EU privacy ruling should apply globally, says digital chief

One of the most interesting questions in European tech privacy circles right now is about territoriality and the so-called “right to be forgotten” — when an EU citizen requests the delisting of a piece of information about them from Google’s search results, should it apply only in Europe or around the world?

On Thursday Andrus Ansip, the EU vice president in charge of the digital single market, said the delisting should apply globally. He gave this as his personal opinion — he has no say in the matter — but that opinion comes down on the side of Europe’s data protection regulators, who fear that limited implementation is too easily circumvented by visiting non-European versions of Google. Google’s expert advisors have almost unanimously taken the opposing view, arguing that Europe has no right to impose its privacy laws on the rest of the world.

Whose law is it anyway?

Here’s what Ansip said during a round-table Q&A session at the Google-sponsored Startup Europe Summit in Berlin:

Everybody has to respect a decision made by the courts. This right to be forgotten is not just based on a decision of court, but a court decision based on EU legislation. [It is] not a new principle. I think if a decision is made [and the] court case is closed, then it covers the whole company, not just some territories, but this is my personal view in this case.

The decision in question was made last year by the Court of Justice of the European Union, the EU’s highest court, in a case involving a Spanish man who wanted to remove from Google’s results an old news article about his long-ago debt problems. The CJEU’s decision set a new precedent by saying EU data protection law, which allows people to request the erasure of out-of-date information about themselves in limited circumstances, applied to search engines.

The question of how far its implementation should extend touches on a fundamental conundrum about the internet — countries need to be able to apply their laws online as they do offline, but the onlne layer’s lack of inherent borders makes that difficult to do effectively. If countries can impose their laws on the world, that means what internet users see can be affected by the laws of multiple countries at once, and not just their own.

Data protection and net neutrality

Ansip also touched on the issue of Europe’s tough new data protection laws, which he wants to get through the Council stage (i.e. final approval by the member states) by the end of this year. This legislative package would massively boost online privacy rights, providing a right to the erasure of personal data and allowing for much harsher fines on companies from anywhere in the world that mishandle the data of European citizens.

The vice president said he said he was against watering down the new privacy rules in order to strike a compromise: “I don’t think we have to protect everybody’s privacy, everybody’s personal data just because of some kind of directive or agencies that are asking to do that. To protect privacy, to protect data is a must.”

On the subject of net neutrality, which is part of a separate legislative package that’s also being finalized with member states, Ansip appeared a little less clear. Having earlier in the day maintained in an on-stage session that some kinds of web traffic may require prioritization over others, and having then insisted that “similar traffic has to be treated equally”, he went on to suggest during the round-table Q&A that “if we make tough standards then we will not leave space for innovations”.

It is very difficult to tell at this stage where he might compromise with the Council, some members of whom are more keen on loose principles than tight, enforceable net neutrality rules. He said on Thursday that it was important to reach consensus so as to give predictability to network investors and startups alike, and noted (in what seems to be an approving tone) that the latest Council proposals were “pretty close to the Commission’s proposal”.

The Commission’s proposal – the first draft of Europe’s incoming net neutrality law — was heavily toughened up by the European Parliament before it went to the Council, through the addition of strong definitions that precluded the possibility of prioritizing specific services over others. Where the final compromise will lie remains a mystery for now.

Google advisory council: Right to delist should only apply in EU

To help it handle the EU ruling that forces it to delist certain results about people, Google assembled a team of expert advisors that travelled the continent, seeking out various opinions on how best to implement Europeans’ data protection rights. On Friday that advisory council published its report, providing recommendations for the way forward.

The Google advisors’ report (embedded below) makes for a fascinating read, but the highlights are its assertion that the delisting should only apply in Europe, and its nuanced discussion of when publishers or webmasters should be notified of delisting.

The ruling was about data that’s inadequate, irrelevant or excessive – it’s a fundamental right in Europe that people can have such data deleted, and the Court of Justice of the European Union decided last year that this data protection right can be applied to search engines.

The global question

The advisors’ call for a limited geographical scope in applying the so-called “right to be forgotten” – Google’s favored term, but one the group strenuously objected to – directly contradicts the guidance given by the Article 29 Working Party (WP29) band of EU data protection regulators.

WP29 argued that, if the link to the data in question is only removed from Google’s European domains, it’s far too easy for people to access other Google domains, therefore the delisting should take place globally. Indeed, one of Google’s advisors, former German justice minister Sabine Leutheusser-Schnarrenberger, agreed with this in a dissenting opinion in today’s report.

Overall, though, the council said delisting should only apply in Europe. Its report acknowledged that global delisting “may ensure more absolute protection of a data subject’s rights”, but it pointed out that Google users outside Europe had the right to access information according to their own country’s laws, not those of EU countries.

It continued:

There is also a competing interest on the part of users within Europe to access versions of search other than their own. The Council heard evidence about the technical possibility to prevent Internet users in Europe from accessing search results that have been delisted under European law. The Council has concerns about the precedent set by such measures, particularly if repressive regimes point to such a precedent in an effort to ‘lock’ their users into heavily censored versions of search results.

Notifications

On the subject of whether or not to notify publishers that one of their pages is going to be delisted due to a data subject exercising their right, the council noted that it had “received conflicting input about the legal basis for such notice.” It then provided something of a fudge: “Given the valid concerns raised by online publishers, we advise that, as a good practice, the search engine should notify the publishers to the extent allowed by law.”

In other words, do what the law allows, whatever that is. In the opinion of WP29, contacting the webmasters in this way may itself involve “processing” of the subject’s data, which requires a legal basis – and there is none. However, the advisory council and WP29 did agree on one aspect of this question: If the decision to delist a particular piece of information is especially complex and difficult, it may be helpful to all concerned if the search engine could ask the publisher or webmaster for help.

The council also suggested four broad categories of criteria that Google and other search engines should apply when deciding on specific cases:

  • The data subject’s role in public life (Is the person a celebrity or do they have a special role in a certain profession?)
  • The nature of the information (Is it about the subject’s sex life or finances? Does it include private contact or other sensitive information? Is it true or false? Does it relate to public health or consumer protection or criminal information? Is it integral to the historical record? Is it art?
  • The source of the information (Does it come from journalists or “recognized bloggers”? Was it published by the subjects themselves and can they easily remove it?)
  • Time (Is the information about a long-past minor crime? Was it about a crime that’s relevant to the subject’s current role? How prominent were they at the time? Is the data about the subject’s childhood?)

The advisors recommended that Google’s delisting request form should have more fields so the subject can submit more information that will help the balancing test – for example, in which geographical area they’re publicly known, or whether their role in public life was deliberately adopted or not.

Other opinions

The dissenting opinions at the end of the report were interesting. That of Wikipedia founder Jimmy Wales was the starkest – “the recommendations to Google contained in this report are deeply flawed due to the law itself being deeply flawed” – as he entirely opposes the concept of a company being forced to adjudicate between free expression and privacy.

Frank La Rue, the former U.N. free speech rapporteur, also said this shouldn’t be down to Google, arguing that only a state authority should be establishing criteria and procedures for privacy protection. La Rue also criticized the scope of the EU’s data protection itself, saying data should only be removed or delisted if it is “malicious, is false, or produces serious harm to an individual.”

Overall, I think the report is an important document. There are of course many reasons to criticize the process that led to its drafting – it was done according to Google’s terms and timescale, and under the misleading banner of the “right to be forgotten” – and some of its recommendations don’t actually gel with current EU law:

However, I think it’s fair to say the council members were independent-minded and not all singing from the same hymn sheet. Ultimately, as a counterpart to the Article 29 Working Party’s more legalistic set of recommendations (that is their job after all), this was a valuable exercise in chewing over the deeper implications of that CJEU ruling.

Report of the Advisory Committee to Google on the Right to Be Forgotten

[protected-iframe id=”a2093e680e23c149c5ef77e8ab00270e-14960843-16988840″ info=”https://www.scribd.com/embeds/254900585/content?start_page=1&view_mode=scroll&show_recommendations=true” width=”100%” height=”600″ frameborder=”0″ scrolling=”no”]

Google fight over Mosley orgy shows censorship creep in Europe

A rich, powerful man won a series of court victories in France and Germany that arguably helped pave the way for Europe’s controversial “right to be forgotten”, which has helped people erase history by scrubbing search engines. Now, that man is pushing a U.K. court to go a step further — and, unfortunately, it sounds like the court will agree.

As the BBC explains, Max Mosley was in the High Court this week demanding that Google be held accountable for images that show him romping with five German-speaking prostitutes in a prolonged S&M orgy in a posh London apartment.

Mosley, who is the former head of F1 racing and the son of a prominent U.K. fascist, already has the right to ask Google to remove specific search results that link to the pictures or videos in question. What he is seeking now is for the court to designate Google as a publisher in its own right, which would make it responsible for finding and deleting any other links that might appear in the future.

The distinction is crucial because a court ruling in Mosley’s favor would transform Google and other search engines from a passive directory into an active censor. It is the difference between asking a newsstand to remove a certain magazine that has an offensive image, versus making the newsstand responsible for ensuring the image never appears in any other publication it sells in the future.

To support his position, Mosley’s lawyers are pointing to a court ruling against the defunct tabloid News of the World, which was forced to pay Mosley £60,000 for defamation and violating his privacy. They say Google is similarly liable for violating a U.K. law known as the Data Protection Act.

Google’s lawyer, meanwhile, is asking the court to throw out the case on two grounds: that Mosley no longer has a privacy right in the images since they have been so widely disseminated, and because the search engine is not a publisher in the first place. As the FT reports:

“Max Mosley remains in the public eye as a campaigner for privacy rights and this has never been forgotten or receded into the past,” [the lawyer] told the court, adding that in legal terms Google was not a publisher of the images.

While the case would be quickly thrown out in a North American court, other news reports suggest Mosley’s argument gained traction with the judge. The Mirror, for instance, quotes the judge in the case as saying “damages may simply not be available” to Mosley, but that an injunction is “much less problematic.”

This distinction will be cold comfort for Google since Mosley, if the judge issues an injunction, will be in a position to seek damages or a contempt of court charge if Google fails to comply with an order not to display or link to the images.

In the bigger picture, Mosley’s latest gambit appears likely to cause Europe’s creeping cloak of internet censorship to expand further. And a U.K. ruling in his favor will also bring about a further fracturing of the internet as a whole, as North Americans see one version of the web — including the Mosley video — while Europeans see a different one punched full of holes.

Why the EU’s “right to be de-linked” should not go global

Google and other search engines should remove links to out-of-date or unwelcome personal information from all of their search results around the world – not just in specific European countries – when people in Europe ask for them to be taken down and there’s no good reason not to, EU data protection officials have decided.

European privacy regulators build mechanisms for handling ‘right to be de-linked’ cases

Europe’s data protection authorities (DPAs) have agreed on a common set of tools to help them deal with those seeking the right to be de-linked from search engines. The tools include a dashboard that will help regulators judge whether cases that come before them are similar to prior ones, or if they are new and require fresh thinking. This is a great step – it should ensure consistency and, because it will make the DPAs’ handling of such requests more efficient, it should also make it easier for Google and others to err on the side of rejecting requests and pass off the casework to the DPAs, as should be happening anyway.