Google to France: ‘Forget You’ – An Update on the Right to be Forgotten
Last week, Google announced it was appealing the French data authority’s decision to fine Google for refusing to delete links globally. With the right to be forgotten (RTBF) debate thus back in the news, this post takes the opportunity to map the lay of the land to date.
The Extraterritoriality Dispute
As a refresher, in 2014 the Court of Justice for the European Union (CJEU) ruled that Google must remove links to certain content upon request from EU residents. (The Harvard Law Review provides a helpful summary of the opinion.)
Following the CJEU’s initial decision, Google created forms for submitting removal requests and established procedures for evaluating and fulfilling these requests. Since it began implementing the CJEU’s ruling, Google has evaluated 1.5 million URLs for removal in 431,000 requests. It has removed 43% of the requested URLs from its search results. These numbers may seem large, but they pale in comparison with the number of copyright takedown requests Google receives: 88 million URLs requested to be removed in the last month. It may be easier, as the New York Times suggests, to identify copyrighted material than personal information not “in the public interest,” but the difference in scale is nonetheless noteworthy.
If a removal request was approved, Google’s original practice was to remove links from search results not only on the Google Search domain in the country from which the request originated, but from the results in all EU search domains as well. So, if Google approved a request from a person located in France, the offending link would not be displayed in search results from google.fr or from searches executed from any EU domain (e.g., google.de, google.uk, etc.).
Then, in February 2016, Google announced that it would “use geolocation signals (like IP addresses) to restrict access to the delisted URL on all Google Search domains, including google.com, when accessed from the country of the person requesting the removal.” In other words, anyone using google.com from a computer in France or anywhere else in the EU would not see the problematic link in his search results. However, the link would still appear if I conducted the same search from my home in the free-speech-loving/privacy-hating United States.
But this wasn’t accommodation enough for France. Data protection authorities there insisted that offending links be removed from all search results globally. The link that previously was still available to me in the US would have to disappear from my search results too.
Google refused to comply. It argued that it would follow the laws of countries in which it operated but that it was a “foundational principle of international law” that Google did not have any obligation to apply those laws to other countries. Applying a country’s laws extraterritorially—across the whole internet—would only lead to a global “race to the bottom,” where the most restrictive country’s laws became the global default setting. This threat was not hypothetical—Google reported that it regularly received requests to remove content globally that may otherwise be perfectly legal elsewhere. In short, Google was loathe to delegate to any one government the power to control what information the rest of the world could see.
Unmoved, France fined Google €100,000 (about $112,000). Compared to Google’s $74.5 billion in revenue in 2015, this fine was clearly not going to break the bank. Google’s decision to appeal to France’s highest administrative court, then, appears to be an effort to set up the question for ultimate resolution by the CJEU.
Otherwise, Some Success…
With the exception of this extraterritoriality debate, Google otherwise appears to have received fairly positive reviews on its implementation of the CJEU’s opinion. Individuals whose removal requests are denied have the opportunity to appeal Google’s decisions to their national data protection authorities. But early data (including from Ireland and Finland) indicate that less than 1% of Google’s decisions are appealed.
Moreover, the national data regulators appear to mostly uphold Google’s decisions. The deputy director at the French data authority stated that “[w]hen it comes to appeals, we agree with Google most of the time.” The director of the Spanish data protection agency echoed this praise: “We have some differences, some points that are necessary to fix. But in general, the implementation is working good, and it's proof that it was possible. It is technically possible and Google is demonstrating that this can work.”
Of course, some of this praise from national regulators may be self-serving. According to the New York Times, national agencies “lack the financial, technical and human resources to handle the substantial influx of ‘right to be forgotten’ requests” themselves, and thus may have some incentive to deem Google’s efforts “good enough.”
…But Also Some Complaints
Because we’re dealing with the Internet, the praise is not universal. Some complaints from news sites about Google’s removal decisions, particularly earlier on, ultimately resulted in certain links being restored. While some problematic decisions may have stemmed from inadequate or new policies, even a well-oiled system will encounter difficult removal questions. For example, as Google’s senior privacy counsel pointed out, Google frequently cannot determine the veracity of a statement when confronted with a request to remove links due to alleged defamation. Likewise, while the CJEU said it was not necessary to remove discussion of topics “in the public interest,” this nebulous term is open to interpretation — and subject to constant change as topics wax and wane in the public eye.
Critics also bemoan Google’s lack of transparency. The company publishes a transparency report on RTBF removal requests, but the report only provides the percentage of URLs removed from its search results, a few sample requests, and a list of the most-affected sites. Google has not responded to requests to explain how its review process works. And although it notifies individuals when their requests are denied, it does not explain why.
(However, Google did at one point accidentally expose some of the data underlying the report. As the Guardian pointed out, despite fears that the service would be used by public figures seeking to white-wash their past, in fact 95% of requests apparently originated from “everyday members of the public” seeking to have “private or personal information” removed. This underlying data has since been secured, and Google has not chosen to make it public officially.)
The deeper concern behind the transparency gripe, however, often seems to be an uneasiness with the idea that Google—or any private company—should be responsible for deciding what we see on the Internet in the first place. To some, this function (if it is to be performed at all) should be in the hands of a government regulator accountable to the public. Of course, we rely on Google precisely because it curates, sorts, and presents information in a usable fashion. As the director of the Spanish data protection authority pointed out, this is the kind of work that search engines do every day.
Doesn’t Anyone Use Bing?
The short answer is no. Google understandably occupies most of the public discussion of (and litigation on) the RTBF given its overwhelming market share across the EU: according to Business Insider, Google accounts for more than 90% of the EU’s search market. That figure is even higher within certain countries. For example, Google has 97% of the German search market and 96% of the French search market. (Yahoo and Bing apparently put up a better fight in the US, where together they have about 30% market share.)
But the CJEU’s decision applies to all search engines operating in Europe, and those companies have also taken steps to comply. Microsoft and Yahoo thus provide portals allowing EU users to request link removal, as do local search engines. For example, the New York Times reports that Seznam, a Czech search engine with about 25% of the country’s search market, will delete links if individuals have first convinced the publisher website to remove the material (a practice arguably not in compliance with the CJEU’s ruling, which explicitly stated that the complaining individual had no right to have his information removed from the website of the newspaper which had published it).
Whose Side Are You On, Anyway?
As the discussion is traditionally framed, particularly within the US, the right to be forgotten debate pits American free-speech fanatics against European privacy zealots. As other countries begin to “pick sides,” the United States is finding itself increasingly as an outlier.
Google itself has extended the EU’s RTBF protections to four non-EU European countries: Switzerland, Iceland, Norway, and Liechtenstein. Other countries would also like in on the deletion action. Hong Kong’s privacy commissioner has called on Google to apply the EU policy globally, even in the absence of legal requirements that it do so.
Other countries have taken more aggressive steps to protect their citizens’ privacy. As soon as next month, South Koreans will also be able to request that websites and search engines remove personal information from web pages and search results. Courts in Japan and Mexico have ruled that Google is required to remove certain private information at an individual’s request. The Mexican court noted that while the right to be forgotten generally includes an exception for matters in the public interest, in the case presented, Google had not sufficiently established this element, thus highlighting Google’s dual — and potentially conflicting — role as both censor and defender. In countries like Argentina, the right to be forgotten has effectively been enforced in a slightly altered form of search engine liability for third-party content the search engine helps publish or disseminate.
And despite its speech-loving reputation, even the US is getting in on the action. In May 2015, California implemented a law requiring websites to allow minors either to delete or request to have deleted content they had previously posted to the Internet. Similar legislation is currently pending in Illinois and New Jersey. The Do Not Track Kids Act , recently introduced in Congress, would enshrine such a rule at the federal level. The US legislation generally offers only the lowest form of protection—the right for children only to erase content that the child had personally created—but the trend demonstrates that the RTBF concept is not as foreign to American soil as First Amendment die-hards sometimes claim.
Overall, however, the United States remains an outlier. The right of privacy remains an “expendable afterthought” for American data-handling companies, while the EU’s privacy protections are becoming the global standard. As Google’s appeal works its way through the system, we are likely to learn just how global that standard will ultimately be.