Since last year's European Court of Justice ruling that Google must delete links to personal information when an individual requests it, debates have ensued globally in courts of public opinion on whether a search engine should control what should be searchable public information and what shouldn't. And while those with fractured pasts have likely celebrated that it may not be so easy to be haunted by past deeds, the ruling meant some big changes for Google.
But at last week's Global Privacy Summit in Washington, DC, William Malcolm, Google's senior privacy counsel and a member of the IAPP European Advisory Board, said the company didn't flinch once the decision came down.
'There's no doubt this ruling is a landmark ruling, and right from the start, Google made it clear that although we disagreed, we respected it," he said. "So we immediately went to work in terms of how to practically comply with it."
As of March 3, the company had manually evaluated—meaning a human being had made a decision on each individual case—817,000 individual URLs, representing somewhere between 226,000 individual requests. Overall, Google made the decision to remove the link in 40 percent of the cases and to not remove it in 60 percent.
"That's quite a lot of work," Malcolm said. "I'm extremely proud of the effort our teams have put in to make this a practical reality. The response has been quick, thorough and carefully considered."
Aiming to be transparent on its decision-making to remove or not to remove, Google has published a report explaining cases where it may have chosen not to delete based on, for example, a clear public interest in the information remaining searchable.
Some of the more complicated trends Google's seeing in requests for link removals involve defamation cases, Malcolm said, where's it's not necessarily clear whether a particular statement is true. Another tricky spot has been recency, meaning that the ECJ decision exempts search engines from removing information that is of the public interest. But over time, public interest on particular issues change. So a topic that might have been crucial at one point may have become obsolete over time.
Google's recently established advisory board is helping a team of about a dozen Google employees—both lawyers and not—with some of those more nuanced decisions, Malcom said, adding the search engine is taking its decisions seriously and each case is reviewed carefully.
"We want to make sure we're listening to users and DPAs as we seek to get the balance right in the months and years ahead," he said.
José Luis Rodríguez Álvarez, director of the Spanish Data Protection Agency, said he and European citizens in general are pleased with Google's implementation of the RTBF. Remember that the impetus for a Right To Be Forgotten stemmed from a Spanish case in which businessman Mario Costeja Gonzalez wanted links reporting news of his past financial woes to be deleted from search engines.
"We have some differences, some points that are necessary to fix," the Spanish regulator said. "But in general, the implementation is working good, and it's proof that it was possible. It is technically possible and Google is demonstrating that this can work."
Though much attention has been focused on concerns that the RTBF will in effect censor the public's right to knowledge, freedom of speech or access to information, Álvarez said none of that is at risk.
"The information isn't deleted, it remains," he said. "The content of the information can be found with search engines using all the terms different from individuals' names. Accessibility is only reduced based on the name of the individual. That's a very relevant point. This right to be forgotten does not affect the right to know. If anything, it might affect the right to gossip."
Comparing cultural ideas of the right to be forgotten, Mexican attorney Rosa Maria Franco Velázquez, CIPP/US, said that while Mexico's constitution doesn't expressly provide for a right to be forgotten, a "cancellation right" in the country's data protection law gives data subjects the possibility of filing a complaint with a data controller when the subject feels the controller isn't complying with the principles enshrined in Mexican laws and regulations.
Compared with Google's high number of take-down requests, Velázquez said there were only 313 data protection proceedings from 2012 to 2015. Of those, only 125 dealt with cancellation rights and only 25 percent ended up in a resolution by the DPA.
"We cannot understand the right to be forgotten as it has been understood by the ECJ because of cultural divides," Velázquez said.
However, that may be changing. On January 27, the Mexican data protection authority (IFAI) initiated proceedings that could impose sanctions on Google for an alleged breach of the nation's data protection law after Google Mexico didn't agree to a take-down request from a Mexican citizen wishing to have personal data removed. Mexican law allows for a fine of up to $1.53 million for an organization in breach of national data protection law.
Despite these changes in citizens' rights, Morrison & Foerster's Miriam Wugmeister, who moderated the panel, asked why it should be that a private company--any search engine--is in control of such decisions as what should be searchable information and what should not? Why shouldn't DPAs be charged with this?
But Álvarez said this is the very kind of work DPAs do every day, the difference is the volume. And besides, he said, "big business must be related with a big responsibility."
It's a responsibility Google is living with, for now.
"We believe the approach we're taking is right," Malcom said. "We continue to discuss these issues with the data protection authorities and others and will continue to work with them constructively to evolve processes as time moves on."
If you want to comment on this post, you need to login.