices. The purpose of the courts is to decide when a regulator has gone too far when balancing the privacy rights against other rights. CJEU has not gone as far as to say that public interest should always outweigh privacy rights. It has said that care should be taken to strike the right balance – and that the balancing point will differ from country to country.

The CJEU opens the debate about privacy, free speech, the public interest and data security. Can all these components ever be fully reconciled with regulation that is effective?

It seems unlikely in the fragmented and complex legal environments we all live in no matter our location. Currently, is it better to live in the EU where GDPR is in force if you have something to hide? Probably, but don’t expect Google to protect your data on a global scale.

There is a need for individual countries to legislate. Some form of localised amnesia is perhaps needed to protect sensitive information becoming widely available. Controls to ensure these powers are not used nefariously must be in place.