Robert Preston the BBC journalist has a problem about one of his blogs: he asks “Why has Google cast me into oblivion?”. His blog concerned one of those banking “Masters of the Universe” whose expertise in the financial “dark arts” led to billion dollar losses and the collapse of Merrill Lynch. Google has told Mr Preston that thanks to the ECJ judgement, his article is no longer searchable by its search engine.
James Ball, a Guardian journalist, has the same problem. He wrote a story about Google delinking a story about a retired Scottish football referee who lied about his reasons for granting a penalty in a Celtic v Dundee United match (which when exposed prompted his resignation).
Both journalists are naturally raising questions about the judgement which resulted in their writings becoming less available to us all; claims of censorship have naturally followed in the subsequent press coverage.
Of course one has to take the above with a pinch of salt. It is well known Google does not like the ECJ judgment and the suspicion is that Google is removing links and telling journalists that their scoops are no longer accessible to the public. This provokes them to go ballistic, in print, and make wild claims of censorship; the last Sunday Times editorial on “The right-to-be-forgotten law is an ass” is an example of the ill-informed outcome which, sadly, Google appears to be encouraging.
Such gamesmanship explains why I have decided to devote this (very long) blog to draft a procedure for Google to follow; I think it covers most of the issues in a way that balances the conflicting interests. There might be nuances at the edges, but I think the approach is mainly correct. Anybody who can improve it, please make a comment.
Hopefully, after a few iterations there will an “open source procedure” for Google, Yahoo! etc to adopt; clearly Google appears to be so opposed to the ECJ ruling that it is incapable of producing a balanced procedure for itself.
Piggy in the middle
I should add that the procedure I am suggestion is not something I have just invented; it’s a development from the one needed to meet the requirements of the interpretation of the Fourth Data Protection Principle (Schedule 1, Part II, Paragraph 7).
This interpretation deals with the problem when a data subject tells the data controller one thing and a third party, who is consulted by the data controller, contradicts the data subject’s account. How does the data controller know whose personal data are accurate and up-to-date?
In this situation, the data controller is “piggy in the middle” between data subject and a third party; this is close to the position of Google, except it is placed between the data controller who has posted the personal data and the data subject who is complaining about the posting. (For the absence of doubt, the term data controller does not imply that controller is subject to any national data protection law; some controllers will be subject to a data protection law - many won't).
Remember that if European data protection laws do apply the domestic purpose exemption is very unlikely to apply to postings of personal data on a website (see the ECJ Judgement on Lindqvist which dealt with publication of personal data on the Internet). This means that there would be a data controller who has posted the personal data and an individual who is the subject of those data.
Two important questions to ask the data subject
So, suppose a data subject identifies himself to Google and claims that such and such a link is no longer relevant for whatever reason (e.g. the link is causing unwarranted distress to the data subject; the link is not in the public interest; the link is to a site that contains irrelevant, inaccurate or outdated personal data). I am assuming the data subject is a “normal citizen” with a low public profile.
Evidence supporting the data subject’s identity and a description of the nature of the problem and URL links should be provided (as per the current Google form). As data subjects are giving personal details about themselves, Google’s form should have a commitment to keeping such details confidential and used or disclosed only in relation to the issue of removal or non-removal of the link. This commitment to confidentiality is absent at the moment.
The first two questions Google should ask is “whether the data subject has approached the data controller that is responsible for the personal data on the website?” and “If so, what was the outcome of the attempt to resolve the issue?”. Even though Google, as data controller, has the responsibility to make its own determination of the application of any national data protection law to its own processing of personal data, it can still ask these questions.
The possible answers to the first question are: “yes”, “no”, “it is manifestly unreasonable to make contact with the data controller” (e.g. if the purpose of the personal data on the website is intended humiliate, denigrate or bully a data subject) or “it is not possible to make contact with the data controller” (e.g. when personal data are posted anonymously).
With respect to the second question, I would expect any response given to the data subject by the posting data controller to be provided to Google. However, there may be exceptional circumstances when a data subject will refuse to provide Google with the response from the controller (e.g. if the controller threatens the data subject, or has a hold over the data subject in some way, or the provision of the response to Google would in itself be an invasion of privacy). Google’s form should have a free text field to cover this eventuality.
Does Google need to take down a link?
Google should ask: “Did you voluntarily provide directly or indirectly the personal data displayed on the website?”. What I am after is whether the personal data originates from an action of the data subject (e.g. the data subject originally consented to the personal data being displayed) or whether the personal data have been posted by someone-else without the consent of the data subject.
I suspect that in many cases where the personal data originates from an action of the data subject, the issue of link removal (or not) can be resolved without the need for Google to do anything; the website data controller, if contacted, could take appropriate corrective action. For example, it has been reported that the Robert Preston article had its links withdrawn because it carried a comment from a data subject (i.e. the complaining data subject was not the financial wizard identified in the blog).
So if the data subject has not made contact with the data controller, I see no difficulty in Google being allowed 15-20 working days to ask the data subject to contact the data controller if this is reasonable, especially if the data controller (e.g. such as the BBC) is subject to data protection legislation (not necessarily just European data protection law). In the Preston example, for instance, an organisation like the BBC could easily anonymise a comment.
Note also in this situation, the data subject had originally consented to publishing a comment and at a later stage is withdrawing consent. Procedures to deal with the withdrawal of consent are a problem for the data controller in the first instance (and not for Google).
Indeed, it would be interesting to know how, for instance, the BBC would respond to such a withdrawal of consent request from the data subject; I suspect the requested change would be made. It would also be interesting to find out how newspapers in the USA would react to such a request in relation to a data subject who had posted a comment.
In a sense this is the correct position; it is the personal data on the website that is creating the problem – all Google’s searching algorithm does is amplify the problem by making the problematic personal data available worldwide.
Other questions to ask the data subject
The next two questions to ask are: “whether there is any objection from Google contacting the website data controller if this is possible or needed?” and “Can Google use the details provided by the data subject in such contact?”. I think it is reasonable for Google (as well as the data subject) to be able to communicate with such controllers.
Note that if the data subject has already stated that “it is manifestly unreasonable to make contact with the data controller” or and “further contact by Google risks a further invasion of my privacy” then Google should not make contact with the data controller (examples are given below where the public interest is served by taking a link down).
I also think Google should also be able to ask: “If relevant, have you complained about the personal data to the Data Protection Authority in the country where the data controller for the website is established, and if so, can you provide details of the complaint”. This is to facilitate communications between Google and the Data Protection Authority and would be useful if the issue raises novel aspects that need exploring.
Finally, any response given to Google by the data controller or data protection authority should be made available for comment by the data subject making the complaint to Google.
Inferences from making contact with the data controller
The questions about contact with the data controller responsible for the web-site content are important; they allow Google access to information it needs to make an informed decision about the link and helps verify what the data subject and data controller has reported to it.
Suppose the data controller responsible for the web-site content refuses the data subject’s request; Google should be able to take the controller’s response and take it into account when making its own decision. If the data subject unreasonably refuses to provide such details, it may help Google to argue that the link should be maintained.
The reverse position arises if the data controller responsible for the web-site gives the data subject the “brush-off” or fails to respond or cannot be contacted or is anonymous; here the controller’s attitude might justify the taking of a link down. That is why I think that an approach by a data subject to a reptutable USA organisation (one not subject to a data protection law) will be considered carefully.
Also, Google's page ranking algorithm could play a part. Most reputable data controllers want incoming links to their websites; Google taking them down runs counter to this objective. This too reinforces the notion that those controllers, not subject to a data protection law, will not treat a data subject's request in a dismissive way.
It could be that the data subject has not made contact with the data controller because the data controller is not identifiable or has made no provision for such contact. Note that if the data controller is not identifiable then the processing of personal data immediately fails to meet the fairness requirements of European data protection legislation; if the data controller is not contactable, then there are also strong arguments for unfair processing. In both circumstances the links should be removed, irrespective of any public interest argument.
Note that if the web-site data controller is in Europe, then it is likely that any personal data content of that website will be covered by a data protection regime. It might be appropriate in some cases to direct the data subject to the relevant data protection authority. This could be important if the personal data on the website carry content that is beyond common decency, is unlawful or manifestly unfair for whatever reason. Google should get privacy plaudits if it aided or directed the data subject to the relevant Data Protection Authority (and took down links) in relevant cases.
Considering the public interest
There has been much debate about “the public interest”. So the rest of this blog assumes that the data subject’s reason for the request to take down a link relates to consideration of “the public interest”; remember if the data subject has contacted the data controller responsible for content, then this information should guide where the “public interest” falls.
For each “take-down a link” request, Google as data controller, is presented with three choices:
• The link should be maintained as it is in the public interest.
• The link should be removed because there is no public interest in maintaining it.
• It is difficult to tell whether the link is in the public interest or not.
The link should be maintained as it is in the public interest
Links should be maintained whenever the data subject has a considerable amount of press coverage or seeks out public attention or seeks support for his views (e.g. celebrities, politicians, stories that resonate with the public, perpetrators of violent crime etc).
Requests to links where a Court (higher than a Magistrates Court) has made any determination (e.g. libel, breach a confidence, criminality etc) should not be removed as there is likely to be a continuing public interest in the judgement and the debate leading up to the judgement (and beyond). For instance, consider the infamous Max Mosely case; I do not think that any link to any story in the Mosely case should be removed by Google mainly because the purpose of Mr Mosely’s Court case was for a right of reply (an interesting protection for data subjects who are maligned by the press).
The same goes for footballer Ryan Giggs. He is a public figure, like it or not, who was embroiled with another public figure. In other words, widely read stories in newspapers on the internet will be maintained. As Google keeps records of page accesses, such statistics could help determine "public interest".
The jurisprudence concerning the press and the public interest (e.g. where injunctions are granted or not granted give a clear steer on what the “public interest” means). That is why I think that links to stories about any celebrity, politician, rapists, murderers, bank robbers and other criminals with serious convictions will not (and should not) be removed by Google.
Refusal to take down the link, follows the refusal procedure identified below.
The link should be removed if there is no public interest in maintaining it.
I think this should be moderately clear cut. Suppose there is an individual who has been prosecuted for a minor offence (e.g. at a Magistrates Court) which is spent under the Rehabilitation of Offenders Act; if there is a web-site that refers to that offence, then that link should be removed. However, the data controller responsible for the site still should be asked as there might be a continuing public interest in maintaining the story (e.g. the individual concerned has graduated to more serious offences).
I can see local newspapers refusing such requests on the grounds that newspapers published on a particular date should not be changed or censored. I agree with that position. However, when Google takes the link down, it is not acting as censor; it is acting as distributor. The text of the newspaper is not changed; it is the world-wide distribution that has changed.
Links to websites that clearly involve unlawful processing of personal data or incite unlawful processing should be removed. The kind of example I have in mind is a person who publishes the actual medical record of a data subject following a data loss in the absence of any public interest in the data subject’s medical history.
Another example would be a website that publishes a list of credit cards and passwords and account numbers or websites that display overtly racist, humiliating xenophobic personal data (e.g. in breach of relevant legislation also fall in this category).
It could be that the content itself is of a nature which makes establishes the lack of public interest (e.g. a YouTube video of a data subject posted in order to bully or humiliate the data subject or images of a sexual nature made by the ex-partner to a relationship with the data subject). This is also an example where it is manifestly unreasonable for the data subject to contact the data controller (e.g. the ex-partner).
It is difficult to tell where the public interest lies
The burden of proof will be on Google to show that there is a public interest, so if it is difficult to determine where the public interest falls, then the link has to be withdrawn.
This conclusion follows the construction of the various data protection principles. For instance, the data controller has to demonstrate that personal data are “adequate, relevant and not excessive” in the context of the processing purpose. So, if the controller does not know whether the personal data are “relevant”, then the controller cannot demonstrate that the personal data are relevant. Hence the link goes.
This reinforces the need for contact with the data controller responsible for web-site in such cases.
Should Google be able to reverse “public interest”?
Yes. Google should be able to undo the removal of links as the public interest might change. However, if Google does reverse the public interest argument it should contact the data subject and allow representations to be made. This is being fair to the data subject.
Refusing to take down a link- just like FOIA
Should Google refuse the request it should refer the data subject to the relevant data protection authority (e.g. the Information Commissioner inthe UK) for an independent determination of the case, if the data subject is unhappy with the decision. Google should also explain why the public interest is served by not removing the link.
Note that this procedure is very close to the formal refusal procedure under FOI and FOISA; indeed I think it prudent for Google to offer an internal review of its original refusal decision in such cases.
Referral to the Data Protection Authority
In some cases which can be seen to be difficult or different, it could be reasonable for Google to argue that the procedures under that European Data Protection law with respect of the website controller should be determined before it deals with the issue of removing a link.
The same argument applies to any data protection law (e.g. based on OECD or APEC Guidelines or on Council of Europe Convention No 108) even though such laws are not based on Directive 95/46/EC. Obviously, this won’t work for organisations that are outside a data protection law or some laws like the Maltese data protection law which has a total exemption for a press website.
Well done to readers who have got this far; please table any comment. Finally, I have not dealt with the issue of a controller transferring the personal data so it can be posted on another site; I am assuming that if Google has taken the first link down, it can take the second link down.
Google's motto is "Don't be evil"; it would be helpful if it can understand that the ECJ does not do evil also.
The ECJ Judgment: C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González” can be found on http://curia.europa.eu/juris/documents.jsf?num=C-131/12:
Bodil Lindqvist ECJ judgment concerning publication of personal data on the internet, the place of publication, the definition of transfer of personal data to third countries and Freedom of expression and its compatibility with Directive 95/46/EC (Case C-101/01). http://curia.europa.eu/juris/liste.jsf?language=en&num=C-101/01
Google’s BBC tip-off to Robert Preston: http://www.bbc.co.uk/news/business-28130581
Google’s Guardian tip-off to James Ball: http://www.theguardian.com/commentisfree/2014/jul/02/eu-right-to-be-forgotten-guardian-google
Sunday Times editorial (6/7/2014): “The right-to-be-forgotten law is an ass” on: http://www.thesundaytimes.co.uk/sto/comment/article1430718.ece
Examples of the rubbish propagated by the USA press on the ECJ judgement (ignore the satirical commentary; just look at the clips): https://www.youtube.com/watch?v=r-ERajkMXw0&feature=kp
Google’s current website form: https://support.google.com/legal/contact/lr_eudpa?product=websearch&hl=en