Google controls most of the search engine market in Europe, and as a result receives most ‘right to be forgotten’ requests, those things where individuals can request the de-listing of links to sensitive information about themselves that are deemed out-dated or irrelevant. But more than half of requests are denied, and of those that are appealed, most of those are too denied – which the European Union says is just fine.
In a press release published by WP29, the data protection working party tasked with handling complaints about denied de-listings, the group said that it found of the almost 2,000 appeals submitted and reviewed thus far, the vast majority of refusals by search engines to remove links have been “justified by the fact that the information is directly related to the professional activity of the individual, or that it is pertinent in regard to current events or to purpose of the processing.”
These findings were the result of a survey WP29 recently launched in order to evaluate their practices regarding the evaluation of de-listing complaints, summarizing in short that the group has efficiently played its role.
The group in the release shed some light on how it assesses complaints about search engine de-listing denials, saying that in making each decision on whether or not to overturn denials it balances the right to protection of ones private life and personal data with the public interest, of having access to the information via searches made on a search engine against an individual’s name. These considerations are part of the common guidelines (outlined here) used by the working party when addressing complaints.
The party goes on to say that the consistency of its decisions is ensured through the criteria it has settled on based on its interpretation of the Court of Justice of the European Union’s original ruling that created the RTBF (right-to-be-forgotten) system in the first place. While it believes all of its criteria are relevant and efficient, some may need to be “refined”:
All criteria appear to be relevant and efficient in the context of delisting requests. However, some criteria might need to be refined in order to gain some more clarity. This is for example the case of the “role in public life” criteria. Data protection authorities will also need to reflect on how to assess to what extent a complaint is well-founded.. Moreover, they will have to specify at what point a piece of information can be considered as outdated and thus irrelevant.
All of the European data protection authorities that make up the WP29 party have set up dedicated teams tasked with reviewing, evaluating, and responding to appeals in accordance to the adopted guidelines and de-listing criteria, with some even having escalation systems for the “most complex requests” to receive a high level of validation. This release was the first of regular progress updates from these data protection authorities in the field of de-listing, the working party said for the release.
Google has protested the RTBF law ever since it was put into place, saying that it forces the company to make “difficult and debatable judgements” based on “very vague and subjective tests.” Peter Fleischer, the company’s global privacy counsel, back in May provided an example of one of these difficult judgements:
A German national was convicted in the U.S. of a sex crime that occurred when he was 16 years old. The victim was two years younger than him. In the U.S., his name was published. Under German law, his name wouldn’t have been published because he was a minor.
Google has found itself in squabbles recently for dealing with these cases by de-listing links from individual European sites while leaving them up on Google.com, with European courts saying this puts the company in violation of the law. The company may be on the verge of a compromise, though, with the possibility of using the location of a users’ computer to determine whether or not they’re in a country where the link has been de-listed, and then de-listing it no matter if they’re accessing Google from one of its European domains or the international Google.com domain. Here’s what we wrote about this back in May:
The compromise suggested by Johannes Caspar, the head of the data-protection regulator in Germany, is for Google to use geolocation information to remove results from the .com site when the search request originates from a European Union country. Google already has the technology in place to do this, he suggests, as the company uses this approach to deliver locally-targeted advertising.
The company meanwhile continues to publish statistics on the number of links requested to be removed as well as how many it has actually removed to its transparency site, but has so far said little about how such decisions are made.