You are here

EU right to be forgotten: France fails, Google gains on privacy pullback

public://webform/writeforus/profile-pictures/richi-2016-480.jpg
Richi Jennings, Industry analyst and editor, RJAssociates

The European “right to be forgotten” law, which is effectively part of GDPR, has been clarified this week by the Court of Justice in Luxembourg. Despite French regulators’ protestations, the court ruled that EU laws don’t apply outside Europe.

So Google can’t be forced to hide certain search results in, say, North America. Shocker, I know: It’s an outbreak of legal sanity.

But not every angle is quite as clear-cut. In this week’s Security Blogwatch, we dig below the surface.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: CGI noodles.

[ Learn how to close your privacy and security compliance gaps and define the line between teams in this Webinar. ]

RTBF TBF, ex-EU/EEA/EFTA

What’s the craic? Sarah Marsh—'Right to be forgotten' … only applies in EU, court rules:

In a landmark ruling … the European court of justice said search engine operators faced no obligation to remove … embarrassing or out-of-date information … outside the 28-country zone. … Google welcomed the court’s decision [having] argued that … the obligation could be abused by authoritarian governments trying to cover up human rights abuses.

[Google] was also supported by Microsoft … the Wikimedia Foundation, and the non-profit Reporters Committee for Freedom of the Press, among others.

A victory for common sense? Gareth Corfield fields International sites needn't worry:

In a 25-page judgment … the EU's top court said that the bloc's internal rules about search engine results did not apply outside its borders because there were no legal mechanisms for them to do so. [It] means that international or country-specific versions of Google results are exempt from EU laws.

The ruling … opposed French data protection body … CNIL, which appealed a local case it brought against Google up to the EU. [It] had previously imposed a [$110,000] fine.

The ruling will be regarded as a major blow by those who believe EU laws could form a heavyweight alternative to the largely American underpinnings of internet law today. It will be welcomed by those who oppose [the idea that] domestic laws apply outside … borders.

Google's position has long been that it is criminals and politicians who mainly benefit from the RTBF, something given more weight when two convicted criminals sued Google in the [UK] last year to force the deletion of search results about their dodgy pasts.

How did we get here? Paul Thurrott reminds us:

As you may recall, the … drama dates back to 2010, when a Spanish citizen complained that … details of his home repossession in Google search results violated his privacy rights. The Spanish courts eventually referred the case to the European Court of Justice, which ruled in May 2014 that … search engine providers that operated in EU member states would need to remove privacy-invasive search results when requested.

EU citizens have the right to be forgotten when the information published about them is inaccurate, inadequate, irrelevant or excessive. But … that right to be forgotten was not absolute, and that it needed to be balanced against other rights, including the freedoms of expression and the media.

Google has since removed many millions of URLs from search results. … “Since 2014, we’ve worked hard to implement the right to be forgotten in Europe, and to strike a sensible balance between people’s rights of access to information and privacy,” a Google statement reads.

But SvnLyrBrto looks elsewhere:

Google should have been left out this fight entirely. If some article or site's content is libelous or defamatory, it should be taken down at the source.

Leave Google and any other search engine out of it. Once the data is removed at the source, the next time [a] search engine spiders the site, it will drop out of the index organically. Problem solved.

Attacking Google instead of the original publishers reeks of looking for the deepest pockets or simple-minded xenophobia. … All nations … need to stop exporting their laws outside their borders … (the US is fond of doing so … the EU in general, and France in particular, are pretty egregious offenders too).

On that final point, LDS is in full agreement:

Once again EU shown it's much more reasonable than US, which decided their CLOUD Act is applicable worldwide.

Is that it, then? Nope. Daphne Keller—@daphnehk—notes a second ruling:

Today’s second “Right to Be Forgotten” ruling – the one about sensitive data … is much more interesting. [It] says that Google should do notice-and-takedown operation for indexed “sensitive” data.

At the very end the Court adds this crazy thing about mandatory first-place search result listing for criminal exonerations. [It] says that when Google indexes reports of a criminal accusation, trial, etc., but the person was later acquitted, the very first search result must show the acquittal.

That’s just thrown in out of the blue. … I bet no one briefed it. And if anyone did, they probably didn’t work through the real-world implications.

That will be fun to implement … the new #1 result will often be super random, low quality, and hard for readers to interpret. … Amazeballs.

Wait, what? Michael explains more succinctly:

The ruling is actually saying that any search that results in anything relating to a legal case must put links for the latest ruling at the top.

The result of this would be searching for "Chicken Soup Recipe" would have to show links to legal cases relating to chicken soup recipes before links to actual cooking sites.

Imagine that. Ev Samuel imagines an unintended consequence:

[Imagine] the SEO con artists messing around with things that are mandated by law, and nobody having any reasonable way of stopping them. Tying Google's hands, and making the concerns around this issue much much worse.

It would be grand. Grand, I tell you.

Meanwhile, ArmoredDragon waxes nostalgic for 1980-era videotex:

Perhaps France should just ban the internet and force itself and the rest of the EU to go back to Minitel so that France can completely govern what all of the EU sees, restoring French pride in the process.

The moral of the story?

It’s an outbreak of legal sanity. Good news for non-EU net services—and not just search engines.

[ Data privacy regs GDPR and CCPA are the new norm. Learn best practices from top organizations for staying on the right side of the law. ]

And finally

CGI noodles


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Peter Be (Pixabay)

[ Find out how to take control of credentials privilege in your organization in this Oct. 31 Webinar. You'll learn best practices, more. ]