Google Right to Forget Amendment Plan Faces Skepticism

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Rick Mitchell

Feb. 25 — Google Inc.'s offer to expand the reach of its European Union right to be forgotten compliance program to “worldwide” search result removal requests, so long as the searches are from EU Internet protocol addresses, is being met with skepticism by some privacy regulators and practitioners.

(Click image to enlarge.)

EU flag 2

Google hasn't released the proposal publicly and didn't respond to requests for comment, but data protection authorities in the U.K., France, Italy and Spain told Bloomberg BNA they have seen the proposal and are considering it.

The Dutch DPA said it plans to address the proposal at the European Union level.

The European Court of Justice held May 13, 2014 that EU data subjects have the right to compel Google and other Internet search engines to remove results linking to websites containing personal information about them if their fundamental right to individual privacy outweighs the public's right to know .

A year later, the French data protection authority (CNIL) ordered Google to extend the RTBF to all of the company's search engine websites worldwide, including .com based in the U.S., and not just those with EU domain names, such as .fr, .de or .uk .

Google and others have questioned whether CNIL was acting within its authority but in late September 2015, CNIL rejected Google's administrative appeal in the case, and the company could face sanctions .

Compromise: Delisting Based on IP Address

The Article 29 Working Party of EU data protection authorities, headed by CNIL President Isabelle Falque-Pierrotin, has said search engines that receive valid requests for delisting based on the ECJ ruling must apply them worldwide.

According to Google's transparency site, as of Feb. 23 it had received 392,218 delisting requests for nearly 1.4 million urls. Google said it has removed 42.5 percent of such requests.

Under Google's compromise plan, when an EU citizen makes a valid delisting request, Google would apply the delisting to all its domain names worldwide, not just to its EU-domains search engines, such as google.de and google.fr but to all of its engines, including google.com. However, that filter would only apply to searches made from the same EU-based IP addresses as the person making the delisting request. Therefore, searches from non-EU IP addresses would still produce the link in question.

CNIL told Bloomberg BNA that “these new elements put forward by Google illustrate well that the problem of territorial scope requires reflection. The CNIL is currently doing an investigation of these elements.”

DPAs' Reactions

A spokesman for the U.K. Information Commissioner's Office said that “the ICO is aware that Google has proposed changing the way it carries out the delisting of search results. This revised approach would appear to address the concerns previously set out by the ICO on the scope of the requirement to delist.”

For the Spanish DPA, Google's proposal “is exactly what the agency is asking search engines to do in its final decisions. That is, to block the contested results in all EU domains and, in addition, to block them also in any other domain whenever a search is performed from Spain.”

The main objective for the Spanish agency is to effectively ensure the rights of EU citizens. However, it said it will deal separately with other types of cases in which the impact reaches beyond the country of the data subject. “As it seems that the application of this Google measure will be based on the identification of the IP address of the user who is performing the search, this might be the case, for instance, of a citizen of any European country that seeks information about a citizen of another European country using the IP address that corresponds to his or her country of residence and having access to domains outside the EU,” it said.

The Italian DPA, the Garante, told Bloomberg BNA its stance on the right to be forgotten is in line with that of other EU DPAs of the Art. 29 Party—that the ECJ's judgment “entails full-fledged recognition of data subjects' rights.”

The Garante added “that the measures announced by Google recently do show innovative features compared to the initial response.” Accordingly, it said, “the new policy proposed by Google will be carefully assessed by the Italian DPA.”

The Dutch DPA declined to comment, pending discussion about Google's proposal with the Art. 29 Party. Germany's federal DPA is based in Berlin, but under Germany's federal system, the DPA in Hamburg is responsible for regulating Google and the RTBF. The Hamburg office didn't respond to requests for comment.

Dual Regime

Former CNIL Secretary-General Yann Padova said Google's IP-based proposal would likely satisfy CNIL's request to extend the scope of delisting, and would also indirectly limit the extraterritorial scope decried by Google. However, it would likely “only partly solve Google's problem with the CNIL,” he said.

For example, CNIL would likely see it as a positive outcome if a European data subject with a European IP could get Google to withdraw links related to his/her personal data based the new plan, making the content and links inaccessible for any European.

However, Padova said such a “geoblocking” measure could still be circumvented, through a use of a proxy. In any case, he added, users outside Europe could access the content without a proxy. He was skeptical such a “dual” legal regime, with different treatment for searches from IP outside Europe and within Europe, would fully satisfy CNIL.

Interim Compromise Possible

In May 2015, the CNIL told Google that it considered the search service as unified data processing, regardless of the means used to access it—meaning regardless of the fact that the user uses a .com, a .eu or a .fr version of the search engine.

Therefore, Padova said, “it seems unlikely that the CNIL considers that the enforcement of a fundamental right may differ or vary depending on the modalities that the processing is accessed or the location of the user,” he said.

DLA Piper attorneys Carol Umhoefer n New York, Jeanne Bossi Malafosse in Paris and Caroline Chancé in Paris said CNIL and other EU DPAs might accept the IP-based approach, “but only as an interim step to a compliant, long-term solution.”

Filtering may be an acceptable, or possibly interim, compromise if applied to the entire EU, as opposed to limiting it to the country where the request was made. “People in other EU countries presumably have a lesser interest in finding information regarding the person who made the delisting request,” the DLA Piper attorneys said.

If results are completely delisted in the country where the request was made, complete delisting in the EU shouldn't be a problem, either technically or legally, they said. As for the rest of the world, RTBF could conflict with other jurisdictions' laws, the DLA Piper attorneys noted.

Possibility of Sanctions

The EU authorities might insist that Google completely delist links for anyone making a request, no matter where they were located in the world, as CNIL first requested in its formal notice. “This puts search engines in the situation where they are clearly exposed to financial sanctions,” the DLA Piper attorneys said.

If CNIL decided that the Google proposal doesn't satisfy the requirements in the May notice, it will continue its procedure and likely issue a fine, Padova said, and that may happen soon.

CNIL's maximum possible fine under the country's 1978 Law on Information Technology and Liberties is 150,000 euros ($165,425)—the fine it set against Google's unified privacy policy early this year . CNIL's maximum fine can go up to 300,000 euros ($331,000) for repeat offenses.

Padova and others have noted that CNIL's order to Google cited France's criminal code, in addition to the 1978 law, implying that it could use its legal prerogative to refer the case to a criminal prosecutor. In that case, a criminal court could levy a fine as high as 1.5 million euros ($1.65 million), but then the process would be in the hands of a prosecutor, not CNIL's.

Once CNIL levies a fine, Google would have two months to appeal to the Conseil d'Etat, France's highest administrative court. Such an appeal could take about two years to resolve.

Violating French data protection law could get much more costly in the future. The DLA Piper attorneys noted that the French National Assembly recently voted for a measure that would increase CNIL's sanctioning power to up to 20 million euros or, for legal entities, up to 4 percent of the annual worldwide revenue during the financial year preceding the violation, whichever is higher. The EU General Data Protection Regulation provides for similar levels of sanctions .

If Parliament passes the law, CNIL could have its amplified fining power before the GDPR is expected to take effect in the first half of 2018, they said.

No Official Art. 29 Assessment

Padova said that the Art. 29 Party has adopted a common approach on the right to be forgotten, but it hasn't officially assessed Google's new plan. That doesn't prevent national regulators from enforcing their national data protection laws, and levying a fine, he added.

He said only some EU DPAs have started sanction procedures against Google based on right to forget cases, similar to what they did regarding Google's controversial unified privacy policy, in which just five European DPAs started sanctions procedures against the company .

“The same thing is currently happening with Facebook,” Padova said.

To contact the reporter on this story: Rick Mitchell in Paris at correspondents@bna.com

To contact the editor responsible for this story: Jimmy H. Koo at jkoo@bna.com