Right to be forgotten: CNIL and Google’s arm wrestling match is only the symptom of a deeper disease

Sep 23, 2015
Vote on Hacker News

wpid-Google-s-View-on-the-Right-to-be-Forgotten2We often say, « the truth lies somewhere in between ». That’s exactly what applies to the arguments put forward in the battle the Commission Nationale Informatique et Libertés (CNIL), a French independent authority in charge of data regulation, is fighting with Google for the implementation of the « right to be forgotten ».

The European Court of Justice enshrined the right to be forgotten in a 2014 judgment. The exercise of this right results from the application of European law for data protection to search engines, targeting in particular Google. Specifically, anyone who wishes to delete one or more results appearing from a search of his name can make a request to the browser. Google then reviews the application and grants the right if the legal conditions are met. Google has principally to evaluate between the right to respect for private life and the right to information granted to the public. In case of refusal, the person may appeal the decision to the CNIL or the competent judicial authority within each Member state.  The company has received 320,000 requests since then and fulfilled around 40 percent of them.

However, Google is not willing to entirely comply with this obligation. The search engine informed the CNIL earlier this year that it is ready to withdraw undesirable content which is prejudicial to a person from the European version of Google (fr./de./it./es./etc..), but not from “Google.com” as such an undertaking would be impossible to implement on a worldwide scale. In turn, the CNIL addressed an injunction to Google to comply to the withdrawing of undesirable content on every version of the web browser. Peter Fleischer, Google’s Global Privacy Counsel, responded via a blog post to the CNIL by stating that: “While the right to be forgotten may now be the law in Europe, it is not the law globally. Moreover, there are innumerable examples around the world where content that is declared illegal under the laws of one country, would be deemed legal in others: Thailand criminalizes some speech that is critical of its King (…) and Russia outlaws some speech that is deemed to be gay propaganda. If the CNIL’s proposed approach were to be embraced as the standard for Internet regulation, (…) in the end, the Internet would only be as free as the world’s least free place.”

Finally, on the 21st of September, the CNIL unsurprisingly informed on its website that it rejects Google’s informal appeal against the notice requesting it to apply the delisting on all of the search engine’s domain names. To put additional pressure on Google, the European group of national authorities responsible for the protection of personal data (G29) recently announced to increase financial sanctions in case Google does not comply with its obligations.

All in all, it seems as if we are only at the beginning of a long judicial battle where one thing is for sure: Fighting Google on this particular issue without engaging in greater reform is only periodically going to stop the symptoms, but not the illness itself.

Coming back to Google’s and the CNIL’s disagreements, the problem of their diametrically opposed views is that they have both their right and their wrong sides, thus reflecting the status quo and leading nowhere. There is nothing like an easy or just solution here. However, it is important to point out several contradictions by opting for a more differentiated approach which can best illustrate the difficulties to solve but also the solutions to adopt.

Differentiating what is really different

Indeed, where Fleischer is right, is that if every country’s legislation were imposed to the entire world wide web, the purpose itself of the Internet would be destroyed.

The problem of his response is that he willingly mixes up different patterns and makes them appear as the same and exact thing even if they are truly not. In other words, if one takes, as Fleischer does, the case of criminalising a speech which is critical of a king, it is not possible to put on the same level this particular matter with the right to be forgotten.

In this precise case, it goes almost without saying that the freedom of speech or expression, a fundamental and universal right, allows someone outside of this particular territory to be critical of anyone, under the condition not to be disrespectful to a person for what he or she is but to criticise the institution or public person represented. In reality, it is highly unlikely that it would ever occur to the king of Thailand to appeal to a Court to withdraw a critical online article of himself outside the boundaries of his territory. It goes without saying that this makes absolutely no sense. The same applies to Russian “gay propaganda”.

With the right to be forgotten, it’s a different case. People who want undesirable content to be withdrawn from Google results are people who very often want a picture of themselves to be removed because it causes them a prejudice in their everyday life and no right to information for the greater public is at stake. These persons have an entirely legitimate right to see these data deleted from every search result and not only from every European version of Google which is clearly insufficient. For someone who wants to take advantage of another person being in such a fragile position, nothing is more simple than to connect via a proxy over an American IP address or directly over Google.com/ncr and to see exactly the content which does not appear anymore on the European versions of the search engine.

Further, if a picture is uploaded on Google+ for example, either by the person itself or someone else, this image is most likely uploaded over the “national” extension of Google (de./fr./co.uk/…). The person was not asked whether this picture should be shown as a search result on a specific version or every version of Google. It goes without saying that if you upload content anywhere, it is going to figure and be accessible from nearly any country in the world. Following this argumentation, if a link has to be removed from the Internet, it should be deleted so as that it is not accessible from anywhere as content online has as a characteristic to be available from everywhere. In other words, Google reserves itself the right to propagate data on every extension of its search engine but agrees only to withdraw these exact data from one single branch of the browser. Here as well, the contradiction is flagrant.  (Find out more about Google’s hypocrisy on RudeBaguette)

Putting forward the above-mentioned examples has as a purpose to show how important it is to adopt a casuistic approach when talking about the possibility or impossibility to regulate the Internet or a part of it.

The need to converge towards a common legal frame for private data protection has never been more imminent

Talking about regulating the Internet, it is time for countries all around the world to gather and to adopt an international legal frame that guarantees minimum rights to users. If you feel like you have heard a thousand of these propositions over the last years, and nothing happened, it is hard to deny this would be completely untrue. However, only a harmonised legal frame can implement the necessary regulation to deal effectively with data protection issues as it is simply a transnational issue. In this particular case, European law has to apply to cases that concern data stored overseas and involving companies that are often located in yet different places.  In this context, national or European law is clearly insufficient to try to regulate any data usage, mostly stored outside the boundaries of its territory, or privacy rights effectively. Therefore, it is significant net users nowadays can profit from a “right to protection of private data” which enables them to have undesirable content removed from the Internet and not just a part of it.

Further, points of convergence have to be found between countries regarding the need to frame the use of cross-sectional data and the commercial reuse of data. The Safe Harbor principles which should ensure that European regulations on personal data are respected before being transmitted overseas have not proven to be effective and are more than ever put into question. In the same way, adapted fundamental rights such as the “right to freedom of speech” as well as the “right to a private and family life” and accustomed procedures to adequately report abuses via online platforms have to be implemented. These rights, which can be given different interpretations regarding the country, with freedom of speech in France differing from freedom of expression in the US, would nevertheless have the merit to agree and to stick to a common base of values applying on an international level. fulmira.com Such a legal frame can solve problems involving the usage of data and impose a beginning of regulation to private companies on a larger scale than a national one. This is essential to make a first step towards a more coherent protection of private individual’s rights and liberties.

To this end, the recent agreement between the European Union and the United States on data protection, which will allow Europeans to enter US Justice in case of misuse of their personal data in the United States, demonstrates, even if very lightly, the ability to find agreements on international issues related to data protection. If this can be seen as an only reciprocal right to the one already existing for American citizens in Europe regarding data protection in judicial proceedings, in times where the NSA scandals tend to cool periodically down diplomatic relations between both continents, it shows however that agreements can be found on an international level, and considering the amount of data stocked in servers in the United States or managed by US-based companies, the challenge to find a binding and ambitious agreement on data protection is of crucial importance.

As for now, positions between both continents could barely be more opposed as correctly noticed by Alex Türk, former President of the CNIL, who recently stated that “there is an abysmal gap today between the European and US conception of personal data that are for the latter market goods and the first attributes of our personality.” However it may be, the ability to find a binding and efficient agreement on data protection is going to be one of the big challenges of the beginning of this twenty-first century. The implementation of the right to be forgotten ruling is no exception to this.