Last May, the European Union Court of Justice ruled in favour of Mario Costeja González, a Spaniard who had brought a case against Google Spain requesting the removal from search results of a link associating his name with a 1998 newspaper article about an auction for his repossessed home. Sr Costeja argued that he had repaid the debt and that the information should no longer be linked with him online, where it could continue to damage his reputation.
The court determined that, under EU data protection law, individuals did indeed have the right to ask search engines to remove certain search results relating to them. The next day, Google received 12,000 requests to remove personal details from its search results.
A year after the so-called ‘right to be forgotten’ ruling, Google has released a transparency report detailing its attempts to comply.
In the last year, Google received 254,271 removal requests relating to 922,638 URLs, and delisted 41.3% of search results.
Ten sites account for 8% of the total URLs requested for removal from search results:
While Google’s attempts to allow EU citizens the right to be forgotten may seem laudable, others are less than happy with the search giant’s approach to data privacy.
The BBC reports that Google is currently in talks with the UK Information Commissioner’s Office (ICO) about 48 cases it is accused of “getting wrong”, and over which the ICO has asked Google to “revise its decisions”.
A Google spokesman is quoted as saying: “We haven’t always got privacy right in Europe, not just because of errors we’ve made, but our attitude too. But our swift and thoughtful implementation of the right to be forgotten ruling showed that for Google this was a genuine ‘we get it’ moment.
“We’ve also worked hard to give users more control over the data we collect and we’re looking at how to make those tools easier to find and use. So stay tuned.”
A group of 80 academics, meanwhile, is calling for greater transparency from Google about its decision-making process in ‘right to be forgotten’ rulings. Observing that “there is some tension between transparency and the very privacy protection that the RTBF [right to be forgotten] is meant to advance”, the group notes in an open letter that:
“Beyond anecdote, we know very little about what kind and quantity of information is being delisted from search results, what sources are being delisted and on what scale, what kinds of requests fail and in what proportion, and what are Google’s guidelines in striking the balance between individual privacy and freedom of expression interests.”
The group then makes 13 suggestions of what it thinks should be disclosed.
Data protection remains a contentious issue across the union. The proposed General Data Protection Regulation (GDPR) – which will affect all organisations in the EU – will now very likely replace the ‘right to be forgotten’ with a ‘right to erasure’, which will doubtless cause even greater difficulties for Internet search engines.
Preparing for GDPR compliance
As PwC’s global head of data protection and cyber security, Stewart Room, noted in February, “Now is the time for businesses to move towards states of ‘Regulatory Reform Readiness’. The impact of the likely legal changes for their businesses ought to be considered and the gaps between their current and desired levels of legal compliance ought to be measured. From there, strategies for adjustments and business transformations can be developed, which deliver changes in measured, proportionate and effective ways.”
Implementing a best-practice information security management system (ISMS), as set out in the international standard ISO 27001, will enable all EU organisations to meet their new legal obligations while streamlining their existing processes and creating greater business efficiency.
IT Governance has led hundreds of ISO 27001 implementation projects around the world, and our ISO 27001 Packaged Solutions provide fixed-price implementation resources and implementation guidance for all European organisations.