The ruling is fair, it would open an international can of worms if EU bodies would start to dictate other countries users what to see on the net.
However, it means the real effect of the RtBF law is that it impedes less technically proficient internet users to search other person's data, but absolutely doesn't achieve stated goals (as nothing is forgotten, and entities which do personal data checks will for sure be able to use non-EU IPs to get unrestricted results). What it essentially does is limitation of low-skilled users search results. And that's all.
Which proves the whole thing was a combination of PR stunt, and incompetence on behalf of wide array of EU politicians, and NGO activists.
I don't understand why it's search engine's burden to bear for right to be forgotten. Shouldn't the takedown notices go to the source materials, eg newspapers, who actually contains the knowledge? Google is simply the references to knowledge that "needs" to be forgotten, and not the knowledge itself?
Not defending the law, but yes, at the moment where Google is hosting that information, it has effectively become another source and seems fair to treat them the same as a source.
They could get out of it by not being a source.
Say you search "John Doe crimes". Consider these Google results:
1) <some url>
2) <some url> John Doe was accused of kicking a baby in Brussels...
In case 1) Google is just pointing you to a url and isn't a source. In case 2), Google is hosting some of the content itself and has become a source. So any law that says "if you have the story about John Doe kicking the baby, remove it", then it should apply to the summary Google gives in 2.
That's because the newspaper and the search engine have very different kinds of activities when it comes to processing data.
In 2014, this is how the Court explains it (my emphasis):
"35 In this connection, it should be pointed out that the processing of personal data carried out in the context of the activity of a search engine can be distinguished from and is additional to that carried out by publishers of websites, consisting in loading those data on an internet page.
36 Moreover, it is undisputed that that activity of search engines plays a decisive role in the overall dissemination of those data in that it renders the latter accessible to any internet user making a search on the basis of the data subject’s name, including to internet users who otherwise would not have found the web page on which those data are published.
37 Also, the organisation and aggregation of information published on the internet that are effected by search engines with the aim of facilitating their users’ access to that information may, when users carry out their search on the basis of an individual’s name, result in them obtaining through the list of results a structured overview of the information relating to that individual that can be found on the internet enabling them to establish a more or less detailed profile of the data subject."
[...]
"80 It must be pointed out at the outset that, as has been found in paragraphs 36 to 38 of the present judgment, processing of personal data, such as that at issue in the main proceedings, carried out by the operator of a search engine is liable to affect significantly the fundamental rights to privacy and to the protection of personal data when the search by means of that engine is carried out on the basis of an individual’s name, since that processing enables any internet user to obtain through the list of results a structured overview of the information relating to that individual that can be found on the internet — information which potentially concerns a vast number of aspects of his private life and which, without the search engine, could not have been interconnected or could have been only with great difficulty — and thereby to establish a more or less detailed profile of him. Furthermore, the effect of the interference with those rights of the data subject is heightened on account of the important role played by the internet and search engines in modern society, which render the information contained in such a list of results ubiquitous (see, to this effect, Joined Cases C‑509/09 and C‑161/10 eDate Advertising and Others EU:C:2011:685, paragraph 45)."
> What it essentially does is limitation of low-skilled users search results. And that's all.
That sounds like it's still something though. If someone gets falsely accused of e.g. being a pedophile, and their prospective employer does not run into that information when researching them during the interview process, that seems like it achieves one of the goals people had in mind with this legislation.
Sure, but nothing to celebrate: it puts average Joe in even more disadvantaged position compared to organized entities (corporations, and gov't agencies) when searching, while still won't save anyone from professional info gathering. E.g. all headhunting companies certainly will use VPNs, or similar technologies when compiling data.
Wouldn’t this be a systematic violation of the candidate’s right to be forgotten?
It seems like this is the now-missing part of the puzzle: other countries still have sovereignty over their data but explicitly using a vpn to access legally protected pii should be itself a violation.
I don't think so. The law doesn't oblige me to abstain from searching information (IANAL), and it really must not, because it won't be technically enforceable unless you are willing to go to the space of totalitarian state solutions, and overall decrease of rights people enjoy just to expand one particular (and not particularly well tested) legal concept. I think it worth keeping in mind that attaching word "right" to some legal novelty doesn't necessary means it is something sacred, and even just good. We always have to assess cost/benefits balance, and not just declared intentions when looking at laws. RtBF conflicts with rights regarding searching facts/data which everybody needs to make informed decisions. Therefore it cannot be pushed farther without rather unpleasant consequences.
If you consider that somebody who has accomplished his sentence paid their debt to society it doesn't really matter. Either the person is still in prison (and they have bigger problems than worrying about Google search results) or they have left prison and society deemed that they deserved a second chance, in which case the right to be forgotten actually works as intended.
I realize that for these types of heinous crimes not everybody will agree with that but on the other hand letting these people free but living as pariahs shunned by the rest of society doesn't seem like a good solution (especially if we want to prevent them from acting on their impulses again).
Some crimes I can forgive, this I cannot. And therin lies the root of the problem. I do not want crimes that are deemed acceptable to be forgotten to be delegated to private corporations.
>I do not want crimes that are deemed acceptable to be forgotten to be delegated to private corporations.
But that's effectively the opposite of that. It's the government that mandates that private corporations implement the "right to be forgotten", regardless of the reason. The corporation has no say on the matter.
On the other hand if you do not have something like that then you live it up to private entities to effectively implement vigilante justice by listing supposed pedophiles forever on their websites for instance.
If you really think that people who commit pedophilia and other heinous crimes are forever unfit to live in society you should get your government to enact laws that make sure they're never released without supervision for instance. I mean unless you're a proponent of vigilante justice, but then you are effectively delegating justice to private entities, corporations or otherwise.
AFAIK search engines have the right to determine if a request is 'reasonable' according to some internal criteria. That's not something I'm comfortable with anyone having.
They would, of course. Unless, someone's planning to build a whole Chinese-style censorship state, it's not possible to disallow to obtain information through VPN.
I think the assumption is that the employer wouldn't do a background check in most cases (education etc. is an exception).
I've never encountered one in Germany and we certainly don't do them with potential applicants at my place of employment. (No idea whether this is because of a law or for different reasons)
No 'background checks' by private investigators in Germany. Some employers ask for a police certificate of conduct. There's a law saying which kind of convictions are listed there (nothing below a certain amount of days) and how long (to allow re-socialization).
Preventing the search may be hard. But I don't see a problem with disallowing hiring discrimination based on such information (which is likely already the case).
A big part of the rationale behind RtBF was about how advances in technology had made it harder for some individuals to escape a past scandal at all, since it would show up in all searches of their name, a de facto scarlet letter. Censoring just the easy default searches does preserve the mitigation against that effect.
I'm not sure which effect. One very likely still face consequencies anytime there's an incentive to check the person's background, such as when looking for a big company employment, or entering public/political life. Because, it's still few clicks away, and one doesn't need neither costly equipment, nor complex training to reveal it. Random grandma may not find it, but arguments for the law where based on the former, not on the latter.
> However, it means the real effect of the RtBF law is that it impedes less technically proficient internet users to search other person's data, but absolutely doesn't achieve stated goals (as nothing is forgotten, and entities which do personal data checks will for sure be able to use non-EU IPs to get unrestricted results). What it essentially does is limitation of low-skilled users search results. And that's all.
The goal of "right to be forgotten" in this context is precisely to make the information less ubiquitous, not to delete it altogether. E.g. it does not apply to newspapers etc.
That's not how I recall arguing for the law. It was advertized as right to be forgotten, actually :-) Kind of "a guy served his term, let's make a law so that past won't affect employability today". And I miss the meaning of 'less ubiquitous' in Google search context. Reality is that the law just slightly raises the bar on intentions to search, so that if you don't care you won't find, but if you do you will. In its dictionary meaning ubiqiutousness doesn't seem to play any role in outcomes.
Btw, it doesn't apply to newspaper not because the bill's authors intended it to be so, but because it would infringe freedom of speech in a very blatant manner otherwise.
>> What it essentially does is limitation of low-skilled users search results.
Well most of the users are "low skilled" so I think it works good enough. After all a skilled user could do a comprehensive background check which may reveal more than Google.
1. Low skilled search is unlikely to be about anything affecting life, or career. Life, and career meanwhile are affected by people who know what they are looking for.
2. Low skilled level will be different in 5 years from today. I'm old enough to remember when people asked me to push 'on' button on a computer, just in case.
> [...] that operator is not required to carry out that de-referencing on all versions of its search engine, but on the versions of that search engine corresponding to all the Member States, using, where necessary, measures which, while meeting the legal requirements, effectively prevent or, at the very least, seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subject’s name from gaining access, via the list of results displayed following that search, to the links which are the subject of that request.
This "crux" misses point 72 of the ruling which states that EU law does not prohibit national law from (a) finding a different balance between privacy and freedom of expression and, thus, from (b) requiring the de-listing of the relevant name-search result on all versions of the search engine (i.e. globally).
This ruling is not the end of the case -- this is the EU law's top court ruling -- the case now goes back to the French court, to decide.
>requiring the de-listing of the relevant name-search result on all versions of the search engine (i.e. globally).
I sure hope this gets turned down. I'm not ready for international law where courts ruling over 65 million people (French population) can enforce their laws worldwide. If a single nation has that power, what's stopping China from making Tienanmen Square unsearchable worldwide?
"United, Delta and American received letters last year from Chinese aviation officials saying their social credit score could be hit unless their websites labeled Macau, Hong Kong and Taiwan as part of China. Lower scores would lead to investigations, the possibility of frozen bank accounts, limitations on local employees’ movement and other punishments, according to a letter sent to United and seen by The New York Times."
I don't really think France's judges power really has an influence on what's stopping, or not stopping, China.
China is not waiting for this ruling to try to do just that. It's up to operators like Google to decide whether they want to do business in China or whether they prioritise human rights.
China could probably pull that off if they wanted to. The same way they made international companies rename Taiwan, including Air Canada, they could force search engines to erase Tiananmen Massacre references if they want to continue doing business in China. However, last I heard Google is blocked in China, so the company is one of very few to resist Chinese pressure. Is that still true?
If this were a ruling that said the results cannot be shown in France or in the EU then I would be okay with that. I think that individual countries should be able to apply laws in their jurisdiction. My problem is that they want to enforce this law worldwide.
Hypothetically, if EU law says their ruling applies worldwide and Google stops doing business in the EU, does that mean they would be exempted? Can they then show all results or does the EU still try to charge them with breaking their law?
Obviously that's a lot of ifs. I'm just trying to wrap my head around how this ruling would even work if they decide that it does apply to everyone.
> My problem is that they want to enforce this law worldwide
The point really is: how to protect or remedy against the privacy infringement felt by someone in France's jurisdiction? And what the EU Court is saying at point 72 is: EU law does not prohibit the French judge from finding that it is necessary to have a stringent measure, i.e. to order a search engine to really prevent infringement even if coming from outside the EU.
We live in a global, connected world. This goes both ways if you want effective protection of rights of individuals. The only concern here really is to protect an individual's right to have a bit of control over the information about themselves that are so easily made available by serach engines.
> Hypothetically, if EU law says their ruling applies worldwide and Google stops doing business in the EU, does that mean they would be exempted? Can they then show all results or does the EU still try to charge them with breaking their law?
The rules are different between the previous law and the GDPR. The GDPR will apply to a company which has no business in the EU, if the data processing activity relates to:
"(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
"(b) the monitoring of their behaviour as far as their behaviour takes place within the Union."
So now you could defeat the purpose of the "right to be forgotten" by making a site that remembers and lists all items that have been purged from EU only search results?
1. It is not the end of the case -- this ruling is from the European Union law's top court (the CJEU) to give the ultimate interpretation of European Union law on the topic.
2. The case now goes back to France, where the French judge will decide, taking into account both EU law and French law, whether the Data Protection Authority's (CNIL) ruling against Google was correct or not. The most crucial point that most media reports miss is that the CJEU ruling states clearly that French courts are not prohibited from ordering a global de-listing of all versions of Google, if the protection of privacy requires so (Point 72 of the ruling).
3. The CJEU ruling restates many points from its 2014 ruling against Google Inc (US) and Google Spain - i.e. this is about an individual's right to remove certain results from the list of results based on the individual's name. It is not a right to remove content per se, nor is it a right to remove results entirely (i.e. the de-listed results should be searchable through any other search query)
4. As in 2014, the Court rules that as a general rule/principle, the individual's right to opt-out prevails over the public's freedom to access search results -- but this is not absolute, and the other way around may be true depending on the circumstances (e.g. if the result is particularly relevant for the public's interest). [This "general rule" is the part of the ruling which I find most open to criticism, as in my opinion this is not what the law provides]
5. This ruling is based on law before the GDPR. While the GDPR will continue to apply this mutatis mutandis as we say, this ruling has nothing to do directly with GDPR.
The issue of course is not about the Law, and not even with the actual right to be forgotten (right or wrong is another question), it is IMHO more about the fact that this (or that) search engine will have different results depending on from where you make the same search.
Now these differences may well be only for the searches related to someone who invoked his/her right to be forgotten, but the moment the results of a same search from different places can be different, it opens all possible avenues to remove (or add) other kind of information selectively.
Too bad. I was hoping the EU would use its economic might to apply pressure against surveillance capitalism. Sometimes when our host nations fail us our best option is to hope for global pressure.
My issue with "right to be forgotten" is with the principle, not the implementation. It violates not only freedom of speech, but freedom of private communication. Let's look at what it's really involved with: I send an encrypted request asking a company for some information. That company wants to reply (also encrypted) with that information. This law forbids them from doing so. The company might be a megacorp like Google, but (depending on what I'm searching for) it might be a smaller service run by an enthusiast.
This law should really be called, "The right to stop other people saying true things about me to people who request that information."
The implications of what's been said here will on some level impact how EU law will apply to countries outside of the EU. Considering the right to be forgotten is closely married to the right to erasure, GDPR is in the crosshairs. Remember, GDPR was supposed to apply globally. It's clear from today's ruling, there's some doubt in the courts whether or not that is even responsible, let alone possible.
> Considering the right to be forgotten is closely married to the right to erasure
How? The right to be forgotten is just basically asking google/yahoo/bing/qwant not to put articles that can hurt one's reputation if asked. Imagine the only thing you're known for is a pedophilia case were you were first condamned, then release because it appears the children (and some of the really guilty) have lied: https://en.wikipedia.org/wiki/Outreau_trial
You might want your name removed from google. Maybe.
The right to erasure is just your furnishing your own personnal data to a service provider and then asking them to remove all the data they have on you they can delete.
In the last case, you have a direct, business relation to the service provider. In the first one you don't.
Yep, the right to be forgotten (or to oblivion) predates GDPR.
> The implications of what's been said here will on some level impact how EU law will apply to countries outside of the EU.
Not really, each country still decide by itself.
> Remember, GDPR was supposed to apply globally
It is not about GDPR.
The ruling on one side talks about "versions".
Facebook has only one version of its social network, while Google has been known of running different versions of their search engine.
For example: Google China is a subsidiary of Google
The other side of the ruling is that EU court just said that Europe could not impose the right to be forgotten on countries that did not recognize the law, which is fairly obvious.
USA cannot enforce patents on countries that do not recognize them.
They also feared - disproportionally given the status of things - that allowing it globally would mean that if North Korea do the same (which they already do BTW) that could lead to state censorship, as if it wasn't already a reality.
GDPR is more about the ownership of personal data, the right to data portability, for example, still makes perfect sense and it's not put in danger by this ruling.
I wonder how it came to be that only people in certain countries have a particular right, and how a court can determine that. I'd like to know their definition of a right. I'm pretty sure it differs from mine.
Some countries define rights on paper and then fight wars to preserve them.
Where there are differences between political bodies, the options are:
* Negotiate to resolve them via treaties, etc.
* Coerce via other means - usually loops back to the first bullet once sufficient force has been applied
Apparently the “right to be forgotten” is from laws in Spain which exist to allow people to erase their fascist past. Avoiding awkward conversations about what oke did during the war.
This comes from a [EU Court 2014 Ruling][1] based on Spain's implementation of European Union Directive 95/46 from 1995 which has nothing to do with what you're talking about.
And the 2014 ruling, as this ruling, are clear that there is no absolute right to "erase" the result on a name.
It is not a wildcard to erase every bit of relevant data about anyone, and Google regularly denies requests to de-list result on this basis.
As the 2014 ruling provides:
"Whilst it is true that the data subject’s rights protected by those articles also override, as a general rule, that interest of internet users, that balance may however depend, in specific cases, on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life. (§81 of 2014, Case C-131/12)"
And for example the court provides that "for particular reasons" the right does not apply. Such reasons include "the role played by the data subject in public life" that would be "justified by the preponderant interest of the general public in having, on account of inclusion in the list of results, access to the information in question. (§97)"
As always, the actual ruling is much more nuanced and balanced than many media reports or corporations would have you believe.
However, it means the real effect of the RtBF law is that it impedes less technically proficient internet users to search other person's data, but absolutely doesn't achieve stated goals (as nothing is forgotten, and entities which do personal data checks will for sure be able to use non-EU IPs to get unrestricted results). What it essentially does is limitation of low-skilled users search results. And that's all.
Which proves the whole thing was a combination of PR stunt, and incompetence on behalf of wide array of EU politicians, and NGO activists.