Google Changes Right to Be Forgotten Policy

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

March 7 — Google Inc.'s changing position on the implementation of the “right to be forgotten” highlights how companies might act when faced with erasure requests in line with the EU's General Data Protection Regulation, privacy professionals told Bloomberg BNA March 7.

In May 2014, the European Court of Justice ruled that the compilation of Google search result link were considered data processing. Because of this designation, search engines should remove search links at the request of data subjects unless there are legitimate public interests to keep the links .

Google initially responded to the ruling by removing search result links through their EU domains, such as google.fr and google.de.

However, in a March 4 blog post, Google said it would instead remove links from searches that originated from devices with European Union Internet protocol (IP) addresses.

Right to Erasure

James Mullock, a partner with Bird & Bird LLP in London, told Bloomberg BNA that the EU General Data Protection Regulation (GDPR) would have “very far-reaching jurisdiction provisions.” The GDPR “also enshrines a form of the right to be forgotten, rebranded as the right to erasure.”

“The challenge that Google has faced in policing and enacting what the court required in its 2014 judgment is, to some extent, something that a wider set of organizations are going to have to grapple with,” Mullock said.

Under Article 17 of the GDPR, data subjects will have the right to request data controllers to erase their data “without undue delay,” and data controllers should “take reasonable steps” to other controllers that link to or replicate the data .

Negotiators Dec. 15 concluded nearly four years of talks on the final text of the GDPR, which is now going through ratification . The regulation should go into effect in 2018.

Tougher Data Protection Authorities?

The GDPR will cover EU data subjects in the location of the data processing.

Jonathan Armstrong, a partner with Cordery in London, said that EU data protection authorities would need to work out how to enforce rights granted by the regulation, such as the right to erasure.

“Regulators are getting tougher,” he said. “Under the data protection regulation, violating rights like that could lead to a substantial penalty.”

For violations of data subjects' rights, including the right to erasure, the regulation stipulates fines of up to 20 million euros ($22 million), or 4 percent of a company's worldwide revenues.

Carlo Piltz of JBB Lawyers in Berlin said that “the data protection authorities would still like to see a blocking of access in all cases and for all URLs” in right to be forgotten requests.

“It's difficult to assess whether the DPAs will be satisfied,” with Google's change of policy to apply delisting of links on the basis of IP addresses, Piltz said.

“If one looks at their prior statements, perhaps not. On the other hand, this solution might now be considered as the best compromise,” he added.

EU data protection authorities have pressured Google pressure to delist search results across all Internet domains. In June 2015, France's DPA, the CNIL, threatened sanctions unless delisting was done across all Google domains .

The CNIL, which currently chairs the Article 29 Working Party of EU member state data protection commissioners, didn't respond to a March 7 request for comment on the Google change of policy.

Finding the Right Balance

In implementing the right to be forgotten, companies will also have to balance data subject requests with the public interest in information remaining available.

Joe McNamee, executive director of advocacy group European Digital Rights, said that by making the March 4 policy change, Google was “trying to hit a level of meaningfulness that any future court case will say is adequate.”

However, on deciding on the content of right to be forgotten requests, Google's position was “not entirely coherent,” he said.

Google has resisted the worldwide application of delisting of search results links, but does delist some harmful content such as explicit images of people posted online without consent for the purpose of humiliating them, McNamee said.

In such cases, the global application of EU right to erasure requests under the GDPR would be unlikely resisted, but there was also a “grey area” that would need “a lot more thought” on the conditions under which requests should be granted, McNamee said.

When the EU regulation comes into force, it will be a “question of learning by doing,” he said.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Daniel R. Stoller at dstoller@bna.com

For More Information

Google's blog post is available at http://src.bna.com/c4Y.